
Thread: Virtumonde.prx, please help me remove it

  1. #1
    Junior Member (Join Date: Dec 2008, Posts: 7)

    Virtumonde.prx, please help me remove it

    After installing S&D and eliminating a number of other nasties, I am unable to remove Virtumonde.prx. After numerous attempts over a number of days, I could really use some help. This is my only workable machine and I really need it for work purposes; I work from home.

    Here's the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:57:17 AM, on 28/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2ab5ab86-d857-41f3-9a26-60b2f598a94a} - C:\WINDOWS\system32\fokozewa.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [sadorujoha] Rundll32.exe "C:\WINDOWS\system32\menuliho.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [iPlusAgent] "C:\Program Files\iriver\iriver plus\iAgent.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [sadorujoha] Rundll32.exe "C:\WINDOWS\system32\menuliho.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1203682545671
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1203682515296
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobio...ne/install.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll avgrsstx.dll c:\windows\system32\seyegoku.dll c:\windows\system32\yidofazu.dll c:\windows\system32\siwusupe.dll c:\windows\system32\hayemave.dll c:\windows\system32\tesavohi.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tesavohi.dll (file missing)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tesavohi.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

    --
    End of file - 7476 bytes
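
    As an added example (not code from this thread or from any of the tools it mentions), a small Python triage script that reads HijackThis lines in the format of the log above and flags the entries a helper would look at first: BHOs with no name, Run keys that launch a system32 DLL through Rundll32, SSODL entries whose file is missing, and DLLs in system32 with the eight-letter consonant/vowel names seen in this log (fokozewa, menuliho, seyegoku). The sample lines are copied from the log above; the naming heuristic is an assumption drawn from this log, not a general rule.

```python
import re

# Constructed sample: HijackThis lines in the same format as the log posted
# above (paths and CLSIDs are copied from that log; nothing here is invented).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2ab5ab86-d857-41f3-9a26-60b2f598a94a} - C:\WINDOWS\system32\fokozewa.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [sadorujoha] Rundll32.exe "C:\WINDOWS\system32\menuliho.dll",s
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll avgrsstx.dll c:\windows\system32\seyegoku.dll c:\windows\system32\yidofazu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tesavohi.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

VOWELS = set("aeiou")

# A DLL/EXE path: either drive-rooted (may contain spaces, stops at the first
# .dll/.exe) or a bare file name such as the avgrsstx.dll in AppInit_DLLs.
PATH_RE = re.compile(
    r"(?:[A-Za-z]:\\.*?\.(?:dll|exe)\b|\b[\w~.-]+\.(?:dll|exe)\b)", re.IGNORECASE
)

# Rundll32 launching a DLL that lives in system32 (the [sadorujoha] pattern).
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?[a-z]:\\windows\\system32\\', re.IGNORECASE)


def is_random_name(base):
    """Heuristic assumed from the names in this log: eight lower-case letters
    that strictly alternate consonant/vowel (fokozewa, menuliho, seyegoku...).
    It is a triage hint, not proof; a human still has to look at the file."""
    base = base.lower()
    if len(base) != 8 or not base.isalpha():
        return False
    return all((base[i] in VOWELS) != (base[i - 1] in VOWELS) for i in range(1, 8))


def split_path(path):
    """Split a Windows path into (lower-cased directory, file name)."""
    directory, _, filename = path.rpartition("\\")
    return directory.lower(), filename


def triage_line(line):
    """Return the list of reasons a single HijackThis line deserves a look."""
    reasons = []
    section = line.split(" - ", 1)[0].strip()
    if section == "O2" and "(no name)" in line:
        reasons.append("BHO with no name")
    if section in ("O21", "O22") and "(file missing)" in line:
        reasons.append("SSODL/SharedTaskScheduler entry whose file is missing")
    if section == "O4" and RUNDLL_RE.search(line):
        reasons.append("Run key launches a system32 DLL through Rundll32")
    for path in PATH_RE.findall(line):
        directory, filename = split_path(path)
        base = filename.rsplit(".", 1)[0]
        if directory.endswith("\\system32") and is_random_name(base):
            reasons.append("random-looking name in system32: " + filename)
    return reasons


def triage(log_text):
    """Run triage_line over a whole log; return [(line, reasons)] for hits only."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for hit_line, hit_reasons in triage(SAMPLE_LOG):
        print(hit_line)
        for reason in hit_reasons:
            print("    ->", reason)
```

    Run against the full log above it also picks up the O22 entry and the other three system32 DLLs in the O20 AppInit_DLLs line, while the vendor entries (Adobe, AVG, Kaspersky, Java) stay quiet.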

  2. #2
    Emeritus - Security Expert peku006 (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hello and welcome to Safer Networking.

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Please continue to respond until I give you the "All Clear".

    If you follow these instructions, everything should go smoothly.

    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer:

    BitTorrent DNA

    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    1 - Scan With ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    How to Temporarily Disable Anti-virus

    Please include the C:\ComboFix.txt in your next reply for further review.

    2 - Run HijackThis
    Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.

    3 - Status Check
    Please reply with:

    1. the ComboFix log (C:\ComboFix.txt)
    2. a fresh HijackThis log

    Thanks, peku006
    I don't help with logs through PM. If you have problems, create a thread in the forum, please.

  3. #3
    Junior Member (Join Date: Dec 2008, Posts: 7)

    Thank you for your assistance. As requested, here are the ComboFix and HJT logs:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:50:20 PM, on 30/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1203682545671
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1203682515296
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobio...ne/install.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

    --
    End of file - 6358 bytes


    ComboFix 08-12-29.02 - Sue 2008-12-30 15:34:06.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.516 [GMT 11:00]
    Running from: c:\documents and settings\Sue\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Sue\Local Settings\Temporary Internet Files\update.inf
    c:\windows\system32\agatalot.ini
    c:\windows\system32\ahozukah.ini
    c:\windows\system32\ajazuvud.ini
    c:\windows\system32\eminurem.ini
    c:\windows\system32\fokozewa.dll
    c:\windows\system32\ihetowil.ini
    c:\windows\system32\iverigak.ini
    c:\windows\system32\jisubufo.dll
    c:\windows\system32\jusiwona.dll
    c:\windows\system32\merunime.dll
    c:\windows\system32\opebirul.ini
    c:\windows\system32\opemigeb.ini
    c:\windows\system32\raziwanu.dll
    c:\windows\system32\siwusupe.dll
    c:\windows\system32\tibarozo.dll
    c:\windows\system32\ubariwop.ini
    c:\windows\system32\utanivop.ini
    c:\windows\system32\yerayeho.dll

    ----- BITS: Possible infected sites -----

    hxxp://77.74.48.105
    .
    ((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
    .

    2008-12-30 14:47 . 2008-12-30 14:47 2,602 ---hs---- c:\windows\system32\dezudesu.dll
    2008-12-30 14:47 . 2008-12-30 14:47 2,602 ---hs---- c:\windows\system32\bazabezi.dll
    2008-12-30 14:47 . 2008-12-30 14:47 2,601 ---hs---- c:\windows\system32\posuyele.dll
    2008-12-30 11:46 . 2008-12-30 12:08 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-28 12:30 . 2008-12-28 12:30 2,602 ---hs---- c:\windows\system32\tonepopo.dll
    2008-12-28 00:30 . 2008-12-28 00:30 2,602 ---hs---- c:\windows\system32\mevozeha.dll
    2008-12-27 20:15 . 2008-12-27 20:15 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-27 13:03 . 2008-12-27 13:03 <DIR> d-------- c:\program files\Trend Micro
    2008-12-27 12:29 . 2008-12-27 12:29 2,603 ---hs---- c:\windows\system32\hovolile.dll
    2008-12-27 12:29 . 2008-12-27 12:29 2,603 ---hs---- c:\windows\system32\gisusuje.dll
    2008-12-18 12:11 . 2008-12-24 12:35 385 --a------ c:\windows\wininit.ini
    2008-12-18 01:51 . 2008-12-18 01:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-18 01:51 . 2008-12-18 12:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-18 00:15 . 2008-12-29 15:25 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-17 17:18 . 2008-12-17 17:18 2,604 ---hs---- c:\windows\system32\duweweba.dll
    2008-12-17 17:18 . 2008-12-17 17:18 2,601 ---hs---- c:\windows\system32\dajifuji.dll
    2008-12-17 14:51 . 2008-12-29 13:09 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-12-17 14:51 . 2008-12-17 14:51 <DIR> d-------- c:\program files\AVG
    2008-12-17 14:51 . 2008-12-30 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-17 14:51 . 2008-12-17 14:51 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-12-17 14:51 . 2008-12-17 14:51 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-12-17 14:51 . 2008-12-17 14:51 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-17 13:37 . 2008-12-17 13:37 <DIR> d-------- c:\documents and settings\Sue\New Folder
    2008-12-17 13:08 . 2008-12-17 13:08 <DIR> d-------- c:\program files\Kaspersky Lab
    2008-12-17 13:08 . 2008-12-30 15:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2008-12-17 13:08 . 2008-12-30 15:36 4,720,160 --ahs---- c:\windows\system32\drivers\fidbox.dat
    2008-12-17 13:08 . 2008-12-30 15:39 303,136 --ahs---- c:\windows\system32\drivers\fidbox2.dat
    2008-12-17 13:08 . 2008-12-17 13:08 96,976 --a------ c:\windows\system32\drivers\klin.dat
    2008-12-17 13:08 . 2008-12-17 13:08 87,855 --a------ c:\windows\system32\drivers\klick.dat
    2008-12-17 13:08 . 2008-12-30 15:36 40,052 --ahs---- c:\windows\system32\drivers\fidbox.idx
    2008-12-17 13:08 . 2008-12-30 15:36 3,164 --ahs---- c:\windows\system32\drivers\fidbox2.idx
    2008-12-17 13:07 . 2008-12-17 13:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-11-18 18:17 . 2008-11-18 18:34 <DIR> d-------- c:\program files\VentSrv
    2008-11-11 20:00 . 2008-11-11 20:00 218,376 --a------ c:\windows\system32\klogon.dll
    2008-11-11 19:58 . 2008-11-11 19:58 25,601 --a------ c:\windows\system32\drivers\klopp.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-30 04:05 --------- d-----w c:\program files\Trillian
    2008-12-28 08:51 --------- d-----w c:\documents and settings\Sue\Application Data\teamspeak2
    2008-12-27 09:15 --------- d-----w c:\program files\Java
    2008-12-17 14:56 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-16 05:57 --------- d-----w c:\program files\Windows Media Connect 2
    2008-11-18 08:29 --------- d-----w c:\program files\Teamspeak2_RC2
    2008-12-20 12:49 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-12-20 12:49 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-12-20 12:49 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-12-20 12:49 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-12-20 12:49 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-06-11 83968]
    "Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2005-12-20 32768]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-11-11 206088]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-17 1261336]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 c:\windows\soundman.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Games\\World of Warcraft\\Repair.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Games\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
    "c:\\Program Files\\Teamspeak2_RC2\\TeamSpeak.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "3784:TCP"= 3784:TCP:Ventrillo TCP
    "3784:UDP"= 3784:UDP:Ventrillo UDP
    "8767:TCP"= 8767:TCP:TeamSpeak TCP
    "8767:UDP"= 8767:UDP:Teamspeak UDP

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-17 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-17 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-17 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-17 76040]
    R3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\DRIVERS\Alpham.sys [2005-12-04 34944]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
    S3 Alpham1;Ideazon Merc USB Human Interface Device;c:\windows\system32\DRIVERS\Alpham1.sys [2007-07-23 42624]
    S3 Alpham2;Ideazon Merc MM USB Human Interface Device;c:\windows\system32\DRIVERS\Alpham2.sys [2007-03-20 18432]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-29 c:\windows\Tasks\At1.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-27 c:\windows\Tasks\At10.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-27 c:\windows\Tasks\At11.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-28 c:\windows\Tasks\At12.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-28 c:\windows\Tasks\At13.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-28 c:\windows\Tasks\At14.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At15.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-30 c:\windows\Tasks\At16.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At17.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At18.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At19.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-28 c:\windows\Tasks\At2.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At20.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At21.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At22.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At23.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At24.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At25.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-28 c:\windows\Tasks\At26.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At27.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At28.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At29.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At3.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-27 c:\windows\Tasks\At30.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At31.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At32.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At33.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At34.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At35.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-28 c:\windows\Tasks\At36.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-28 c:\windows\Tasks\At37.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-28 c:\windows\Tasks\At38.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At39.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-27 c:\windows\Tasks\At4.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-30 c:\windows\Tasks\At40.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At41.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At42.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At43.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At44.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At45.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At46.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At47.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-29 c:\windows\Tasks\At48.job
    - c:\windows\system32\o1in1ngI.exe []

    2008-12-28 c:\windows\Tasks\At49.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At5.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-28 c:\windows\Tasks\At50.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At51.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At52.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At53.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At54.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At55.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At56.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At57.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At58.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At59.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At6.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-28 c:\windows\Tasks\At60.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-28 c:\windows\Tasks\At61.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-28 c:\windows\Tasks\At62.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-28 c:\windows\Tasks\At62.job
    - K:\ []

    2008-12-29 c:\windows\Tasks\At63.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-30 c:\windows\Tasks\At64.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-29 c:\windows\Tasks\At65.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-29 c:\windows\Tasks\At66.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-29 c:\windows\Tasks\At67.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-29 c:\windows\Tasks\At68.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-29 c:\windows\Tasks\At69.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At7.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-29 c:\windows\Tasks\At70.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-29 c:\windows\Tasks\At71.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-29 c:\windows\Tasks\At72.job
    - c:\windows\system32\20X8yQUo.exe []

    2008-12-27 c:\windows\Tasks\At8.job
    - c:\windows\system32\2PTlVVK1.exe []

    2008-12-27 c:\windows\Tasks\At9.job
    - c:\windows\system32\2PTlVVK1.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{2ab5ab86-d857-41f3-9a26-60b2f598a94a} - c:\windows\system32\fokozewa.dll
    HKCU-Run-iPlusAgent - c:\program files\iriver\iriver plus\iAgent.exe
    HKLM-Run-sadorujoha - c:\windows\system32\menuliho.dll


    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: asia.msi.com.tw
    Trusted Zone: global.msi.com.tw
    Trusted Zone: www.msi.com.tw

    O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    c:\windows\Downloaded Program Files\MSIWDev.inf
    FF - ProfilePath - c:\documents and settings\Sue\Application Data\Mozilla\Firefox\Profiles\4kytjr7j.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.knightsofvegemight.com/nuke/
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-30 15:38:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1412)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\WgaTray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-30 15:42:51 - machine was rebooted [Sue]
    ComboFix-quarantined-files.txt 2008-12-30 04:42:48

    Pre-Run: 403,632,386,048 bytes free
    Post-Run: 404,009,107,456 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    343 --- E O F --- 2008-12-11 16:01:55

  4. #4
    peku006 (Emeritus - Security Expert; Norway; joined Feb 2007; 3,103 posts)

    Hi grommit01

    1 - Download and run OTMoveIt3

    • Download OTMoveIt3 by OldTimer from here and save it to your desktop
    • Launch OTMoveIt3.exe and copy the text from the codebox below into the left-hand box below "Paste Instructions for Items to be Moved"
      Code:
      :files
      
      c:\windows\system32\dezudesu.dll
      c:\windows\system32\bazabezi.dll
      c:\windows\system32\posuyele.dll
      c:\windows\system32\tonepopo.dll
      c:\windows\system32\mevozeha.dll
      c:\windows\system32\deploytk.dll
      c:\windows\system32\hovolile.dll
      c:\windows\system32\gisusuje.dll
      c:\windows\system32\duweweba.dll
      c:\windows\system32\dajifuji.dll
      c:\windows\system32\20X8yQUo.exe
      c:\windows\system32\2PTlVVK1.exe
      c:\windows\system32\o1in1ngI.exe
      c:\windows\Tasks\At1.job
      c:\windows\Tasks\At10.job
      c:\windows\Tasks\At11.job
      c:\windows\Tasks\At12.job
      c:\windows\Tasks\At13.job
      c:\windows\Tasks\At14.job
      c:\windows\Tasks\At15.job
      c:\windows\Tasks\At16.job
      c:\windows\Tasks\At17.job
      c:\windows\Tasks\At18.job
      c:\windows\Tasks\At19.job
      c:\windows\Tasks\At2.job
      c:\windows\Tasks\At20.job
      c:\windows\Tasks\At21.job
      c:\windows\Tasks\At22.job
      c:\windows\Tasks\At23.job
      c:\windows\Tasks\At24.job
      c:\windows\Tasks\At25.job
      c:\windows\Tasks\At26.job
      c:\windows\Tasks\At27.job
      c:\windows\Tasks\At28.job
      c:\windows\Tasks\At29.job
      c:\windows\Tasks\At3.job
      c:\windows\Tasks\At30.job
      c:\windows\Tasks\At31.job
      c:\windows\Tasks\At32.job
      c:\windows\Tasks\At33.job
      c:\windows\Tasks\At34.job
      c:\windows\Tasks\At35.job
      c:\windows\Tasks\At36.job
      c:\windows\Tasks\At37.job
      c:\windows\Tasks\At38.job
      c:\windows\Tasks\At39.job
      c:\windows\Tasks\At4.job
      c:\windows\Tasks\At40.job
      c:\windows\Tasks\At41.job
      c:\windows\Tasks\At42.job
      c:\windows\Tasks\At43.job
      c:\windows\Tasks\At44.job
      c:\windows\Tasks\At45.job
      c:\windows\Tasks\At46.job
      c:\windows\Tasks\At47.job
      c:\windows\Tasks\At48.job
      c:\windows\Tasks\At49.job
      c:\windows\Tasks\At5.job
      c:\windows\Tasks\At50.job
      c:\windows\Tasks\At51.job
      c:\windows\Tasks\At52.job
      c:\windows\Tasks\At53.job
      c:\windows\Tasks\At54.job
      c:\windows\Tasks\At55.job
      c:\windows\Tasks\At56.job
      c:\windows\Tasks\At57.job
      c:\windows\Tasks\At58.job
      c:\windows\Tasks\At59.job
      c:\windows\Tasks\At6.job
      c:\windows\Tasks\At60.job
      c:\windows\Tasks\At61.job
      c:\windows\Tasks\At62.job
      c:\windows\Tasks\At62.job
      c:\windows\Tasks\At63.job
      c:\windows\Tasks\At64.job
      c:\windows\Tasks\At65.job
      c:\windows\Tasks\At66.job
      c:\windows\Tasks\At67.job
      c:\windows\Tasks\At68.job
      c:\windows\Tasks\At69.job
      c:\windows\Tasks\At7.job
      c:\windows\Tasks\At70.job
      c:\windows\Tasks\At71.job
      c:\windows\Tasks\At72.job
      c:\windows\Tasks\At8.job
      c:\windows\Tasks\At9.job
    • Double-check that the input matches the code box above and then click the MoveIt! button to start the script. If you're prompted about rebooting, allow the request.
    • Once OTMoveIt finishes, a log will be located at C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss. (mmddyyyy_hhmmss is a timestamp from when the log was created)
    • Include this log in your next reply


    2 - Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2

    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.

    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    On the Scanner tab:
    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found here:

      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    3 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

    4 - Status Check
    Please reply with

    1. the OTMoveIt3 log
    2. the Malwarebytes' Anti-Malware Log
    3. a fresh HijackThis log
    How is the computer running now?

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
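    The job listing in the ComboFix log (post #3) and the ":files" list in post #4 are two views of the same evidence: every At<N>.job pointed at one of two random-named executables in system32, and the removal script lists those executables plus every job. The script below is an added example, not part of the thread and not a feature of OTMoveIt3 or ComboFix: it parses a listing in ComboFix's task layout, flags jobs by that pattern, and emits a de-duplicated ":files" block. The sample listing is constructed from a few lines of the real log plus one made-up benign task; the eight-character mixed-case heuristic is an assumption taken from the names in this particular log, not a general Vundo signature.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of ComboFix's task listing above:
# "<date> <job path>" followed by "- <target> []". The At*.job lines copy
# real entries from the log; the GoogleUpdate task is made up so the
# filter has a benign entry to leave alone.
SAMPLE_TASKS = r"""
2008-12-28 c:\windows\Tasks\At49.job
- c:\windows\system32\20X8yQUo.exe []

2008-12-27 c:\windows\Tasks\At5.job
- c:\windows\system32\2PTlVVK1.exe []

2008-12-28 c:\windows\Tasks\At62.job
- c:\windows\system32\20X8yQUo.exe []

2008-12-28 c:\windows\Tasks\At62.job
- K:\ []

2008-12-29 c:\windows\Tasks\At63.job
- c:\windows\system32\20X8yQUo.exe []

2008-12-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\google\update\googleupdate.exe []
"""

JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)$", re.I)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s*\[.*\]$")
AT_JOB_RE = re.compile(r"^at\d+\.job$", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def parse_tasks(text):
    """Pair each '<date> <job>' line with the '- <target> []' line after it."""
    pairs, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = JOB_RE.match(line)
        if m:
            pending = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            pairs.append((pending, m.group("target").strip()))
            pending = None
    return pairs


def random_system32_binary(target):
    """Assumed heuristic taken from this log's droppers (20X8yQUo.exe,
    2PTlVVK1.exe): an .exe/.dll directly in system32 whose stem is eight
    alphanumerics mixing digits, upper- and lower-case letters."""
    low = target.lower()
    if not low.startswith(SYSTEM32) or "\\" in low[len(SYSTEM32):]:
        return False
    stem, _, ext = target[len(SYSTEM32):].rpartition(".")
    if ext.lower() not in ("exe", "dll") or not re.fullmatch(r"[A-Za-z0-9]{8}", stem):
        return False
    return (any(c.isdigit() for c in stem) and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def triage(text):
    """Flag a job when its target looks like a random system32 binary or the
    job itself is an at.exe-style At<N>.job (a home PC normally has none).
    Returns {target: [job names]} plus the flagged job paths, each once."""
    by_target, jobs = defaultdict(list), []
    for job_path, target in parse_tasks(text):
        job_name = job_path.rsplit("\\", 1)[-1]
        if random_system32_binary(target) or AT_JOB_RE.match(job_name):
            if job_name not in by_target[target]:
                by_target[target].append(job_name)
            if job_path not in jobs:
                jobs.append(job_path)
    return {"targets": dict(by_target), "jobs": jobs}


def job_sort_key(path):
    """At5.job before At49.job; any other job follows in lexical order."""
    m = re.search(r"At(\d+)\.job$", path, re.I)
    return (0, int(m.group(1)), "") if m else (1, 0, path.lower())


def build_otmoveit_script(result):
    """Emit an OTMoveIt3 ':files' block: the dropper binaries first, then the
    jobs, each path exactly once. The list in the thread had At62.job twice,
    and the second attempt logged 'not found'."""
    lines = [":files", ""]
    lines += [t for t in result["targets"] if random_system32_binary(t)]
    lines += sorted(result["jobs"], key=job_sort_key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_otmoveit_script(triage(SAMPLE_TASKS)))
```

    Running it prints a ":files" block in the same shape as the one in post #4, with the two executables on top and the jobs in numeric order. The At62.job that points at K:\ is still flagged, because the job name alone is enough: at.exe-created jobs numbered into the seventies on a workstation are the indicator, whatever each one happens to launch.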

  5. #5
    Junior Member (joined Dec 2008; 7 posts)

    Thank you once again for your assistance, your help is very much appreciated.

    Here are the 3 log files, as requested:

    OTMoveIt Log

    ========== FILES ==========
    LoadLibrary failed for c:\windows\system32\dezudesu.dll
    c:\windows\system32\dezudesu.dll NOT unregistered.
    c:\windows\system32\dezudesu.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\bazabezi.dll
    c:\windows\system32\bazabezi.dll NOT unregistered.
    c:\windows\system32\bazabezi.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\posuyele.dll
    c:\windows\system32\posuyele.dll NOT unregistered.
    c:\windows\system32\posuyele.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\tonepopo.dll
    c:\windows\system32\tonepopo.dll NOT unregistered.
    c:\windows\system32\tonepopo.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\mevozeha.dll
    c:\windows\system32\mevozeha.dll NOT unregistered.
    c:\windows\system32\mevozeha.dll moved successfully.
    c:\windows\system32\deploytk.dll unregistered successfully.
    c:\windows\system32\deploytk.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\hovolile.dll
    c:\windows\system32\hovolile.dll NOT unregistered.
    c:\windows\system32\hovolile.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\gisusuje.dll
    c:\windows\system32\gisusuje.dll NOT unregistered.
    c:\windows\system32\gisusuje.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\duweweba.dll
    c:\windows\system32\duweweba.dll NOT unregistered.
    c:\windows\system32\duweweba.dll moved successfully.
    LoadLibrary failed for c:\windows\system32\dajifuji.dll
    c:\windows\system32\dajifuji.dll NOT unregistered.
    c:\windows\system32\dajifuji.dll moved successfully.
    File/Folder c:\windows\system32\20X8yQUo.exe not found.
    File/Folder c:\windows\system32\2PTlVVK1.exe not found.
    File/Folder c:\windows\system32\o1in1ngI.exe not found.
    c:\windows\Tasks\At1.job moved successfully.
    c:\windows\Tasks\At10.job moved successfully.
    c:\windows\Tasks\At11.job moved successfully.
    c:\windows\Tasks\At12.job moved successfully.
    c:\windows\Tasks\At13.job moved successfully.
    c:\windows\Tasks\At14.job moved successfully.
    c:\windows\Tasks\At15.job moved successfully.
    c:\windows\Tasks\At16.job moved successfully.
    c:\windows\Tasks\At17.job moved successfully.
    c:\windows\Tasks\At18.job moved successfully.
    c:\windows\Tasks\At19.job moved successfully.
    c:\windows\Tasks\At2.job moved successfully.
    c:\windows\Tasks\At20.job moved successfully.
    c:\windows\Tasks\At21.job moved successfully.
    c:\windows\Tasks\At22.job moved successfully.
    c:\windows\Tasks\At23.job moved successfully.
    c:\windows\Tasks\At24.job moved successfully.
    c:\windows\Tasks\At25.job moved successfully.
    c:\windows\Tasks\At26.job moved successfully.
    c:\windows\Tasks\At27.job moved successfully.
    c:\windows\Tasks\At28.job moved successfully.
    c:\windows\Tasks\At29.job moved successfully.
    c:\windows\Tasks\At3.job moved successfully.
    c:\windows\Tasks\At30.job moved successfully.
    c:\windows\Tasks\At31.job moved successfully.
    c:\windows\Tasks\At32.job moved successfully.
    c:\windows\Tasks\At33.job moved successfully.
    c:\windows\Tasks\At34.job moved successfully.
    c:\windows\Tasks\At35.job moved successfully.
    c:\windows\Tasks\At36.job moved successfully.
    c:\windows\Tasks\At37.job moved successfully.
    c:\windows\Tasks\At38.job moved successfully.
    c:\windows\Tasks\At39.job moved successfully.
    c:\windows\Tasks\At4.job moved successfully.
    c:\windows\Tasks\At40.job moved successfully.
    c:\windows\Tasks\At41.job moved successfully.
    c:\windows\Tasks\At42.job moved successfully.
    c:\windows\Tasks\At43.job moved successfully.
    c:\windows\Tasks\At44.job moved successfully.
    c:\windows\Tasks\At45.job moved successfully.
    c:\windows\Tasks\At46.job moved successfully.
    c:\windows\Tasks\At47.job moved successfully.
    c:\windows\Tasks\At48.job moved successfully.
    c:\windows\Tasks\At49.job moved successfully.
    c:\windows\Tasks\At5.job moved successfully.
    c:\windows\Tasks\At50.job moved successfully.
    c:\windows\Tasks\At51.job moved successfully.
    c:\windows\Tasks\At52.job moved successfully.
    c:\windows\Tasks\At53.job moved successfully.
    c:\windows\Tasks\At54.job moved successfully.
    c:\windows\Tasks\At55.job moved successfully.
    c:\windows\Tasks\At56.job moved successfully.
    c:\windows\Tasks\At57.job moved successfully.
    c:\windows\Tasks\At58.job moved successfully.
    c:\windows\Tasks\At59.job moved successfully.
    c:\windows\Tasks\At6.job moved successfully.
    c:\windows\Tasks\At60.job moved successfully.
    c:\windows\Tasks\At61.job moved successfully.
    c:\windows\Tasks\At62.job moved successfully.
    File/Folder c:\windows\Tasks\At62.job not found.
    c:\windows\Tasks\At63.job moved successfully.
    c:\windows\Tasks\At64.job moved successfully.
    c:\windows\Tasks\At65.job moved successfully.
    c:\windows\Tasks\At66.job moved successfully.
    c:\windows\Tasks\At67.job moved successfully.
    c:\windows\Tasks\At68.job moved successfully.
    c:\windows\Tasks\At69.job moved successfully.
    c:\windows\Tasks\At7.job moved successfully.
    c:\windows\Tasks\At70.job moved successfully.
    c:\windows\Tasks\At71.job moved successfully.
    c:\windows\Tasks\At72.job moved successfully.
    c:\windows\Tasks\At8.job moved successfully.
    c:\windows\Tasks\At9.job moved successfully.

    OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12312008_000608

    Malwarebytes' Anti-Malware 1.31
    Database version: 1574
    Windows 5.1.2600 Service Pack 2

    31/12/2008 12:53:56 AM
    mbam-log-2008-12-31 (00-53-56).txt

    Scan type: Full Scan (C:\|D:\|E:\|)
    Objects scanned: 169231
    Time elapsed: 41 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\merunime.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2A254C4A-01DE-4930-BE79-760CA68C65F4}\RP329\A0029038.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2A254C4A-01DE-4930-BE79-760CA68C65F4}\RP330\A0029118.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2A254C4A-01DE-4930-BE79-760CA68C65F4}\RP330\A0030237.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2A254C4A-01DE-4930-BE79-760CA68C65F4}\RP331\A0030294.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2A254C4A-01DE-4930-BE79-760CA68C65F4}\RP331\A0030326.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2A254C4A-01DE-4930-BE79-760CA68C65F4}\RP332\A0030495.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:54:52 AM, on 31/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1203682545671
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1203682515296
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobio...ne/install.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

    --
    End of file - 6484 bytes
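    As an added example (not from the thread and not part of OTMoveIt3 or Malwarebytes), the script below reads an OTMoveIt3 log in the layout posted above and reconciles it against the requested ":files" list, so a helper can see at a glance which paths were moved, which were already gone (the three .exe files, and the second At62.job entry, which was listed twice), and which never produced a log line at all. It also classifies Malwarebytes "Files Infected" paths: hits under C:\Qoobox (ComboFix's quarantine folder) and under System Volume Information\_restore (System Restore points) are dormant copies of files that were already removed, not running malware, which is why the only live detections in the MBAM log above are registry keys. The sample inputs are constructed from lines of the real logs, with one made-up "live" path (example.dll) and one deliberately omitted log line (o1in1ngI.exe) to exercise the unaccounted case.

```python
import re

# Constructed excerpt in the layout of the OTMoveIt3 log above (real paths from
# the thread, trimmed; o1in1ngI.exe is deliberately left out so the
# reconciliation has an unaccounted path to report).
SAMPLE_OTMOVEIT_LOG = r"""
LoadLibrary failed for c:\windows\system32\dezudesu.dll
c:\windows\system32\dezudesu.dll NOT unregistered.
c:\windows\system32\dezudesu.dll moved successfully.
c:\windows\system32\deploytk.dll unregistered successfully.
c:\windows\system32\deploytk.dll moved successfully.
File/Folder c:\windows\system32\20X8yQUo.exe not found.
c:\windows\Tasks\At62.job moved successfully.
File/Folder c:\windows\Tasks\At62.job not found.
"""

# The ':files' entries that produced it, including the duplicated At62.job.
REQUESTED = [
    r"c:\windows\system32\dezudesu.dll",
    r"c:\windows\system32\deploytk.dll",
    r"c:\windows\system32\20X8yQUo.exe",
    r"c:\windows\system32\o1in1ngI.exe",
    r"c:\windows\Tasks\At62.job",
    r"c:\windows\Tasks\At62.job",
]

# Constructed MBAM 'Files Infected' lines: two real entries from the log above
# plus one made-up path (example.dll) standing in for a live hit.
SAMPLE_MBAM_FILES = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\merunime.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2A254C4A-01DE-4930-BE79-760CA68C65F4}\RP329\A0029038.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

NOT_FOUND_RE = re.compile(r"^File/Folder (?P<p>.+?) not found\.$", re.I)
MOVED_RE = re.compile(r"^(?P<p>.+?) moved successfully\.$", re.I)
UNREG_RE = re.compile(r"^(?P<p>.+?) (?P<state>NOT unregistered|unregistered successfully)\.$")
LOADLIB_RE = re.compile(r"^LoadLibrary failed for (?P<p>.+)$", re.I)
MBAM_FILE_RE = re.compile(r"^(?P<p>[A-Za-z]:\\.+?) \((?P<det>[^)]+)\) -> (?P<action>.+)$")


def parse_otmoveit_log(text):
    """Per lower-cased path: how often it was moved or reported missing, the
    unregister result (None for non-DLLs) and whether LoadLibrary failed."""
    status = {}

    def rec(path):
        return status.setdefault(path.lower(), dict(
            moved=0, not_found=0, unregistered=None, loadlibrary_failed=False))

    for line in text.splitlines():
        line = line.strip()
        if m := NOT_FOUND_RE.match(line):
            rec(m["p"])["not_found"] += 1
        elif m := MOVED_RE.match(line):
            rec(m["p"])["moved"] += 1
        elif m := UNREG_RE.match(line):
            rec(m["p"])["unregistered"] = m["state"].startswith("unregistered")
        elif m := LOADLIB_RE.match(line):
            rec(m["p"])["loadlibrary_failed"] = True
    return status


def reconcile(requested, status):
    """Group requested paths as moved, not found, or unaccounted (no log line).
    A path listed twice is reported once; a first-attempt move wins over a
    later 'not found' for the same path."""
    out = {"moved": [], "not_found": [], "unaccounted": []}
    for p in dict.fromkeys(x.lower() for x in requested):
        s = status.get(p)
        if s is None:
            out["unaccounted"].append(p)
        elif s["moved"]:
            out["moved"].append(p)
        else:
            out["not_found"].append(p)
    return out


def classify_mbam_path(path):
    """Hits inside ComboFix's quarantine folder (Qoobox) or inside System
    Restore points are dormant copies of files already removed; only a
    'live' path points at something that could still be loaded."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    return "live"


def summarize_mbam_files(text):
    """Count 'Files Infected' lines per category and list the live paths."""
    counts = {"combofix_quarantine": 0, "restore_point": 0, "live": 0}
    live = []
    for line in text.splitlines():
        if m := MBAM_FILE_RE.match(line.strip()):
            cat = classify_mbam_path(m["p"])
            counts[cat] += 1
            if cat == "live":
                live.append(m["p"])
    return counts, live
```

    The "LoadLibrary failed ... NOT unregistered ... moved successfully" triplets are not an error: OTMoveIt tries to unregister a DLL before moving it, and a Vundo DLL that will not load into the tool simply gets moved unregistered, which is the outcome the helper wanted. The restore-point hits are the reason helpers usually ask for System Restore to be flushed once a machine is clean.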

  6. #6
    peku006 (Emeritus - Security Expert; Norway; joined Feb 2007; 3,103 posts)

    Hi grommit01
    Looking good
    We will run one online scan to be sure that there is nothing left.

    1 - Clean temp files

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:
      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Prefetch
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.

      if you use Firefox:
      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      if you use Opera:
      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


      Click Exit on the Main menu to close the program


    2 - Kaspersky Online Scan

    Please go to the Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.


    3 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

    4 - Status Check
    Please reply with

    1. the Kaspersky online scanner report
    2. a fresh HijackThis log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  7. #7
    Junior Member (joined Dec 2008; 7 posts)

    Hi Peku, I've run into a small problem.

    ATF Cleaner went well, but the Kaspersky Online Scan did not. After following the instructed steps and completion of the downloads, I receive a 'blue screen' reporting a critical error of some sort, and the PC reboots. I do have Kaspersky and AVG antivirus programs installed; however, they have been disabled.

    Any ideas?

    Regards, Sue

  8. #8
    peku006 (Emeritus - Security Expert; Norway; joined Feb 2007; 3,103 posts)

    Hi Sue
    Let us take a deeper look.

    Download and Run: OTViewIt

    • Please download OTViewIt and save it to your desktop.
    • Double click on OTViewIt.exe to run it.
    • Click on the Run Scan button at the top left hand corner.
    • OTViewIt will start running. When done, 2 Notepad files will open. Please post the contents of these 2 files in your next reply. One log per reply, please.


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  9. #9
    Junior Member (joined Dec 2008; 7 posts)

    Thanks Peku, here are the 2 OTViewIt logs:

    OTViewIt logfile created on: 31/12/2008 10:39:57 PM - Run
    OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Sue\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    1023.47 Mb Total Physical Memory | 697.23 Mb Available Physical Memory | 68.12% Memory free
    2.40 Gb Paging File | 2.01 Gb Available in Paging File | 83.59% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072;

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 465.75 Gb Total Space | 376.20 Gb Free Space | 80.77% Space Free | Partition Type: NTFS
    Drive D: | 931.52 Gb Total Space | 695.20 Gb Free Space | 74.63% Space Free | Partition Type: NTFS
    Drive E: | 186.30 Gb Total Space | 142.28 Gb Free Space | 76.37% Space Free | Partition Type: NTFS
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: SERVER
    Current User Name: Sue
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Whitelist: On
    File Age = 30 Days

    ========== Processes ==========

    [2007/09/29 02:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
    [2007/09/29 02:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
    [2004/06/11 11:15:00 | 00,083,968 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvraidservice.exe
    [2005/12/20 14:34:56 | 00,032,768 | ---- | M] (Ideazon, Inc.) -- C:\Program Files\Ideazon\ZEngine\Zboard.exe
    [2006/11/17 05:42:52 | 00,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
    [2008/12/27 20:15:22 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
    [2008/12/17 14:51:35 | 01,261,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
    [2008/12/17 14:51:33 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
    [2007/07/24 16:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
    [2008/12/27 20:15:22 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
    [2008/12/17 14:51:36 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
    [2008/12/17 14:51:34 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
    [2004/08/04 09:56:58 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
    [2001/08/23 23:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
    [2007/04/10 14:01:18 | 00,336,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
    [2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
    [2008/12/20 23:49:39 | 07,678,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    [2008/12/31 22:39:42 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sue\Desktop\OTViewIt.exe

    ========== (O23) Win32 Services ==========

    [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
    [2007/09/29 02:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
    [2008/12/17 14:51:34 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
    [2008/12/17 14:51:33 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
    [2008/11/11 19:59:16 | 00,206,088 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe -- (AVP [Auto | Running])
    [2007/07/24 16:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
    [2008/05/31 13:24:12 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
    [2008/12/27 20:15:22 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
    [2006/05/14 22:28:48 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
    File not found -- -- (Ventrilo [Auto | Stopped])
    [2005/10/06 18:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])

    ========== Driver Services ==========

    [2004/10/08 12:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K [System | Running])
    [2006/12/04 17:11:46 | 04,025,984 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
    [2005/12/04 13:55:40 | 00,034,944 | ---- | M] (Ideazon Corporation) -- C:\WINDOWS\system32\drivers\Alpham.sys -- (Alpham [On_Demand | Running])
    [2007/07/23 07:56:58 | 00,042,624 | ---- | M] (Ideazon Corporation) -- C:\WINDOWS\system32\drivers\Alpham1.sys -- (Alpham1 [On_Demand | Stopped])
    [2007/03/20 09:49:52 | 00,018,432 | ---- | M] (Ideazon Corporation) -- C:\WINDOWS\system32\drivers\Alpham2.sys -- (Alpham2 [On_Demand | Stopped])
    [2007/04/16 21:46:00 | 00,033,792 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM [System | Running])
    [2007/09/29 03:06:00 | 02,456,064 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
    [2008/12/17 14:51:43 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
    [2008/12/17 14:51:43 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
    [2008/12/17 14:51:46 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX [Auto | Running])
    [2004/08/03 22:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
    [2008/07/21 17:34:36 | 00,121,872 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Running])
    [2008/01/29 17:29:38 | 00,032,784 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg [Boot | Running])
    [2008/12/17 13:08:21 | 00,227,344 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF [System | Running])
    [2008/04/30 17:06:48 | 00,024,592 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5 [On_Demand | Running])
    [2005/05/17 17:45:00 | 00,092,800 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus [Boot | Running])
    [2004/05/17 14:00:00 | 00,033,280 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD [On_Demand | Running])
    [2004/05/17 14:00:00 | 00,012,928 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
    [2004/06/03 10:40:00 | 00,068,224 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid [Boot | Running])
    [2003/10/29 13:02:00 | 00,021,120 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv_agp.SYS -- (nv_agp [Boot | Running])
    [2001/08/23 23:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
    [2008/02/21 13:05:38 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
    [2007/07/12 11:49:16 | 00,096,384 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
    [2007/11/13 21:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
    [2008/12/17 13:08:21 | 00,227,344 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP [On_Demand | Stopped])

    ========== (R ) Internet Explorer ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
    "Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
    "Default_Secondary_Page_URL"=
    "Extensions Off Page"=about:NoAdd-ons
    "Local Page"=%SystemRoot%\system32\blank.htm
    "Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
    "Security Risk Page"=about:SecurityRisk
    "Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    "CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    "SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    "AlwaysUseDefaultPrinter"=yes
    "Local Page"=C:\WINDOWS\system32\blank.htm
    "Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    "Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable" = 0
    "ProxyOverride" = *.local

    ========== (O1) Hosts File ==========

    HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
    First 25 entries...
    127.0.0.1 localhost

    ========== (O2) BHO's ==========

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
    {53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} (HKLM) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll (Kaspersky Lab)
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    {DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    {E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

    ========== (O4) Run Keys ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" (Kaspersky Lab)
    "NVRaidService"=C:\WINDOWS\system32\nvraidservice.exe (NVIDIA Corporation)
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
    "SoundMan"=SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
    "Zboard"=C:\Program Files\Ideazon\ZEngine\Zboard.exe (Ideazon, Inc.)

    ========== (O4) Startup Folders ==========


    ========== (O6 & O7) Current Version Policies ==========

    [HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer]
    "Windows Update Menu Text"=Microsoft Update

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoDriveAutoRun"=67108863
    "NoDriveTypeAutoRun"=323
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    "DisableRegistryTools"=0

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoDriveTypeAutoRun"=323
    "NoDriveAutoRun"=67108863
    "NoDrives"=0

    ========== (O9) IE Extensions ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
    {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}: Button: Web traffic protection statistics -- %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll [2008/11/11 20:00:38 | 00,222,472 | ---- | M] (Kaspersky Lab)
    {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/07/07 09:41:58 | 01,562,448 | ---- | M] (Safer Networking Limited)
    {e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
    {FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 12:21:24 | 01,694,208 | ---- | M] (Microsoft Corporation)
    {FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 12:21:24 | 01,694,208 | ---- | M] (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
    CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 12:21:24 | 01,694,208 | ---- | M] (Microsoft Corporation)

    ========== (O12) Internet Explorer Plugins ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
    PluginsPage: "" = http://activex.microsoft.com/control...ext=%s&mime=%s
    PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

    ========== (O13) Default Prefixes ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
    ""=http://

    ========== (O15) Trusted Sites ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
    49 domain(s) and sub-domain(s) not assigned to a zone.

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
    com.tw\asia.msi: http in My Computer
    com.tw\global.msi: http in My Computer
    com.tw\www.msi: http in My Computer
    49 domain(s) and sub-domain(s) not assigned to a zone.

    ========== (O16) DPF ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
    {6414512B-B978-451D-A0D8-FCFDF33E833C}: http://www.update.microsoft.com/micr...?1203682545671 -- WUWebControl Class
    {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://www.update.microsoft.com/micr...?1203682515296 -- MUWebControl Class
    {8167C273-DF59-4416-B647-C8BB2C7EE83E}: http://liveupdate.msi.com.tw/autobio...ne/install.cab -- WebSDev Control
    {8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_11
    {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_06
    {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_11
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_11

    ========== (O17) DNS Name Servers ==========

    {2DA27063-FC87-442E-B140-09549D2DC6C7} (Servers: | Description: )
    {2FEB8ADC-A41D-4787-93BC-26A629B9DB11} (Servers: | Description: 1394 Net Adapter)
    {A537C14A-08AA-42D2-8822-CD7CE4C179A9} (Servers: | Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC)

    ========== (O20) Winlogon Notify Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
    AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)
    klogon: "DllName" = C:\WINDOWS\system32\klogon.dll -- C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)

    ========== Safeboot Options ==========

    "AlternateShell"=cmd.exe

    ========== CDRom AutoRun Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
    "AutoRun" = 1

    ========== Autorun Files on Drives ==========

    AUTOEXEC.BAT []
    [2008/02/22 22:49:02 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

    AUTOEXEC.BAT []
    [2008/02/22 22:24:03 | 00,000,000 | ---- | M] () -- E:\AUTOEXEC.BAT -- [ NTFS ]

    ========== Files/Folders - Created Within 30 Days ==========

    [3 C:\WINDOWS\*.tmp files]
    [2008/12/31 22:39:36 | 00,423,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sue\Desktop\OTViewIt.exe
    [2008/12/31 10:40:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2008/12/31 10:12:21 | 00,000,000 | -HSD | C] -- C:\RECYCLER
    [2008/12/31 00:10:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Sue\Application Data\Malwarebytes
    [2008/12/31 00:10:00 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2008/12/31 00:10:00 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2008/12/31 00:09:58 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2008/12/31 00:09:57 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2008/12/31 00:09:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2008/12/31 00:08:44 | 02,539,168 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sue\Desktop\mbam-setup.exe
    [2008/12/31 00:06:08 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
    [2008/12/31 00:04:26 | 01,033,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sue\Desktop\OTMoveIt3.exe
    [2008/12/30 15:26:11 | 00,000,211 | ---- | C] () -- C:\Boot.bak
    [2008/12/30 15:26:09 | 00,260,272 | ---- | C] () -- C:\cmldr
    [2008/12/30 15:26:08 | 00,000,000 | RHSD | C] -- C:\cmdcons
    [2008/12/30 15:23:14 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2008/12/30 15:23:14 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2008/12/30 15:23:14 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2008/12/30 15:23:14 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2008/12/30 15:23:14 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
    [2008/12/30 15:23:14 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2008/12/30 15:23:14 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2008/12/30 15:23:14 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
    [2008/12/28 11:29:14 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2008/12/28 11:29:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2008/12/28 11:29:11 | 00,000,000 | ---D | C] -- C:\Qoobox
    [2008/12/27 14:08:17 | 02,887,980 | R--- | C] () -- C:\Documents and Settings\Sue\Desktop\ComboFix.exe
    [2008/12/27 13:03:33 | 00,001,776 | ---- | C] () -- C:\Documents and Settings\Sue\Desktop\HijackThis.lnk
    [2008/12/27 13:03:30 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2008/12/27 13:02:50 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Sue\Desktop\HJTInstall.exe
    [2008/12/18 12:11:27 | 00,000,385 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2008/12/18 01:51:38 | 00,000,975 | ---- | C] () -- C:\Documents and Settings\Sue\Desktop\Spybot - Search & Destroy.lnk
    [2008/12/18 01:51:32 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2008/12/18 01:51:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2008/12/18 01:44:55 | 15,083,520 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Sue\Desktop\spybotsd160.exe
    [2008/12/18 00:15:25 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
    [2008/12/17 14:51:47 | 00,001,549 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.0.lnk
    [2008/12/17 14:51:46 | 00,076,040 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
    [2008/12/17 14:51:46 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
    [2008/12/17 14:51:43 | 00,097,928 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
    [2008/12/17 14:51:43 | 00,026,824 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
    [2008/12/17 14:51:40 | 31,290,179 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
    [2008/12/17 14:51:40 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
    [2008/12/17 14:51:40 | 00,368,010 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
    [2008/12/17 14:51:40 | 00,008,170 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
    [2008/12/17 14:51:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
    [2008/12/17 14:51:33 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
    [2008/12/17 14:51:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
    [2008/12/17 14:02:13 | 53,682,216 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Sue\Desktop\avg_free_stf_en_8_176a1399.exe
    [2008/12/17 13:08:59 | 00,096,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
    [2008/12/17 13:08:58 | 00,087,855 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
    [2008/12/17 13:08:33 | 04,720,160 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
    [2008/12/17 13:08:33 | 00,319,520 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
    [2008/12/17 13:08:33 | 00,040,052 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
    [2008/12/17 13:08:33 | 00,003,220 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
    [2008/12/17 13:08:32 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
    [2008/12/17 13:08:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    [2008/12/17 13:08:21 | 00,227,344 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
    [2008/12/17 13:07:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    [2008/12/17 12:44:39 | 39,647,808 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Sue\Desktop\kav8.0.0.506en.exe

    ========== Files - Modified Within 30 Days ==========

    [3 C:\WINDOWS\System32\*.tmp files]
    [3 C:\WINDOWS\*.tmp files]
    [2008/12/31 22:39:42 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sue\Desktop\OTViewIt.exe
    [2008/12/31 14:08:23 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2008/12/31 14:08:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2008/12/31 14:07:59 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2008/12/31 12:51:30 | 00,001,664 | ---- | M] () -- C:\Documents and Settings\Sue\Desktop\Trillian.lnk
    [2008/12/31 03:06:27 | 04,720,160 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
    [2008/12/31 03:06:27 | 00,319,520 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
    [2008/12/31 03:06:27 | 00,040,052 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
    [2008/12/31 03:06:27 | 00,003,220 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
    [2008/12/31 00:10:00 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2008/12/31 00:09:30 | 02,539,168 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sue\Desktop\mbam-setup.exe
    [2008/12/31 00:04:40 | 01,033,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sue\Desktop\OTMoveIt3.exe
    [2008/12/30 15:38:56 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2008/12/30 15:38:00 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2008/12/30 15:31:26 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\jikakewi
    [2008/12/30 15:26:11 | 00,000,281 | RHS- | M] () -- C:\boot.ini
    [2008/12/30 15:22:52 | 02,887,980 | R--- | M] () -- C:\Documents and Settings\Sue\Desktop\ComboFix.exe
    [2008/12/30 14:57:15 | 05,880,146 | -H-- | M] () -- C:\Documents and Settings\Sue\Local Settings\Application Data\IconCache.db
    [2008/12/29 13:09:45 | 31,290,179 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
    [2008/12/29 13:09:45 | 00,008,170 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
    [2008/12/27 13:03:34 | 00,001,776 | ---- | M] () -- C:\Documents and Settings\Sue\Desktop\HijackThis.lnk
    [2008/12/27 13:03:02 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Sue\Desktop\HJTInstall.exe
    [2008/12/24 12:35:55 | 00,000,385 | ---- | M] () -- C:\WINDOWS\wininit.ini
    [2008/12/23 04:24:28 | 00,368,010 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
    [2008/12/18 01:51:38 | 00,000,975 | ---- | M] () -- C:\Documents and Settings\Sue\Desktop\Spybot - Search & Destroy.lnk
    [2008/12/18 01:49:41 | 15,083,520 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Sue\Desktop\spybotsd160.exe
    [2008/12/17 14:51:47 | 00,001,549 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.0.lnk
    [2008/12/17 14:51:46 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
    [2008/12/17 14:51:46 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
    [2008/12/17 14:51:43 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
    [2008/12/17 14:51:43 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
    [2008/12/17 14:51:40 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
    [2008/12/17 14:19:20 | 53,682,216 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Sue\Desktop\avg_free_stf_en_8_176a1399.exe
    [2008/12/17 13:08:59 | 00,096,976 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
    [2008/12/17 13:08:58 | 00,087,855 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
    [2008/12/17 13:08:21 | 00,227,344 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
    [2008/12/17 12:59:51 | 39,647,808 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Sue\Desktop\kav8.0.0.506en.exe
    [2008/12/13 17:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
    [2008/12/13 17:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
    [2008/12/12 03:01:55 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2008/12/05 01:17:43 | 00,084,992 | ---- | M] () -- C:\Documents and Settings\Sue\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/12/03 19:59:06 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2008/12/03 19:59:02 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    < End of report >
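A long OTViewIt listing like the one above is usually triaged by pulling out the file rows that carry no publisher string, then narrowing by attributes and location. The Python below is an added example written for this page, not a tool from the thread or from OldTimer: it parses rows in the `[date time | size | attrs | M/C] (Company) -- path` format used above (the service-list rows with a trailing `-- (...)` and the `File not found` rows are handled), scores each file against a few heuristics, and returns the entries that deserve a manual look. The sample rows are copied from the posted log and the log time is taken from the Extras header; the flag rule (no publisher, under %SystemRoot%, and hidden or extensionless) and the 7-day window are my own choices. A flag is a prompt to inspect the file, not an identification: the hidden `fidbox.*` data files come out as well, and the log's creation timestamps (13:08:33, seconds after `klif.sys` and the `Kaspersky Lab` folder) are what tell them apart from a file such as `jikakewi` that appeared on its own during the clean-up.

```python
"""Heuristic triage of OTViewIt/OTL-style file rows (added example, not the forum's tool)."""
import ntpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Row format: [YYYY/MM/DD HH:MM:SS | size | RHSD flags | M or C] (Company) -- path [-- extra]
# The "(Company)" part is absent on directory rows; service rows add a trailing "-- (...)".
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)(?: -- .*)?$"
)

@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str            # four flags in the order R H S D, '-' when unset
    kind: str             # 'M' = modified time, 'C' = created time
    company: str          # '' when the row shows an empty "()" or no company
    path: str
    reasons: list = field(default_factory=list)

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

def parse_line(line: str):
    """Return an Entry for a file/dir row, or None for headers, blanks, 'File not found'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"].strip(),
    )

def assess(entry: Entry, log_time: datetime, recent: timedelta = timedelta(days=7)) -> list:
    """Attach the heuristic observations that apply to this entry."""
    r = []
    if not entry.company:
        r.append("no publisher/version info")
    if entry.hidden:
        r.append("hidden attribute")
    if not ntpath.splitext(entry.path)[1]:          # ntpath: parse Windows paths anywhere
        r.append("no file extension")
    if entry.path.lower().startswith("c:\\windows\\"):
        r.append("under %SystemRoot%")
    if timedelta(0) <= log_time - entry.timestamp <= recent:
        r.append(f"changed within {recent.days} days of the log")
    entry.reasons = r
    return r

def is_suspect(entry: Entry) -> bool:
    """Flag rule (my choice): unsigned-looking file in %SystemRoot% that is hidden or extensionless."""
    r = set(entry.reasons)
    return ("no publisher/version info" in r and "under %SystemRoot%" in r
            and ("hidden attribute" in r or "no file extension" in r))

def triage(lines, log_time: datetime) -> list:
    """Parse every row, skip directories and non-file rows, return the flagged entries."""
    suspects = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.is_dir:
            continue
        assess(e, log_time)
        if is_suspect(e):
            suspects.append(e)
    return suspects

# Rows copied from the log posted above (one service-list row and one 'File not found'
# row included to show the parser ignoring the extra text).
SAMPLE = r"""
[2008/12/31 00:10:00 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/12/30 15:31:26 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\jikakewi
[2008/12/31 14:08:23 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/12/17 13:08:33 | 04,720,160 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2008/12/20 23:49:39 | 07,678,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/12/31 10:12:21 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2008/02/22 22:49:02 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
[2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
File not found -- -- (Ventrilo [Auto | Stopped])
"""
# Taken from the Extras header: "logfile created on: 31/12/2008 10:39:57 PM"
LOG_TIME = datetime(2008, 12, 31, 22, 39, 57)

if __name__ == "__main__":
    for e in triage(SAMPLE.splitlines(), LOG_TIME):
        print(f"{e.path}  [{e.attrs}] {e.size} bytes  <- {'; '.join(e.reasons)}")
```

Run it against a saved OTViewIt log with `triage(open('OTViewIt.txt').read().splitlines(), LOG_TIME)`; then, for every hit, compare its created timestamp with the known installs in the same log before deciding anything, as the `fidbox.*` case shows.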

  10. #10
    Junior Member (Join Date: Dec 2008, Posts: 7)

    OTViewIt Extras logfile created on: 31/12/2008 10:39:57 PM - Run
    OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Sue\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    1023.47 Mb Total Physical Memory | 697.23 Mb Available Physical Memory | 68.12% Memory free
    2.40 Gb Paging File | 2.01 Gb Available in Paging File | 83.59% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072;

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 465.75 Gb Total Space | 376.20 Gb Free Space | 80.77% Space Free | Partition Type: NTFS
    Drive D: | 931.52 Gb Total Space | 695.20 Gb Free Space | 74.63% Space Free | Partition Type: NTFS
    Drive E: | 186.30 Gb Total Space | 142.28 Gb Free Space | 76.37% Space Free | Partition Type: NTFS
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: SERVER
    Current User Name: Sue
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Whitelist: On
    File Age = 30 Days

    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled"=1
    "AntiVirusDisableNotify"=1
    "FirewallDisableNotify"=0
    "UpdatesDisableNotify"=1
    "AntiVirusOverride"=0
    "FirewallOverride"=0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=1
    ""=
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    "EnableFirewall"=1
    "DoNotAllowExceptions"=0
    "DisableNotifications"=0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    [2004/08/04 09:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    [2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    [2004/08/04 09:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    [2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
    [2007/12/11 00:00:00 | 01,873,280 | ---- | M] (Cerulean Studios) -- C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian
    [2004/08/04 09:56:50 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test
    [2008/11/14 17:00:38 | 00,889,488 | ---- | M] (Blizzard Entertainment, Inc.) -- C:\Games\World of Warcraft\Repair.exe:*:Enabled:Blizzard Repair Utility
    [2007/07/24 16:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
    [2008/11/14 17:00:35 | 01,077,904 | ---- | M] (Blizzard Entertainment) -- C:\Games\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader
    [2007/08/02 06:52:48 | 00,439,808 | ---- | M] () -- C:\Program Files\Teamspeak2_RC2\server_windows.exe:*:Enabled:Server
    [2003/08/29 16:13:04 | 01,436,160 | ---- | M] (Dominating Bytes Design) -- C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe:*:Enabled:Teamspeak RC2
    [2008/12/17 14:51:34 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
    [2008/12/17 14:51:35 | 00,641,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
    [2004/10/13 12:21:24 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger
    [2007/12/17 17:13:36 | 03,810,544 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger

    ========== (O10) Winsock2 Catalogs ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
    NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

    ========== (O18) Protocol Handlers ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
    [2008/12/17 14:51:40 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])
    msdaipp: [HKLM - No CLSID value]
    [2004/09/17 14:44:16 | 00,843,472 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
    [2004/09/17 14:44:16 | 00,843,472 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0046FA01-C5B9-4985-BACB-398DC480FC05}"=Adobe Photoshop CS3
    "{04AF207D-9A77-465A-8B76-991F6AB66245}"=Adobe Help Viewer CS3
    "{08B32819-6EEF-4057-AEDA-5AB681A36A23}"=Adobe Bridge Start Meeting
    "{08CA9554-B5FE-4313-938F-D4A417B81175}"=QuickTime
    "{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}"=OpenOffice.org Installer 1.0
    "{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}"=Adobe WinSoft Linguistics Plugin
    "{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}"=Java(TM) 6 Update 11
    "{29E5EA97-5F74-4A57-B8B2-D4F169117183}"=Adobe Stock Photos CS3
    "{3248F0A8-6813-11D6-A77B-00B0D0160060}"=Java(TM) 6 Update 6
    "{51846830-E7B2-4218-8968-B77F0FF475B8}"=Adobe Color EU Extra Settings
    "{54793AA1-5001-42F4-ABB6-C364617C6078}"=Adobe Linguistics CS3
    "{64E47A5F-B3C4-476A-9100-2D006BD1FFB4}"=ZEngine
    "{6580C5A3-2336-4EC5-85F1-3448C5F6208A}"=Kaspersky Anti-Virus 2009
    "{6ABE0BEE-D572-4FE8-B434-9E72A289431B}"=Adobe Fonts All
    "{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}"=Adobe Asset Services CS3
    "{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
    "{789289CA-F73A-4A16-A331-54D498CE069F}"=Ventrilo Client
    "{7B63B2922B174135AFC0E1377DD81EC2}"=DivX Codec
    "{7CCEBC24-62DB-4280-A8EC-BFA49F167920}"=Software Update for Web Folders
    "{802771A9-A856-4A41-ACF7-1450E523C923}"=Adobe XMP Panels CS3
    "{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
    "{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}"=Adobe Device Central CS3
    "{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}"=Adobe Type Support
    "{90176341-0A8B-4CCC-A78D-F862228A6B95}"=Adobe Anchor Service CS3
    "{95655ED4-7CA5-46DF-907F-7144877A32E5}"=Adobe Color NA Recommended Settings
    "{9C9824D9-9000-4373-A6A5-D0E5D4831394}"=Adobe Bridge CS3
    "{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}"=Adobe CMaps
    "{A2D81E70-2A98-4A08-A628-94388B063C5E}"=Adobe Color - Photoshop Specific
    "{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}"=PDF Settings
    "{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
    "{B13A7C41581B411290FBC0395694E2A9}"=DivX Converter
    "{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}"=Adobe Camera Raw 4.0
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
    "{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
    "{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}"=Adobe Default Language CS3
    "{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}"=Adobe ExtendScript Toolkit 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
    "{D0DFF92A-492E-4C40-B862-A74A173C25C5}"=Adobe Version Cue CS3 Client
    "{D1BB4446-AE9C-4256-9A7F-4D46604D2462}"=Adobe Setup
    "{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}"=Adobe PDF Library Files
    "{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}"=Adobe Color Common Settings
    "{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}"=Adobe Color JA Extra Settings
    "{E69AE897-9E0B-485C-8552-7841F48D42D8}"=Adobe Update Manager CS3
    "{FB08F381-6533-4108-B7DD-039E11FBC27E}"=Realtek AC'97 Audio
    "AC3Filter"=AC3Filter (remove only)
    "Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
    "Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
    "Adobe_2ac78060bc5856b0c1cf873bb919b58"=Adobe Photoshop CS3
    "ATI Display Driver"=ATI Display Driver
    "AVG8Uninstall"=AVG Free 8.0
    "Canon Digital Camera USB WIA Driver"=Canon Digital Camera USB WIA Driver
    "HijackThis"=HijackThis 2.0.2
    "IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
    "ie7"=Windows Internet Explorer 7
    "InstallWIX_{6580C5A3-2336-4EC5-85F1-3448C5F6208A}"=Kaspersky Anti-Virus 2009
    "KC Softwares VideoInspector_is1"=KC Softwares VideoInspector
    "Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
    "Mozilla Firefox (2.0.0.20)"=Mozilla Firefox (2.0.0.20)
    "NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
    "NVIDIA Drivers"=NVIDIA Drivers
    "Teamspeak 2 RC2_is1"=TeamSpeak 2 RC2
    "TeamSpeak 2 Server_is1"=TeamSpeak 2 Server RC2
    "Trillian"=Trillian
    "WinRAR archiver"=WinRAR archiver
    "World of Warcraft"=World of Warcraft
    "Xvid_is1"=Xvid 1.1.3 final uninstall
    "Yahoo!7 Messenger"=Yahoo!7 Messenger

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 16/05/2008 10:21:48 PM | Computer Name = SERVER | Source = Application Error | ID = 1000
    Description = Faulting application wordpad.exe, version 5.1.2600.2180, faulting
    module unknown, version 0.0.0.0, fault address 0x7575ffff.

    Error - 22/05/2008 10:01:04 PM | Computer Name = SERVER | Source = PerfNet | ID = 2004
    Description = Unable to open the Server service. Server performance data will not
    be returned. Error code returned is in data DWORD 0.

    Error - 26/05/2008 7:05:59 AM | Computer Name = SERVER | Source = PerfNet | ID = 2004
    Description = Unable to open the Server service. Server performance data will not
    be returned. Error code returned is in data DWORD 0.

    Error - 11/07/2008 10:41:12 AM | Computer Name = SERVER | Source = Application Hang | ID = 1002
    Description = Hanging application Ad-Aware.exe, version 7.1.0.10, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 9/08/2008 5:56:13 AM | Computer Name = SERVER | Source = Application Hang | ID = 1002
    Description = Hanging application iexplore.exe, version 7.0.6000.16674, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 15/09/2008 10:13:34 PM | Computer Name = SERVER | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.8.20080.4669, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 3/10/2008 8:29:36 AM | Computer Name = SERVER | Source = Application Error | ID = 1000
    Description = Faulting application firefox.exe, version 1.8.20080.17373, faulting
    module firefox.exe, version 1.8.20080.17373, fault address 0x00175b8e.

    Error - 7/10/2008 12:46:26 AM | Computer Name = SERVER | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.8.20080.17373, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 7/10/2008 12:48:30 AM | Computer Name = SERVER | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.8.20080.17373, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 7/10/2008 1:28:13 AM | Computer Name = SERVER | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.8.20080.17373, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    [ System Events ]
    Error - 30/12/2008 7:41:21 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7000
    Description = The Ventrilo service failed to start due to the following error: %%2

    Error - 30/12/2008 7:51:03 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7000
    Description = The Ventrilo service failed to start due to the following error: %%2

    Error - 30/12/2008 7:51:10 PM | Computer Name = SERVER | Source = System Error | ID = 1003
    Description = Error code 100000d4, parameter1 b7233c48, parameter2 000000ff, parameter3
    00000001, parameter4 80542455.

    Error - 30/12/2008 7:51:18 PM | Computer Name = SERVER | Source = ati2mtag | ID = 45062
    Description = CRT invalid display type

    Error - 30/12/2008 7:51:18 PM | Computer Name = SERVER | Source = ati2mtag | ID = 45062
    Description = CRT invalid display type

    Error - 30/12/2008 8:02:36 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7034
    Description = The AVG Free8 E-mail Scanner service terminated unexpectedly. It
    has done this 1 time(s).

    Error - 30/12/2008 8:02:44 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7034
    Description = The AVG Free8 E-mail Scanner service terminated unexpectedly. It
    has done this 2 time(s).

    Error - 30/12/2008 11:08:13 PM | Computer Name = SERVER | Source = Service Control Manager | ID = 7000
    Description = The Ventrilo service failed to start due to the following error: %%2

    Error - 30/12/2008 11:08:28 PM | Computer Name = SERVER | Source = ati2mtag | ID = 45062
    Description = CRT invalid display type

    Error - 30/12/2008 11:08:28 PM | Computer Name = SERVER | Source = ati2mtag | ID = 45062
    Description = CRT invalid display type


    < End of report >
