W32.IRCbot.Gen removal problem then cannot reboot my computer normally

GUMPY

New member
hey guys, my Symantec Antivirus detected this trojan (W32.IRCbot.Gen) in my WindowsXP\System32. I followed instructions laid down by Norton:
1) Turn off Systems Restore
2) Update my NAV
3) Do a full scan
I scanned with NAV, Spybot and Malwarebytes but was unable to remove the virus.
Hence, I shut down my computer and tried to go through step 3) via Safe Mode. Same problem, but this time much worse, because now when my computer starts up there are these five options on my screen.

it says:
-Safe Mode
-Safe Mode with Networking
-Safe Mode with Command Prompt
-Last Known Good Configuration (your most recent settings that worked)
-Start Windows Normally.

I've clicked on Last Known Good Configuration or Start Windows Normally and, after several seconds where it looked like it was going to work, it just goes back to the same screen. Normal Windows can't open; however, I was able to open it via Safe Mode.

What in the world do I need to do to get my computer up and running normally again?

Please help me!
 
W32.IRCbot.Gen problem and cannot reboot computer

Hi GUMPY

Please see the forum FAQ, which details how to produce a HJT log and copy/paste it into a new topic:
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

peku006


This is my HijackThis log. Thank you for your time and effort.
Gumpy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:18 AM, on 11/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: AmsServer
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [FLV Downloader] C:\Program Files\Moyea\YouTube FLV Downloader\FLVDownloader.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: dsawxfot - C:\WINDOWS\SYSTEM32\svjfjqa.dll
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7933 bytes
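Added example (not code from the thread or from HijackThis itself): a small Python triage of HJT entry lines of the kind posted above. It flags unnamed BHOs loaded from system32, Winlogon Notify hooks, stale "(no file)" registrations, hosts-file overrides and unknown LSPs, and cross-references files registered under more than one load point (as svjfjqa.dll is in this log, under both O2 and O20). The sample lines are copied from the log above; the function names and the vowel-ratio heuristic are assumptions of this example.

```python
"""Triage of HijackThis (HJT) log entries like those posted above.

Added example, not part of the thread or of HijackThis itself: it parses the
'Oxx - ...' entry lines and applies the heuristics a forum helper applies by
eye. The sample lines are copied from the log above; the function names
(parse_entry, looks_random, triage, shared_targets) are this example's own.
"""
import re
from dataclasses import dataclass

# Entries copied from the HijackThis log posted above (raw string, backslashes as-is).
SAMPLE_LOG = r"""
O1 - Hosts: AmsServer
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: dsawxfot - C:\WINDOWS\SYSTEM32\svjfjqa.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


@dataclass
class Finding:
    section: str    # HJT section, e.g. "O2"
    severity: str   # "high", "medium" or "low"
    reason: str
    target: str     # file path, hostname or label the entry points at


def parse_entry(line):
    """Split 'O2 - BHO: name - {CLSID} - path' into (section, kind, label, clsid, target)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group("body").split(" - ")]
    kind, _, label = parts[0].partition(": ")
    clsid = next((p for p in parts[1:] if CLSID_RE.fullmatch(p)), None)
    target = parts[-1] if len(parts) > 1 else label
    return m.group("sec"), kind, label, clsid, target


def looks_random(name):
    """Crude test for generated names such as svjfjqa.dll: 6+ letters, under 25% vowels."""
    stem = name.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def triage(log_text):
    """Return the entries a helper would look at first, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        sec, kind, label, clsid, target = parsed
        dll = target.rsplit("\\", 1)[-1]
        if sec == "O1":
            # A hosts-file entry HJT does not recognise: can redirect update/AV sites.
            findings.append(Finding(sec, "medium", "hosts file override", target))
        elif sec == "O2" and target == "(no file)":
            findings.append(Finding(sec, "low", "stale BHO registration (no file)", label))
        elif sec == "O2" and label == "(no name)" and SYSTEM32_RE.match(target):
            reason = "unnamed BHO loaded from system32"
            if looks_random(dll):
                reason += ", random-looking DLL name"
            findings.append(Finding(sec, "high", reason, target))
        elif sec == "O10":
            findings.append(Finding(sec, "medium", "Winsock LSP not in HJT's list; verify publisher", target))
        elif sec == "O20":
            # Winlogon Notify DLLs load into winlogon.exe, a common persistence hook.
            sev = "high" if looks_random(dll) or looks_random(label) else "medium"
            findings.append(Finding(sec, sev, "Winlogon Notify DLL", target))
    return findings


def shared_targets(findings):
    """Files referenced from more than one load point (one DLL, several persistence hooks)."""
    by_target = {}
    for f in findings:
        by_target.setdefault(f.target.lower(), set()).add(f.section)
    return {t: sorted(s) for t, s in by_target.items() if len(s) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.section:4} {f.reason}: {f.target}")
    for path, sections in shared_targets(results).items():
        print(f"{path} is registered under {', '.join(sections)}")
```

The vowel-ratio check is only corroboration; a finding still needs the usual verification (file date, publisher, whether ComboFix or the AV later removes it) before anything is deleted.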
 
Hi GUMPY

1 - Download and Run ComboFix
We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs, see here.

When finished, it will produce a log for you.
Please include the C:\ComboFix.txt in your next reply for further review.

2 - Status Check
Please reply with:

1. the ComboFix log (C:\ComboFix.txt)

Thanks peku006
 
W32.IRCbot.Gen problem and cannot reboot computer

Dear Peku006:

Thank you very much for your help.

A few other points you should know:
1) I cannot access the internet from the computer in Safe Mode with Networking. There is something wrong with the internet access program, perhaps as part of the overall problem.
2) Therefore, I am using my second (working) computer to write to you.
3) I recently installed Daemon Tools Pro. Perhaps this may have something to do with it. It kept giving an error saying it would not run without Windows 2000 with SPTD 1.43 or higher and asks me to turn off the kernel debugger. It worked last week before my computer crashed. Could it have a virus in it, or is it an innocent victim of the trojan.vundo.h?
4) I do not have the original Windows installation disc for my computer because it was installed by the retailers when I bought my computer from them. Therefore, I will have to use a borrowed Windows XP installation disc from a friend or download a pirated one. The retailers would not give it to me.

Here is the ComboFix log (I could not download the restore console from Microsoft because the affected computer could not access the internet, as I mentioned before). Nevertheless, ComboFix completed its analysis and gave me the log. Thank you once again.

ComboFix 09-11-25.03 - Owner 11/26/2009 6:59.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.330 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sosuo.col
c:\windows\system32\clauth1.dll
c:\windows\system32\clauth2.dll
c:\windows\system32\iexp_log.txt
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\svjfjqa.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDEFKLNA
-------\Service_tdefklna


((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-25 16:08 . 2009-11-25 16:08 -------- d-----w- c:\program files\Trend Micro
2009-11-25 16:07 . 2009-11-25 16:08 -------- d-----w- c:\program files\ERUNT
2009-11-23 16:42 . 2009-11-23 16:42 -------- d-----w- c:\program files\NETVIGATOR
2009-11-23 16:42 . 2000-12-08 13:59 122880 ----a-w- c:\windows\UnGins.exe
2009-11-23 16:42 . 2009-11-23 16:42 -------- d-----w- C:\Temp
2009-11-23 15:59 . 2009-11-23 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-11-23 15:59 . 2009-11-23 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-11-22 10:01 . 2009-11-22 10:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-20 14:41 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 14:41 . 2009-11-20 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-20 14:41 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 11:39 . 2009-11-20 11:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-20 11:12 . 2009-11-20 11:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-11-20 11:12 . 2009-11-20 11:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-19 23:32 . 2007-10-17 16:16 79688 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-11-19 23:32 . 2007-10-17 16:16 29000 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-11-19 23:32 . 2007-10-17 16:15 62280 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-11-19 23:32 . 2007-10-17 16:14 41288 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-11-19 23:32 . 2009-11-19 23:32 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-11-19 23:32 . 2005-09-23 00:29 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-11-19 13:51 . 2009-11-19 13:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-19 13:50 . 2009-11-19 13:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2009-11-19 13:32 . 2009-11-25 22:53 -------- d-----w- c:\program files\Spyware Doctor
2009-11-19 13:31 . 2009-11-19 14:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-19 13:00 . 2009-11-19 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-19 13:00 . 2009-11-19 13:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-11-19 13:00 . 2009-11-19 13:00 -------- d-----w- c:\program files\Yahoo!
2009-11-14 16:56 . 2009-11-14 17:00 -------- d-----w- c:\program files\SPSSEval
2009-11-12 13:38 . 2008-05-02 02:41 3493888 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2009-11-11 12:03 . 2009-11-11 12:03 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2009-11-11 11:54 . 2009-11-11 11:54 -------- d-----w- c:\program files\Sierra Online
2009-11-09 09:53 . 2009-11-09 09:53 -------- d-----w- c:\program files\Ubisoft
2009-11-05 22:56 . 2009-11-05 22:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Sports Interactive
2009-11-05 22:46 . 2009-11-05 22:46 -------- d-----w- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 22:54 . 2008-10-16 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-11-20 12:36 . 2008-11-05 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-20 00:13 . 2008-10-16 23:09 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-19 13:00 . 2008-10-16 22:40 -------- d-----w- c:\program files\CCleaner
2009-11-19 09:56 . 2008-11-05 16:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-17 05:25 . 2008-10-14 23:00 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-14 17:11 . 2008-10-14 22:19 30784 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 12:15 . 2008-10-14 22:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 12:03 . 2009-10-14 14:12 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-26 13:37 . 2009-09-28 23:33 -------- d-----w- c:\program files\GameSpy Arcade
2009-10-26 06:17 . 2009-10-24 06:01 -------- d-----w- c:\program files\Temporary Game file
2009-10-25 17:17 . 2009-10-24 22:57 -------- d-----w- c:\program files\Zombie Shooter
2009-10-24 22:56 . 2009-10-24 22:56 -------- d-----w- c:\program files\ReflexiveArcade
2009-10-24 13:56 . 2009-10-24 13:52 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-10-24 13:56 . 2009-10-24 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-10-24 13:55 . 2009-10-24 13:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Pro
2009-10-17 05:06 . 2008-10-26 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-17 04:00 . 2009-10-17 04:00 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-17 03:27 . 2009-10-17 03:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-17 01:10 . 2009-10-17 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-10-17 01:10 . 2009-10-16 16:32 -------- d-----w- c:\program files\Electronic Arts
2009-10-16 16:32 . 2009-10-16 16:32 662 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-10-16 16:32 . 2008-10-14 22:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-16 14:32 . 2009-10-16 14:32 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-10-16 14:27 . 2009-10-16 14:27 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-10-14 13:19 . 2009-07-06 12:59 -------- d-----w- c:\program files\MagicISO
2009-10-14 13:19 . 2009-10-14 13:19 3067375 ----a-w- c:\program files\Setup_MagicISO.exe
2009-10-14 13:08 . 2009-10-14 13:08 -------- d-----w- c:\program files\MagicDisc
2009-10-14 13:08 . 2009-10-14 13:08 1352435 ----a-w- c:\program files\setup_magicdisc.exe
2009-10-05 07:42 . 2008-10-14 22:39 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-05 07:38 . 2009-10-05 07:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-05 07:34 . 2009-10-05 07:34 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-09-28 23:26 . 2009-09-28 23:23 -------- d-----w- c:\program files\Halo
2009-09-28 15:26 . 2009-09-28 15:26 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2008-07-19 22:08 . 2008-10-16 22:40 266544 ----a-w- c:\program files\uTorrent.exe
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 18:13 . 2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 . 2009-09-15 15:05 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47 . 2009-09-15 15:05 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-15 15:05 216064 --sh--r- c:\windows\system32\nbDX.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Shareaza"="c:\program files\Shareaza\Shareaza.exe" [2008-10-01 5723136]
"FLV Downloader"="c:\program files\Moyea\YouTube FLV Downloader\FLVDownloader.exe" [2009-05-27 3644928]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-12-14 413696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-14 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDAudBus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?駤e???d g??▊?tr?l???!!! !!! !]"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Funshion Online\\Funshion\\Funshion.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\AVIXE pen drive2 stuff\\TuDienHND\\3rdparty\\jre\\bin\\jre.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:shareaza

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/28/2009 11:26 PM 685816]
S1 jqi0d17;jqi0d17;c:\windows\system32\drivers\jqi0d17.sys --> c:\windows\system32\drivers\jqi0d17.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/13/2004 6:18 AM 169192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [11/20/2009 7:32 AM 311112]
SUnknown AppToService_TuDienHND;AppToService_TuDienHND; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hk.yahoo.com/?p=us
IE: 妏蚚厙珜捃濘狟婥
IE: 妏蚚厙珜捃濘狟婥窒蟈諉
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
.
- - - - ORPHANS REMOVED - - - -

BHO-{F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll
SafeBoot-drmkaud
SafeBoot-AudioEndpointBuilder
SafeBoot-HdAudAddService
SafeBoot-MMCSS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 07:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8231F2F6]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8586f28
\Driver\ACPI -> ACPI.sys @ 0xf83f7cb8
\Driver\atapi -> atapi.sys @ 0xf8389852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf8295bb0
PacketIndicateHandler -> NDIS.sys @ 0xf82a2a21
SendHandler -> NDIS.sys @ 0xf828087b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppToService_TuDienHND]
"ImagePath"="c:\documents and settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe /sys \"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND/3rdparty/jre/bin/jrew.exe\" /Arguments:\"-mx64m -cp vietdict.jar vietdict.server.vietdictserver\" /Directory:\"c:/documents and settings/owner/my documents/avixe pen drive2 stuff/tudienhnd\" /Name:\"tudienhnd\" /Startup:A"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-507921405-179605362-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bf,61,9c,87,c7,11,f9,a3,3d,3a,b8,09,f4,ba,38,70,93,f8,3b,56,bb,78,30,
ae,94,f6,6f,9a,93,9a,c4,bf,d2,f6,37,ec,4e,59,19,69,b8,c8,c2,4c,02,0f,44,1b,\
"??"=hex:6a,d4,43,5c,8e,72,8a,6a,02,82,58,4c,bd,6d,7e,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
.
Completion time: 2009-11-26 07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 23:56

Pre-Run: 45,339,598,848 bytes free
Post-Run: 45,275,926,528 bytes free

- - End Of File - - 3751DF7ADCFEAA44EAFD3DC99392B84B
 
Hi GUMPY

Have you tried manually restoring the internet connection? (See the bottom of the page.)

For your "2000 with SPTD 1.43 problem", read this.

"download a pirated one" :nono: not recommended

  • Please download TDSSKiller.rar and save it to your desktop.
  • Extract the rar file to your desktop.
  • Double click on TDSSKiller.exe to run it.
  • When it has finished, press any key to continue.
  • If needed reboot the computer.

Go to Start => Run and copy/paste the following line and click OK.

cmd /c mbr.exe -t >log.txt&start log.txt

A log file opens. Please post the content to your reply.

peku006
 
W32.IRCbot.Gen problem and cannot reboot computer

Dear Peku006:

1) About internet:
I tried your suggestions and followed the steps for manually connecting to the internet, with repairs etc., but it didn't work. I got this error message:

"Cannot load remote access connection manager service. Error 711: a configuration error on this computer is preventing the connection"

2) About the SPDT.sys problem. I deleted the C:\Windows\System32\SPDT.sys file. I was not able to locate any other SPDT...sys files in the registry, although I'm not sure how to look for it in that registry jungle.

3) The TDSSKiller.log file is as follows:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8231C2F6]<<
kernel: MBR read successfully
user & kernel MBR OK

Thank you very much once again. :)
Sincerely,
Gumpy
 
Generally problem solved

Dear Peku006:

I really have to thank you because, whatever you did during the diagnostic phase of your help, my computer could boot back into normal Windows.

I think the culprit was Daemon Tools' SPTD.sys file, which prevented normal activation of Windows when I restarted my computer; strangely, it only allowed me to enter Safe Mode. However, I was not able to connect to the internet via Safe Mode with Networking.

My computer isn't the same as it used to be, though. Now there are 2 internet connection icons at the bottom right of my taskbar when I connect to the internet (the twin computer monitor icon which comes up when one is connected to the internet, with the 2 tiny blue screens).

System restore was already automatically enabled when I restarted successfully in Windows mode.

The biggest change I noticed was that my computer was running pretty slowly. Also, the "switch off kernel debugger" message related to SPTD.sys was still appearing because I had not disabled Daemon Tools at startup, so I went and disabled it. I ran the malware scan again and found no more viruses.

I am very very happy. Do you suggest any further action?

Sincerely
Gumpy
 
Hi Gumpy

For general slowness, see here.

Can you get to the internet now?

We can search for SPDT.sys registry entries by doing the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    SPDT.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

peku006
 
W32.IRCbot.Gen problem and cannot reboot computer

Dear Peku006:
Thank you once again.
Yes, I can access the net thanks to you.

Something new occurs each time I reboot and restart Windows; it now displays a logon screen asking for a password before Windows will open. Before the crash, Windows opened automatically without any need for a logon password. Anyway, it is not a big problem because the default is no password, so luckily I just press Enter and the computer accepts it. How do I revert back to the previous state?

Another thing which changed is that whenever I press Ctrl+Alt+Del to bring up Task Manager, it switches to a grey control panel of options where I have to select Task Manager, whereas before the crash it automatically entered Task Manager without the need to select that option. I know other computers normally do that. How do I revert back to the old way?

I performed the SystemLook scan and it found nothing, so it must be clean:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 07:58 on 27/11/2009 by Owner (Administrator - Elevation successful)

========== regfind ==========

Searching for "SPDT.sys"
No data found.

-=End Of File=-

Well I learned valuable lessons this time. In the future I will 1) never turn off system restore without obtaining an expert opinion from you and 2) search forums for any problems with programs such as daemon tools BEFORE I install it.
Gumpy
 
Hi Gumpy

Those problems of yours do not appear to be due to malware; we clean your computer first and then deal with the other problems :yes:

1 - Clean temp files

  • Please download TFC to your desktop
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click Yes to reboot.

NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go here, then click on: [image: EOLS1.gif]
  • Select the option YES, I accept the Terms of Use, then click on: [image: EOLS2.gif]
  • When prompted, allow the Add-On/ActiveX control to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image: EOLS3.gif]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: [image: EOLS4.gif]
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006
 
Status Check

Dear Peku006:

Here is the info you requested; it seems there are viruses which ESET was able to detect but not my other malware program or Norton AV:

1. the Eset online scanner report


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b8d99be4b0c0134188afb1288150b96a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-28 09:42:51
# local_time=2009-11-28 05:42:51 (+0800, China Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 221526 221526 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=53011
# found=4
# cleaned=0
# scan_time=14517
C:\Program Files\0FF6FB7D\Thunder.exe Win32/TrojanDropper.Delf.NMX trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\svjfjqa.dll.vir a variant of Win32/Kryptik.BDF trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\qestlkdp.dll a variant of Win32/Kryptik.BDF trojan 00000000000000000000000000000000 I
${Memory} a variant of Win32/Kryptik.BDF trojan 00000000000000000000000000000000 I


2. a fresh HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:40 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jrew.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9C50A9AF-1506-44A1-958A-873DA3977D0C} - c:\windows\system32\ldjvdsm.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3E8348-D9F6-42BF-A07B-C98609F62123}: NameServer = 203.198.23.208 205.252.144.126
O20 - Winlogon Notify: dsawxfot - C:\WINDOWS\SYSTEM32\ldjvdsm.dll
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8492 bytes


Thank you once again.
Gumpy
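A small triage helper for entries in a HijackThis log like the one posted above, as an added example (not code from this thread, from HijackThis or from its author); the severity rules are this example's own assumptions, and the sample entries are constructed from lines that appear in the posted log:

```python
"""Triage helper for HijackThis v2 log entries.

Added example, not part of the forum thread and not HijackThis code. It
encodes the checks the helper applied by eye to the posted log: unnamed
BHOs that still have a file on disk, Winlogon Notify packages, orphaned
registrations, unknown Winsock LSPs and hard-coded name servers. The
severity ranking below is this example's own assumption.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O2"
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


# Every entry looks like "<section> - <body>", e.g. "O2 - BHO: ..." or "R0 - HKCU\..."
_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
_ORPHAN_MARKERS = ("(no file)", "(file missing)")
_RANK = {"high": 0, "medium": 1, "low": 2}


def _is_orphan(body: str) -> bool:
    """True when HijackThis reports the registered binary as absent from disk."""
    return body.rstrip().endswith(_ORPHAN_MARKERS)


def name_servers(line: str) -> List[str]:
    """Return the DNS servers listed in an O17 NameServer entry (empty if none)."""
    m = re.search(r"NameServer = (?P<servers>[\d. ,]+)$", line.strip())
    if not m:
        return []
    return m.group("servers").replace(",", " ").split()


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means not an entry, or nothing to review."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2":  # Browser Helper Objects, loaded into every Internet Explorer process
        if _is_orphan(body):
            return Finding(sec, "low", "orphaned BHO registration, file already gone; "
                           "clean up the CLSID", line)
        if body.startswith("BHO: (no name)"):
            return Finding(sec, "high", "unnamed BHO with a file still on disk; "
                           "loads into every Internet Explorer process", line)
        return None
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        severity = "low" if _is_orphan(body) else "high"
        return Finding(sec, severity, "Winlogon Notify package: loaded by winlogon.exe "
                       "at every logon; verify the DLL's publisher", line)
    if sec == "O23" and _is_orphan(body):
        return Finding(sec, "low", "service whose binary is missing; remove the stale "
                       "service registration", line)
    if sec == "O10":  # Winsock Layered Service Providers
        return Finding(sec, "medium", "LSP not recognised by HijackThis; verify it before "
                       "removing, a broken LSP chain disables networking", line)
    if sec == "O17":  # hard-coded DNS servers
        servers = ", ".join(name_servers(line))
        return Finding(sec, "medium", "static name servers %s: confirm they belong to "
                       "the ISP rather than to an attacker" % servers, line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log; most severe first, log order within a rank."""
    findings = [f for f in map(triage_line, text.splitlines()) if f]
    return sorted(findings, key=lambda f: _RANK[f.severity])  # sorted() is stable


# Constructed sample: entries taken from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3E8348-D9F6-42BF-A07B-C98609F62123}: NameServer = 203.198.23.208 205.252.144.126
O20 - Winlogon Notify: dsawxfot - C:\WINDOWS\SYSTEM32\ldjvdsm.dll
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("[%-6s] %s: %s" % (f.severity, f.section, f.reason))
        print("         " + f.line.strip())
```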
 
Hi GUMPY

I'd like you to check some files for viruses.
C:\Program Files\0FF6FB7D\Thunder.exe
C:\WINDOWS\system32\qestlkdp.dll
  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please

Thanks peku006
 
Trojans

Dear Peku006:

Scans done using Jotti's for C:\Program Files\0FF6FB7D\Thunder.exe

Scanners
2009-11-27 Found nothing 2009-11-28 Found nothing
2009-11-28 Trojan-Dropper.Delf!IK 2009-11-28 Trojan-Dropper.Delf
2009-11-28 Win32:Trojan-gen 2009-11-28 Found nothing
2009-11-28 Found nothing 2009-11-28 Win32/TrojanDropper.Delf.NMX
2009-11-27 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-27 Found nothing
2009-11-28 Trojan.Bifrose-8757 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-28 Found nothing
2009-11-28 Found nothing 2009-11-27 Found nothing
2009-11-27 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing

And for C:\WINDOWS\system32\qestlkdp.dll

Scanners
2009-11-27 Found nothing 2009-11-28 Found nothing
2009-11-28 Trojan-Spy.Win32.BZub!IK 2009-11-28 Trojan-Spy.Win32.BZub
2009-11-28 Found nothing 2009-11-28 Found nothing
2009-11-28 Win32/Heur 2009-11-28 Win32/Kryptik.BDF
2009-11-27 TR/Crypt.XPACK.Gen 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing 2009-11-28 Mal/BHO-C
2009-11-28 Trojan.Packed.196 2009-11-27 Found nothing
2009-11-27 Found nothing 2009-11-27 Found nothing
2009-11-28 Found nothing



Seems like I've got trojans and other viruses.

Thank you once again.
Sincerely,
Gumpy
 
Hi GUMPY

Download and run OTM

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the [image: pasteline.png] area. Do not include the word Code.
    Code:
    :Files
    C:\Program Files\0FF6FB7D\Thunder.exe
    C:\WINDOWS\system32\qestlkdp.dll
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large [image: btnmoveit.png] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

How's the computer running now? What kind of problems do you have?

Thanks peku006
 
Dear Peku006:

Thank you for your help.
Here is the log after moving the files.

========== FILES ==========
C:\Program Files\0FF6FB7D\Thunder.exe moved successfully.
File/Folder C:\WINDOWS\system32\qestlkdp.dll not found.

OTM by OldTimer - Version 3.1.2.0 log created on 11292009_012601

The main problems:
1. Slow running speed of computer.
2. How to get rid of logon for windows pane whenever I start my computer or reboot?

Thank you
Sincerely
Gumpy
 
Hi Gumpy

How to turn on automatic logon in Windows XP

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Security Check
Please download Security Check ... by screen317. Save it to your desktop.
Alternate download site: Link 2
  1. Double click the SecurityCheck.exe icon to begin.
  2. Press the Space Bar when you see the "press any key to continue..." message.
    A Notepad results file will open automatically called checkup.txt
  3. Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
  4. Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006
 
Slow

Dear Peku006:

Thank you for your advice. I have installed and run StartupLite. Will reboot later to see if the speed picks up.
I'll try to follow the instructions to switch off the logon, or at least make it log on automatically on startup.

Here is the checkup.txt file

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec AntiVirus
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Spyware Doctor 5.1
Spybot - Search & Destroy
CCleaner
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1.3
Adobe Reader Chinese Traditional Fonts
``````````````````````````````
Process Check:
objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````


Thank you
Sincerely
Gumpy

Here is the
 
Hi GUMPY

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 17
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u17-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Please reply with

a fresh HijackThis log

How's the computer running now?

Thanks peku006
 
Follow up on W32.IRCbot.Gen

Dear Peku006:
Sorry for my delayed reply. I have been busy at work.

I upgraded my Java to the 17th version.

Also tried your recommendations for editing the registry to enable autologon at the start of Windows, but it only worked once; then on the 3rd startup, it asked for a logon again. Why?

Anyway, I've done another Hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:36 AM, on 12/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\jre\bin\jrew.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hk.yahoo.com/?p=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {000009D5-2161-4196-9F87-D1FEFBDE1CAf} - C:\WINDOWS\system32\qestlkdp.dll (file missing)
O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9C50A9AF-1506-44A1-958A-873DA3977D0C} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F92CCA65-3301-4C6B-88B5-95ED581FF3DA} - c:\windows\system32\svjfjqa.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3E8348-D9F6-42BF-A07B-C98609F62123}: NameServer = 203.198.23.208 205.252.144.126
O20 - Winlogon Notify: dsawxfot - svjfjqa.dll (file missing)
O23 - Service: tdict.server.VietdictServer" /Directory:"C:/Documents and Settings/Owner/My Documents/AVIXE pen drive2 stuff/TuDienHND" /Name:"TuDienHND" /Startup:A (AppToService_TuDienHND) - Basta Computing - C:\Documents and Settings\Owner\My Documents\AVIXE pen drive2 stuff\TuDienHND\3rdparty\basta\AppToService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7954 bytes


The computer is running more smoothly now thanks to your help.

Sincerely
Gumpy
 