Hijack This Log

I want to improve the performance of my PC and wanted to post my Hijack this log to see if there where any major issues that stood out? The problem is when I hit save log file after doing a HJT scan I cant seem to find the location it is saving the log file? I tried looking to see if i change the default drive but can seem to find that either? If some on can help me with this I would appreciate it so I can post my log in this thread, thanks in advance.

Comments

  • Dear chi-chi,


    Please check the following locations: my documents folder or on your desktop. If not there check Trend Micro subfolder that you will find in the Program Files folder more specificly in the Hijack This subfolder.


    Best regards


    Niels

  • Please download this http://students.info.uaic.ro/~daniel.chipi...BDAspySetup.exe and install it. Then you can make a decent startup list from the "SysLog" tab. The path to the log is mentioned in the "Path to log file" textbox.


    Good luck. ;)

  • I hae checked there and even did an unhide of folders its not in any of those locations?? Is there a way within the program to just specify where i want to save my log file and if so how? cus i cant seem to find it. or do u suggest uninstalling the program and reinstaling it? thanks in advance

  • Niels
    Niels
    edited March 2008

    Dear chi-chi


    You can speed up your pc performance by disabling unecessary startup items. You can do it by using the windows build in tools. You can find some startup items when you do this go to start,run,now type msconfig press enter. Go to the latest tab which is called start up (boot). There you will find some of the programs that start together with windows. To see if an item is really necessary you can enter the processname on this website. Just enter the name that you will find under the item for startup (boot) in the msconfig utility into the search box of the link I gave to you. Check also start,(all) programs,startup (boot). And the registry go to start,run,type regedit press enter. Open the following registry key hkey_local_machine and the following folders and subfolders: software,microsoft,windows,currentversion,run the startup items are being displayed at the right side. Here you have to delete them. Once you save another hijackthis logfile use than the save as function and choose your desired location. Is there any Trend Micro folder present? Which hijack this version do you currently have is v2.0.2 or still the older v1.99.1 ? But make also a log as Daniel suggested you to do.


    A warning: You have to read the description because sometimes the location of the startup process is important to see if it's a legit one or not.


    Best regards


    Niels

  • I want to improve the performance of my PC and wanted to post my Hijack this log to see if there where any major issues that stood out? The problem is when I hit save log file after doing a HJT scan I cant seem to find the location it is saving the log file? I tried looking to see if i change the default drive but can seem to find that either? If some on can help me with this I would appreciate it so I can post my log in this thread, thanks in advance.


    chi-chi,


    you can speedup your PC, if the slowness is not malware related, by following steps:


    1. Empty your IE an FF cache on a regular basis.


    2. Empty all the Temp folders.


    ( both 1 and 2 with ATF cleaner you have already downloaded, or CCleaner).


    3. Remove unnecessary startup items using Hijackthis, Spybot or other programs handling startup items.


    4. Defragment your c drive.


    3. Remove all old restore points and make a clean restore point, you know already how in the other topic.


    To search for the hijackthis log:


    Go to start-search-click all files and folders.


    Type the name of the file (hijackthislog.txt) in the upper box and click on search.


    If you can't find hijackthislog.txt you have to download and install the hijackthis installer, you already know how.

  • The name of the file is hijacktis.log. And if you have installed it correctly it should be here: C:\program files\trend micro\hijackthis\hijackthis.log


    If not uninstall it and reinstall the hijackthis installer.

  • Please download this http://students.info.uaic.ro/~daniel.chipi...BDAspySetup.exe and install it. Then you can make a decent startup list from the "SysLog" tab. The path to the log is mentioned in the "Path to log file" textbox.


    Good luck. ;)


    <<The path to the log is mentioned in the "Path to log file" textbox>>. Next to the "Browse" button you can see the path. You can use the "Browse" option to select where to save the log. Please give me the log.

  • <<The path to the log is mentioned in the "Path to log file" textbox>>. Next to the "Browse" button you can see the path. You can use the "Browse" option to select where to save the log. Please give me the log.


    How do i get you a copy of the log for this? I have the file saved. and when i hit browse to upload an attachment in this message nothing happens.

  • The name of the file is hijacktis.log. And if you have installed it correctly it should be here: C:\program files\trend micro\hijackthis\hijackthis.log


    If not uninstall it and reinstall the hijackthis installer.


    I did a search for the file and windows found nothing, I also removed and re downloaded the program and still I can not fing the HJT log?? is it because of how or where I am downloading it from?

  • I did a search for the file and windows found nothing, I also removed and re downloaded the program and still I can not fing the HJT log?? is it because of how or where I am downloading it from?


    Please uninstall/remove your Hijackthis.


    Click here to download HijackThis Installer.


    Save HJTInstall.exe to your Desktop.


    Double click on the HJTInstall.exe icon to start the program.


    By default it will install to C:\Program Files\Trend Micro\HijackThis.


    After the final dialogue box it will launch HijackThis.


    Click on the Do a system scan and save a logfile button. It will scan and then open ups a log. A copy will be saved on C:\ (C:\Program Files\Trend Micro\HijackThis).

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:38:17 AM, on 3/7/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe


    C:\Program Files\Microsoft IntelliPoint\point32.exe


    C:\WINDOWS\system32\Rundll32.exe


    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    C:\Program Files\Microsoft IntelliPoint\point32 .exe


    C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol .exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe


    C:\WINDOWS\System32\CTsvcCDA.EXE


    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.148:8080


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"


    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto


    O4 - HKLM\..\Run: [bMa34f57ea] Rundll32.exe "C:\WINDOWS\system32\dnqekuhx.dll",s


    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?


    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm


    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm


    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166675633328


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166985398326


    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --


    End of file - 6870 bytes

  • Hi chi-chi,


    I am going to assist you to clean the infection.


    It seems you have got Vundo on this computer too. And it is of no surprise to me since you are missing one important program on that computer: An antivirus.


    This is somewhat suicidal in today's digital world.

    1. You need to install an antivirus program as soon as you can and run a complete scan of the computer:


      Install it, update it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

    2. Copy and paste the AV scan log and a fresh HJT log into tour reply.
  • Scan Log


    Version of virus signature database: 2888 (20080220)


    Date: 3/7/2008 Time: 1:44:13 PM


    Scanned disks, folders and files: Operating memory;A:\Boot sector;A:\;C:\Boot sector;C:\;D:\Boot sector;D:\;E:\Boot sector;E:\;F:\Boot sector;F:\


    Boot sector of disk A: - error opening [4]


    A:\ - error opening [4]


    C:\hiberfil.sys - error opening [4]


    C:\pagefile.sys - error opening [4]


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\AIMinst.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\AIMLang.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\alsetup.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\instopts.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\muinst.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\tbsetup.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\toolbar.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\vwpt.exe » NSIS - error - unknown compression method


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4144.0.4\tbsetup.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4144.0.4\unagi3.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4144.0.4\Vwpt.exe » NSIS - error - unknown compression method


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4220.0.4\AIMinst.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4220.0.4\AIMLang.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4220.0.4\alsetup.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4220.0.4\ocpinst.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4220.0.4\tbsetup.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4220.0.4\unagi3.exe » NSIS - bad archive


    C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4220.0.4\vwpt.exe » NSIS - error - unknown compression method


    C:\Documents and Settings\Chief\NTUSER.DAT - error opening [4]


    C:\Documents and Settings\Chief\ntuser.dat.LOG - error opening [4]


    C:\Documents and Settings\Chief\Application Data\Mozilla\Firefox\Profiles\n315to4v.default\extensions\{A8F3D9BA-BB14-4f74-8272-6DE41489C89A}\chrome.manifest » MIME - is OK (internal scanning not performed)


    C:\Documents and Settings\Chief\Local Settings\Application Data\Identities\{C470B9B1-8B76-4C3F-A159-9713FC3B5729}\Microsoft\Outlook Express\Inbox.dbx » DBX - is OK (internal scanning not performed)


    C:\Documents and Settings\Chief\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]


    C:\Documents and Settings\Chief\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]


    C:\Documents and Settings\Chief\Local Settings\Temp\RCXA9.tmp - Win32/TrojanDropper.Agent.DGO virus - cleaned - quarantined


    C:\Documents and Settings\Chief\Local Settings\Temp\RCXAC.tmp - Win32/TrojanDropper.Agent.DGO virus - cleaned - quarantined


    C:\Documents and Settings\Chief\Local Settings\Temp\RCXAF.tmp - Win32/TrojanDropper.Agent.DGO virus - cleaned - quarantined


    C:\Documents and Settings\Chief\Local Settings\Temp\TMPE9.tmp - Win32/TrojanDropper.Agent.DGO virus - internal error


    C:\Documents and Settings\Chief\Local Settings\Temp\TMPF1.tmp - Win32/TrojanDropper.Agent.DGO virus - internal error


    C:\Documents and Settings\Chief\Local Settings\Temp\TMPF6.tmp - Win32/TrojanDropper.Agent.DGO virus - internal error


    C:\Documents and Settings\LocalService\NTUSER.DAT - error opening [4]


    C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening [4]


    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]


    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]


    C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening [4]


    C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening [4]


    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]


    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]


    C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » PROCESS_LIBRARY.FDT » MIME - is OK (internal scanning not performed)


    C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » HIRING_REQUISITION_CUSTOMIZED.FDT » MIME - is OK (internal scanning not performed)


    C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » HARDWARE_TRACKER.FDT » MIME - is OK (internal scanning not performed)


    C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » HIRING_REQUISITION.FDT » MIME - is OK (internal scanning not performed)


    C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » CUSTOMER_SUPPORT.FDT » MIME - is OK (internal scanning not performed)


    C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » TRACK_ISSUES.FDT » MIME - is OK (internal scanning not performed)


    C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » STATUS_REPORT.FDT » MIME - is OK (internal scanning not performed)


    C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » POLICIES.FDT » MIME - is OK (internal scanning not performed)


    C:\Program Files\Ahead\NeroVision\NeroFiles\CDI\CDI_VCD.CFG » MIME - is OK (internal scanning not performed)


    C:\Program Files\AIM6\uninst.exe » NSIS - bad archive


    C:\Program Files\AIM6\uninstall.exe » NSIS - bad archive


    C:\Program Files\Common Files\Adobe\ESD\uninst.exe » NSIS - bad archive


    C:\Program Files\Common Files\AOL\AOLDiag\tbunins.exe » NSIS - bad archive


    C:\Program Files\Common Files\AOL\Loader\alunins.exe » NSIS - bad archive


    C:\Program Files\Microsoft CAPICOM 2.1.0.2\License\license.mht » MIME - is OK (internal scanning not performed)


    C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Customer Support.fdt » MIME - is OK (internal scanning not performed)


    C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt » MIME - is OK (internal scanning not performed)


    C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition - Customized.fdt » MIME - is OK (internal scanning not performed)


    C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt » MIME - is OK (internal scanning not performed)


    C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT » MIME - is OK (internal scanning not performed)


    C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Process Library.fdt » MIME - is OK (internal scanning not performed)


    C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt » MIME - is OK (internal scanning not performed)


    C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt » MIME - is OK (internal scanning not performed)


    C:\Program Files\Mozilla Firefox\chrome\browser.manifest » MIME - is OK (internal scanning not performed)


    C:\Program Files\Mozilla Firefox\chrome\comm.manifest » MIME - is OK (internal scanning not performed)


    C:\Program Files\Mozilla Firefox\chrome\pippki.manifest » MIME - is OK (internal scanning not performed)


    C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest » MIME - is OK (internal scanning not performed)


    C:\Program Files\Nero\Nero 7\Core\CDI\CDI_VCD.CFG » MIME - is OK (internal scanning not performed)


    C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img » GZIP » - archive damaged


    C:\Program Files\Orb Networks\OrbThis extension for Firefox\OrbThis.xpi » ZIP » chrome.manifest » MIME - is OK (internal scanning not performed)


    C:\Program Files\palmOne\Chief\Addit\BFUploads\UploadLog.txt » MIME - is OK (internal scanning not performed)


    C:\Program Files\palmOne\Chief\Backup\Messages_Database.PDB » MIME - is OK (internal scanning not performed)


    C:\Program Files\Spybot - Search & Destroy\HNMKJDYYKUQFKBSYL.scr - Win32/TrojanDropper.Agent.DGO virus - cleaned - quarantined


    C:\WINDOWS\mrofinu72.exe - Win32/TrojanDownloader.Agent.BLS trojan - cleaned by deleting - quarantined [1]


    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe - Win32/TrojanDropper.Agent.DGO virus - cleaned - quarantined


    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe.tmp - Win32/TrojanDropper.Agent.DGO virus - cleaned - quarantined


    C:\WINDOWS\SoftwareDistribution\EventCache\{47CA60B0-FDE1-4BC7-BDE3-C7A0F88C32FE}.bin - error opening [4]


    C:\WINDOWS\system32\ctfmon.exe.tmp - Win32/TrojanDropper.Agent.DGO virus - cleaned - quarantined


    C:\WINDOWS\system32\L4E3A.tmp » NSIS » Yazzle1552OinAdmin.exe - probably a variant of Win32/TrojanDownloader.PurityScan trojan - was a part of the deleted object


    C:\WINDOWS\system32\L6EB2.tmp » NSIS » QdrModule12.exe - Win32/Adware.ISM application - was a part of the deleted object


    C:\WINDOWS\system32\CatRoot2\edb.log - error opening [4]


    C:\WINDOWS\system32\CatRoot2\tmp.edb - error opening [4]


    C:\WINDOWS\system32\config\default - error opening [4]


    C:\WINDOWS\system32\config\default.LOG - error opening [4]


    C:\WINDOWS\system32\config\SAM - error opening [4]


    C:\WINDOWS\system32\config\SAM.LOG - error opening [4]


    C:\WINDOWS\system32\config\SECURITY - error opening [4]


    C:\WINDOWS\system32\config\SECURITY.LOG - error opening [4]


    C:\WINDOWS\system32\config\software - error opening [4]


    C:\WINDOWS\system32\config\software.LOG - error opening [4]


    C:\WINDOWS\system32\config\system - error opening [4]


    C:\WINDOWS\system32\config\system.LOG - error opening [4]


    D:\ - error opening [4]


    E:\ - error opening [4]


    F:\Downloads\NOD32.3.0.642.Antivirus.Smart.Security.FiX.1.2.[31.days.remaining.forever.2


    50].by.TemDono.rar » RAR » Scanner.Virus.ORG - Malware Scanning Service.mht » MIME - is OK (internal scanning not performed)


    F:\Downloads\Alpha.Dog.TS.XViD-mVs-17-01-07-pass\mvs-dog-.rar » RAR » mvs-dog-.avi - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)0-=RapGodFathers.com=- Daily Updated Hip-Hop News & Downloads - Home.url - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)0-=read1st=-.txt - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)0-list-RGF.m3u - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)0-maroon_5-it_wont_be_soon_before_long-2007-RGF.nfo - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)0-Maroon_5-It_Wont_Be_Soon_Before_Long-Cover-(RapGodFathers.com).jpg - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)1-Maroon_5-If_I_Never_See_Your_Face_Again-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)2-Maroon_5-Makes_Me_Wonder-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)3-Maroon_5-Little_Of_Your_Time-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)4-Maroon_5-Wake_Up_Call-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)5-Maroon_5-Won't_Go_Home_Without_You-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)6-Maroon_5-Nothing_Lasts_Forever-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)7-Maroon_5-Can't_Stop-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)8-Maroon_5-Goodnight_Goodnight-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)9-Maroon_5-Not_Falling_Apart-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)\10-Maroon_5-Kiwi-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)\11-Maroon_5-Better_That_We_Break-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)\12-Maroon_5-Back_At_Your_Door-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\Audio\Maroon_5-It_Wont_Be_Soon_Before_Long-_RapGodFathers.com_.rar » RAR » Maroon_5-It_Wont_Be_Soon_Before_Long-(RapGodFathers.com)\13-Maroon_5-Infatuation_(Bonus_Track)-(RapGodFathers.com).mp3 - Incorrect file checksum (CRC); the file is probably password protected.


    F:\Downloads\National.Treasure.2.Book.of.Secrets.TS.XviD-THS.[usaBit.com]\National.Treasure.2.Book.of.Secrets.TS.XviD-THS.part01.rar » RAR » National.Treasure.2.Book.of.Secrets.TS.XviD-THS.avi - next archive volume not found


    F:\Downloads\Revolver.Directors.Cut.2005.NORDiC.PAL.DVDR-HiGHQUALiTY\hq-revolver.dc.rar » RAR » - next archive volume not found


    F:\Downloads\The.Pursuit.Of.Happyness.DVD.SCREENER.XviD-VideoCD\CD1\vcd-happyness-cd1.rar » RAR » vcd-happyness-cd1.avi - next archive volume not found


    F:\Downloads\The.Pursuit.Of.Happyness.DVD.SCREENER.XviD-VideoCD\CD2\vcd-happyness-cd2.rar » RAR » vcd-happyness-cd2.avi - next archive volume not found


    Number of scanned objects: 166921


    Number of threats found: 13


    Time of completion: 3:48:25 PM Total scanning time: 7452 sec (02:04:12)


    Notes:


    [1] Object has been deleted as it only contained the virus body.


    [4] Object cannot be opened. It may be in use by another application or operating system.


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 4:25:20 PM, on 3/7/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\WINDOWS\System32\CTsvcCDA.EXE


    C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe


    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    C:\Program Files\Microsoft IntelliPoint\point32.exe


    C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol .exe


    C:\Program Files\Microsoft IntelliPoint\point32 .exe


    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe


    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe


    C:\WINDOWS\explorer.exe


    C:\Program Files\VideoLAN\VLC\vlc.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.148:8080


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"


    O4 - HKLM\..\Run: [bMa34f57ea] Rundll32.exe "C:\WINDOWS\system32\dnqekuhx.dll",s


    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice


    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?


    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm


    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm


    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166675633328


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166985398326


    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE


    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe


    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --


    End of file - 7197 bytes

  • As you may have notice a lot is going on.

    1. Please tell me if you are using the following proxy server and you have set the proxy server yourself:


      212.138.64.148 (in Saudi Arabia).

    2. I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware or infected, so I would like you to reenable those startup entries by doing the following:


      Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program. If it asks to reboot, do not reboot.


    Now please create a new Hijackthis Log and post it as a reply.

  • I did delete some from the msconfig based on the one reply someone in this post left however I did what you informed me to do and am posting a new HTJ log. I have not set any proxy server addresses so I dont know why I have a saudi arabian mask address. I did once have a hide IP program which masked you real location but found it to be buggy so I removed it, I also recieved a few pop up when I logged on. One was a dos promt and other was an error message. None the less here is the new log.


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 11:16:39 AM, on 3/8/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\WINDOWS\System32\CTsvcCDA.EXE


    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe


    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\Rundll32.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.148:8080


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"


    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice


    O4 - HKLM\..\Run: [bMa34f57ea] Rundll32.exe "C:\WINDOWS\system32\dnqekuhx.dll",s


    O4 - HKLM\..\Run: [a07c6476] rundll32.exe "C:\WINDOWS\system32\cvhnbnsc.dll",b


    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?


    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm


    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm


    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166675633328


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166985398326


    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE


    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe


    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --


    End of file - 6902 bytes

  • Fix:


    O4 - HKLM\..\Run: [bMa34f57ea] Rundll32.exe "C:\WINDOWS\system32\dnqekuhx.dll",s


    O4 - HKLM\..\Run: [a07c6476] rundll32.exe "C:\WINDOWS\system32\cvhnbnsc.dll",b


    Thank you

  • I did delete some from the msconfig based on the one reply someone in this post left however I did what you informed me to do and am posting a new HTJ log. I have not set any proxy server addresses so I dont know why I have a saudi arabian mask address. I did once have a hide IP program which masked you real location but found it to be buggy so I removed it, I also recieved a few pop up when I logged on. One was a dos promt and other was an error message. None the less here is the new log.


    Hello chi-chi,


    The earlier posts were based on the assumption that the slowness is not malware related, and the fact is that the slowness doesn't always mean the computer is infected. It may be just related to the maintenance.


    Please read the instructions carefully and give me feedback about how it went. If you face any problem or you don't know how to do it feel free to ask before proceeding.

    1. The virus researchers may want to take a look at some files and if needed add them to BD for future detection.
      • Please set your system to show
      all files:


      Click Start, open My Computer, select the Tools menu and click Folder Options.


      Select the View Tab. Under the Hidden files and folders heading, check Show hidden files and folders.


      Uncheck: Hide file extensions for known file types


      Uncheck: Hide protected operating system files (recommended) option.


      Click Yes to confirm.


      Please copy the files in bold:


      C:\WINDOWS\system32\ dnqekuhx.dll


      C:\WINDOWS\system32\cvhnbnsc.dll


      Archive them password protected (using .rar,7.zip, etc.).If you don't know how read this topic Virus Submission.


      The password you use should be infected.


      Upload them as attachment.


      If they are more than 2 MB you should make more than one archive file/folder.


      To attach the archive to your reply: when you press the reply, under the reply window press Browse... show the path to the file on your computer then press the green UPLOAD button.

    2. You have the program Spybot S&D (Teatimer option) running on your machine and that is good. We need to disable TeaTimer so it does not interfere with the fixes we are about to do.
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.


    3. Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:


      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.148:8080


      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


      Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


    4. Reset the LAN settings if needed:


      click start - control panel - Internet options - under connections tab - click LAN settings - all the following items should be unchecked:

      • Automatically detect settings
      • Use automatic configuration ******
      • Use a proxy server for your LAN
    5. Please copy and paste a fresh hijackthis log into your reply.
  • First here is the location of the infected file sent via yousendit http://download.yousendit.com/68EC83F909A6B354


    Second there was no such file C:\WINDOWS\system32\cvhnbnsc.dll (I even did a search for it to no avail)


    Last I got confused as to if you wanted me to upload the file here in this post but i did so anyway, thanks in advance

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 2:37:32 PM, on 3/16/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\WINDOWS\System32\CTsvcCDA.EXE


    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe


    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\system32\ctfmon .exe


    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\WINDOWS\system32\msiexec.exe


    C:\WINDOWS\explorer.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\WINDOWS\System32\msiexec.exe


    C:\WINDOWS\system32\MsiExec.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"


    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice


    O4 - HKLM\..\Run: [a07c6476] rundll32.exe "C:\WINDOWS\system32\rdaidcmo.dll",b


    O4 - HKLM\..\Run: [bMa34f57ea] Rundll32.exe "C:\WINDOWS\system32\axxdxrbc.dll",s


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?


    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm


    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm


    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166675633328


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166985398326


    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE


    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe


    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --


    End of file - 6807 bytes

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 6:51:16 AM, on 3/17/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\WINDOWS\System32\CTsvcCDA.EXE


    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    C:\Program Files\Eset\nod32krn.exe


    C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {0C70E628-6A08-4EBE-8AFD-62A56B187677} - (no file)


    O2 - BHO: (no name) - {111C9E23-A11F-41BC-A799-E908A552CFBA} - (no file)


    O2 - BHO: (no name) - {11864FF7-97C7-402C-8052-90D8FF42B4AD} - (no file)


    O2 - BHO: (no name) - {3D885D74-F0A7-41A9-A5F5-7FEB3B8AF27E} - (no file)


    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O2 - BHO: (no name) - {5611D253-D780-4344-B49E-5FA34998786E} - (no file)


    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll


    O2 - BHO: (no name) - {5FFA701D-5D8A-43C7-82AE-69367F3A4E57} - (no file)


    O2 - BHO: (no name) - {6146EE4B-8776-495F-978E-9334A478A665} - (no file)


    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\urqqrrp.dll (file missing)


    O2 - BHO: (no name) - {72084ACF-D760-479F-844A-5437BFE1EB8F} - (no file)


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O2 - BHO: {80c82c8c-19b1-f36b-4714-e8e9ab7e7ea7} - {7ae7e7ba-9e8e-4174-b63f-1b91c8c28c08} - C:\WINDOWS\system32\ajgesnop.dll


    O2 - BHO: (no name) - {7DE12190-34B8-48D6-B575-AEE175F1F8A1} - (no file)


    O2 - BHO: (no name) - {7E2C3C7D-2EB5-4ABE-9239-6311D221A80D} - (no file)


    O2 - BHO: (no name) - {D477D47D-1B42-4B94-BD42-A517B99A2510} - C:\WINDOWS\system32\geeby.dll (file missing)


    O2 - BHO: (no name) - {EE79C51C-57D0-443C-A222-D37E1C1C0902} - (no file)


    O2 - BHO: (no name) - {F95CCF6E-7D4F-4E4C-BB19-8E9B676225C1} - (no file)


    O2 - BHO: (no name) - {FF4195E7-E193-4BB5-AC7D-302C47286A72} - (no file)


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"


    O4 - HKLM\..\Run: [bDAspy] C:\Program Files\Softwin\BDAspy\BDASpy.exe


    O4 - HKLM\..\Run: [a07c6476] rundll32.exe "C:\WINDOWS\system32\mpdxvybg.dll",b


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?


    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm


    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm


    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166675633328


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166985398326


    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O20 - Winlogon Notify: urqqrrp - urqqrrp.dll (file missing)


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --


    End of file - 8360 bytes

  • Chesda
    edited March 2008

    ChiChi,


    Check and fix these:


    O2 - BHO: (no name) - {0C70E628-6A08-4EBE-8AFD-62A56B187677} - (no file)
    O2 - BHO: (no name) - {111C9E23-A11F-41BC-A799-E908A552CFBA} - (no file)
    O2 - BHO: (no name) - {11864FF7-97C7-402C-8052-90D8FF42B4AD} - (no file)
    O2 - BHO: (no name) - {3D885D74-F0A7-41A9-A5F5-7FEB3B8AF27E} - (no file)
    O2 - BHO: (no name) - {5FFA701D-5D8A-43C7-82AE-69367F3A4E57} - (no file)
    O2 - BHO: (no name) - {6146EE4B-8776-495F-978E-9334A478A665} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\urqqrrp.dll (file missing)
    O2 - BHO: (no name) - {72084ACF-D760-479F-844A-5437BFE1EB8F} - (no file)
    O2 - BHO: {80c82c8c-19b1-f36b-4714-e8e9ab7e7ea7} - {7ae7e7ba-9e8e-4174-b63f-1b91c8c28c08} - C:\WINDOWS\system32\ajgesnop.dll
    O2 - BHO: (no name) - {7DE12190-34B8-48D6-B575-AEE175F1F8A1} - (no file)
    O2 - BHO: (no name) - {7E2C3C7D-2EB5-4ABE-9239-6311D221A80D} - (no file)
    O2 - BHO: (no name) - {D477D47D-1B42-4B94-BD42-A517B99A2510} - C:\WINDOWS\system32\geeby.dll (file missing)
    O2 - BHO: (no name) - {EE79C51C-57D0-443C-A222-D37E1C1C0902} - (no file)
    O2 - BHO: (no name) - {F95CCF6E-7D4F-4E4C-BB19-8E9B676225C1} - (no file)
    O2 - BHO: (no name) - {FF4195E7-E193-4BB5-AC7D-302C47286A72} - (no file)
    O4 - HKLM\..\Run: [a07c6476] rundll32.exe "C:\WINDOWS\system32\mpdxvybg.dll",b
    O20 - Winlogon Notify: urqqrrp - urqqrrp.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    You have too many active Anti Virus running, i suggest you only use one.


    Your Yahoo Messenger has also been infected, please uninstall and reinstall it another time.

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:51:43 PM, on 3/17/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\System32\CTsvcCDA.EXE


    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    C:\Program Files\Eset\nod32krn.exe


    C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\CCleaner\ccleaner.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {5611D253-D780-4344-B49E-5FA34998786E} - (no file)


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"


    O4 - HKLM\..\Run: [bDAspy] C:\Program Files\Softwin\BDAspy\BDASpy.exe


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166675633328


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166985398326


    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --


    End of file - 6107 bytes

  • Check and fix these:


    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5611D253-D780-4344-B49E-5FA34998786E} - (no file)


    Your log seems clean, Please do a Full System Scan with any Anti-Virus product and let it disinfect what it detects.


    It would also be useful if you tell us what your systems problems.

  • My symtems include at start up a ms dos promp/****** runs with some funny letters and symbols then tells me that ctsys.vol isnt working properly and i have anothe ms dos ****** that runs. upon shut down i get another type of windows prompt as well. but here is my new log hope this helps


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 7:27:09 AM, on 3/18/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\WINDOWS\System32\CTsvcCDA.EXE


    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe


    C:\Program Files\Eset\nod32krn.exe


    C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\palmOne\Hotsync.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166675633328


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166985398326


    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --


    End of file - 5873 bytes

  • I believe the ctsysvol.exe is part of the soundblaster audio card software included with your soundblaster drivers. You should try do update your driver and see if there are any improvements. For the other MS scripts, please post screenshots of the MS Scripts you are encountering as this may give us a better understanding of what is going wrong with your system.

  • I believe the ctsysvol.exe is part of the soundblaster audio card software included with your soundblaster drivers. You should try do update your driver and see if there are any improvements. For the other MS scripts, please post screenshots of the MS Scripts you are encountering as this may give us a better understanding of what is going wrong with your system.


    It is from creative and i dont know how to post screen shots? its says that and drive a is not accessible when i shut down and i have to click ok but i disabled drive a a long time ago as it was a floppy drive and installed a dvd drive?

  • I keep getting (2) 16-Bit MS-DOS subsystem messages one is C:\PROGRA~1\Creative\SBAUDI~1\CTSysVol.exe The NTVDM CPU Has encountered an illegal instruction CS:0546 IP:ffe0 OP:ff ff1e098b Choose 'Close' to terminate application


    and


    C:\PROGRA~1\MIFB84~1\point32.exe


    and upon shutdown I receive drive a:/ not ready or accessible error. please assist me, thanks in advance.


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 11:53:33 AM, on 3/23/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\WINDOWS\System32\CTsvcCDA.EXE


    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\System32\svchost.exe


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166675633328


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166985398326


    O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --


    End of file - 5786 bytes

  • NTVDM CPU Has Encountered an Illegal Instruction


    To resolve this issue, replace the Command.com file in the Winnt\System32 folder with the same file from another computer that is running Windows NT Workstation 4.0 or Windows NT Server 4.0, and then make sure that there are no Command.com files dated 7/11/95 on the computer. You can also replace the Command.com file on the computer with the same file on the Windows NT installation CD-ROM.


    Error Message: A:\ Is Not Accessible


    To prevent this error message, close the Windows Explorer or My Computer window displaying the contents of the floppy disk before you restart your computer.


    Source: Microsoft KB