Please Assist With Virus
Hi Friends
I get popups that advise I download software because my computer has been infected with spyware. Further more I have also sent spam (unwillingly). I am going to run a HJT log file and post it here, as I have read many problems similar to mine.
Please assist.
regards
Matt
Here is the log file. Please assist.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:02 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesIntelWirelessBinEvtEng.exe
C:Program FilesIntelWirelessBinS24EvMon.exe
C:WINDOWSsystem32spoolsv.exe
c:program filescommon fileslogitechlvmvfmLVPrcSrv.exe
C:WINDOW###plorer.EXE
C:AcerEmpowering TechnologyePerformanceMemCheck.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:WINDOWSRTHDCPL.EXE
C:WINDOWSAGRSMMSG.exe
C:WINDOWSsystem32RUNDLL32.EXE
C:Program FilesCyberLinkPowerDVDPDVDServ.exe
C:Program FilesLaunch ManagerLaunchAp.exe
C:Program FilesLaunch ManagerHotkeyApp.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:Program FilesLaunch ManagerOSDCtrl.exe
C:Program FilesLaunch ManagerWbutton.exe
C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe
C:AcerEmpowering TechnologyePowerePower_DMC.exe
C:WINDOWSsystem32driversCDAC11BA.EXE
C:WINDOWSsystem32nvsvc32.exe
C:AcerEmpowering TechnologyePresentationePresentation.exe
C:AcerEmpowering TechnologyeRecoveryeRAgent.exe
C:WINDOWSsystem32LVCOMSX.EXE
C:Program FilesAcerOrbiCamCameraAssistant.exe
C:Program FilesIntelWirelessBinRegSrvc.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32ElkCtrl.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:Program FilesHPHP Software UpdateHPWuSchd2.exe
C:WINDOWSSystem32DLADLACTRLW.EXE
C:Program FilesJavajre1.6.0_03binjusched.exe
C:WINDOWSSystem32spoolDRIVERSW32X863fppdis2a.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:Program FilesMessengermsmsgs.exe
C:WINDOWSsystem32ctfmon.exe
C:documents and settingsuserlocal settingsapplication dataycguiuo.exe
C:AcerEmpowering TechnologyAcer.Empowering.Framework.Launcher.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesSonySony Picture UtilityVolumeWatcherSPUVolumeWatcher.exe
C:Program FilesLimeWireLimeWire.exe
C:WINDOWSsystem32wbemwmiapsrv.exe
C:WINDOWSsystem32wbemunsecapp.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://global.acer.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:PROGRA~1MEGAUP~1MEGAUP~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:WINDOWSSystem32DLADLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_03binssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:WINDOWSsystem32eDStoolbar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:PROGRA~1MEGAUP~1MEGAUP~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O4 - HKLM..Run: [Preload] C:WindowsRUNXMLPL.exe
O4 - HKLM..Run: [synTPEnh] C:Program FilesSynapticsSynTPSynTPEnh.exe
O4 - HKLM..Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..Run: [AzMixerSel] C:Program FilesRealtekInstallShieldAzMixerSel.exe
O4 - HKLM..Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..Run: [ntiMUI] C:Program FilesNewTech InfosystemsNTI CD & DVD-Maker 7ntiMUI.exe
O4 - HKLM..Run: [iMJPMIG8.1] "C:WINDOWSIMEimjp8_1IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..Run: [MSPY2002] C:WINDOWSsystem32IMEPINTLGNTImScInst.exe /SYNC
O4 - HKLM..Run: [PHIME2002ASync] C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE /SYNC
O4 - HKLM..Run: [PHIME2002A] C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE /IMEName
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [RemoteControl] "C:Program FilesCyberLinkPowerDVDPDVDServ.exe"
O4 - HKLM..Run: [LaunchAp] "C:Program FilesLaunch ManagerLaunchAp.exe"
O4 - HKLM..Run: [LManager] "C:Program FilesLaunch ManagerHotkeyApp.exe"
O4 - HKLM..Run: [CtrlVol] "C:Program FilesLaunch ManagerCtrlVol.exe"
O4 - HKLM..Run: [LMgrOSD] "C:Program FilesLaunch ManagerOSDCtrl.exe"
O4 - HKLM..Run: [Wbutton] "C:Program FilesLaunch ManagerWbutton.exe"
O4 - HKLM..Run: [eDataSecurity Loader] C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe 0
O4 - HKLM..Run: [ePower_DMC] C:AcerEmpowering TechnologyePowerePower_DMC.exe
O4 - HKLM..Run: [boot] C:AcerEmpowering TechnologyePowerBoot.exe
O4 - HKLM..Run: [Acer ePresentation HPD] C:AcerEmpowering TechnologyePresentationePresentation.exe
O4 - HKLM..Run: [eRecoveryService] C:AcerEmpowering TechnologyeRecoveryeRAgent.exe
O4 - HKLM..Run: [LVCOMSX] C:WINDOWSsystem32LVCOMSX.EXE
O4 - HKLM..Run: [LogitechCameraAssistant] C:Program FilesAcerOrbiCamCameraAssistant.exe
O4 - HKLM..Run: [LogitechVideo[inspector]] C:Program FilesAcerOrbiCamInstallHelper.exe /inspect
O4 - HKLM..Run: [LogitechCameraService(E)] C:WINDOWSsystem32ElkCtrl.exe /automation
O4 - HKLM..Run: [imageItEncrypt] C:WINDOWSsystem32ImageItEncrypt.exe
O4 - HKLM..Run: [HP Software Update] "C:Program FilesHPHP Software UpdateHPWuSchd2.exe"
O4 - HKLM..Run: [DLA] C:WINDOWSSystem32DLADLACTRLW.EXE
O4 - HKLM..Run: [sunJavaUpdateSched] "C:Program FilesJavajre1.6.0_03binjusched.exe"
O4 - HKLM..Run: [pdfFactory Dispatcher v2] "C:WINDOWSSystem32spoolDRIVERSW32X863fppdis2a.exe" /source=HKLM
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [ycguiuo] c:documents and settingsuserlocal settingsapplication dataycguiuo.exe ycguiuo
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:Program FilesSonySony Picture UtilityVolumeWatcherSPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:Program FilesLimeWireLimeWire.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:AcerEmpowering TechnologyePerformanceMemCheck.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:WINDOWSsystem32driversCDAC11BA.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:Program FilesIntelWirelessBinEvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:program filescommon fileslogitechlvmvfmLVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:Program FilesIntelWirelessBinRegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:Program FilesWinPcaprpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:Program FilesIntelWirelessBinS24EvMon.exe
--
End of file - 9761 bytes
Comments
-
Next time paste the full log file....it doesn have " \" in the file locations !
Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.
It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.
At the end ComboFix will generate a log file. Save it and post it here.0 -
Next time paste the full log file....it doesn have " \" in the file locations !
Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.
It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.
At the end ComboFix will generate a log file. Save it and post it here.
Hi Crysty2k5
when I run ComboFix, it warns of information loss being a possible outcome. Not being a computer boffin, is it safe to proceed? or should I make back-ups first?
regards
Matt0 -
Hello Matt200,
How does the error message looks like? Because it could be the infection that give you that warning. Combofix only removes known infections and make a logfile. So it's safe to run it.
Kind regards,
Niels0 -
Hi Niels
I will check when I get home tonight. But it almost seemed to just be a disclaimer, that read something lik " only a small percentage of computer survive the scan..... something like that.
But I will confirm tonight.
thanks
Matt0 -
Hi There
I ran Combofix and here is the log file.
please advise.
ComboFix 08-07-10.1 - user 2008-07-11 14:19:23.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\Documents and Settings\user\Local Settings\Application Data\ggkey.dat
c:\documents and settings\user\local settings\application data\ggkey.exe
C:\Documents and Settings\user\Local Settings\Application Data\ggkey_nav.dat
C:\Documents and Settings\user\Local Settings\Application Data\ggkey_navps.dat
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\Temp\log.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.
2008-07-03 21:09 . 2008-07-03 21:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-02 08:53 . 2008-07-02 08:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2008-07-02 08:53 . 2008-07-02 08:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-02 08:01 . 2008-07-02 08:02 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-02 08:01 . 2008-07-02 08:01 <DIR> d-------- C:\Program Files\Recuva
2008-07-02 07:33 . 2008-07-02 07:33 <DIR> d-------- C:\Program Files\Data Doctor Recovery Pen Drive (Demo)
2008-07-01 21:51 . 2008-07-01 21:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 12:21 . 2008-06-30 12:21 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-28 01:39 . 2004-08-04 00:56 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-06-28 01:39 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-06-28 01:38 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2008-06-28 01:38 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-06-28 01:38 . 2004-08-03 22:29 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-06-28 01:38 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-06-28 01:38 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-06-28 01:38 . 2004-08-03 22:29 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-06-28 01:38 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-06-28 01:36 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-06-28 01:35 . 2001-08-17 22:36 216,064 --a------ C:\WINDOWS\system32\dllcache\um34scan.dll
2008-06-28 01:34 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-06-28 01:33 . 2001-08-17 14:56 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-06-28 01:32 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2008-06-28 01:31 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-06-28 01:30 . 2001-08-17 22:36 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-06-28 01:29 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-06-28 01:28 . 2004-08-04 00:56 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-06-28 01:27 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-06-28 01:26 . 2004-08-04 00:56 259,328 --a------ C:\WINDOWS\system32\dllcache\perm3dd.dll
2008-06-28 01:25 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-06-28 01:24 . 2004-08-03 22:31 132,695 --a------ C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-06-28 01:23 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-06-28 01:22 . 2001-08-17 12:50 320,384 --a------ C:\WINDOWS\system32\dllcache\mgaum.sys
2008-06-28 01:21 . 2001-08-17 13:28 802,683 --a------ C:\WINDOWS\system32\dllcache\ltsm.sys
2008-06-28 01:20 . 2001-08-17 22:36 90,200 --a------ C:\WINDOWS\system32\dllcache\io8ports.dll
2008-06-28 01:20 . 2001-08-17 12:12 45,632 --a------ C:\WINDOWS\system32\dllcache\ip5515.sys
2008-06-28 01:20 . 2001-08-17 22:36 45,568 --a------ C:\WINDOWS\system32\dllcache\kdsui.dll
2008-06-28 01:20 . 2004-08-03 23:08 40,832 --a------ C:\WINDOWS\system32\dllcache\irbus.sys
2008-06-28 01:20 . 2001-08-17 13:50 38,784 --a------ C:\WINDOWS\system32\dllcache\io8.sys
2008-06-28 01:20 . 2001-08-17 13:49 26,624 --a------ C:\WINDOWS\system32\dllcache\irstusb.sys
2008-06-28 01:20 . 2001-08-17 13:49 23,552 --a------ C:\WINDOWS\system32\dllcache\irmk7.sys
2008-06-28 01:20 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\dllcache\irsir.sys
2008-06-28 01:20 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-28 01:20 . 2001-08-17 13:47 13,056 --a------ C:\WINDOWS\system32\dllcache\inport.sys
2008-06-28 01:18 . 2001-08-17 13:28 542,879 --a------ C:\WINDOWS\system32\dllcache\hsf_msft.sys
2008-06-28 01:17 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-06-28 01:16 . 2001-08-17 13:28 595,647 --a------ C:\WINDOWS\system32\dllcache\es56cvmp.sys
2008-06-28 01:15 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-06-28 01:14 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-06-28 01:13 . 2004-08-04 00:56 249,856 --a------ C:\WINDOWS\system32\dllcache\ctmasetp.dll
2008-06-28 01:12 . 2001-08-17 12:13 980,034 --a------ C:\WINDOWS\system32\dllcache\cicap.sys
2008-06-28 01:11 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-06-28 01:10 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-06-27 14:19 . 2008-06-27 14:19 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-27 14:19 . 2008-06-27 14:19 <DIR> d-------- C:\Program Files\AVG
2008-06-27 14:19 . 2008-06-27 14:19 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVGTOOLBAR
2008-06-27 14:19 . 2008-06-27 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-27 14:19 . 2008-07-03 21:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-27 14:19 . 2008-07-03 21:09 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-18 11:44 . 2008-06-18 11:45 2,362,422 --a------ C:\djtyuyifui.bmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 21:36 --------- d-----w C:\Program Files\Live-Player
2008-05-21 09:12 --------- d-----w C:\Documents and Settings\user\Application Data\Image Zone Express
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 05:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 07:03 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 07:03 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 16:32 761945]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 19:51 53248]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 20:00 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 09:43 7397376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-01-19 09:43 86016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2006-04-19 15:08 69632]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2006-04-20 09:23 86016]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 15:00 345088]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 18:47 421888]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12 579584]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 16:39 204800]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 16:43 401408]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39 225280]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47 331776]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55 73728]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 18:22 262144]
"ImageItEncrypt"="C:\WINDOWS\system32\ImageItEncrypt.exe" [2005-12-30 14:02 40960]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-06-13 05:20 127036]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"pdfFactory Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-04-03 19:06 483328]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 21:09 1232152]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 17:23 15961088 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-09-09 11:20 88203 C:\WINDOWS\AGRSMMSG.exe]
C:\Documents and Settings\user\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-04-09 08:25:44 344064]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-07-02 09:07:31 122880]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-11-10 12:44:22 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 21:09]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 21:09]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 21:09]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 21:09]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 10:40]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4fc47d0-9cda-11dc-b3ae-0013028e7be1}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 14:31:28
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-11 14:37:55 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-07-11 21:37:38
Pre-Run: 15,651,799,040 bytes free
Post-Run: 15,835,824,128 bytes free
220 --- E O F --- 2008-07-11 13:44:370 -
Hello Matt200,
Can you please do this click on start,my computer,QooBox,Quarantine open the subfolders. Now rename each file I mean removing the .vir entry. Archive them all. How to archive them see this topic look at the 2 post. Please make a new topic in this forum section and upload the archive there as an attachment. To do that just make a new topic once you are in creating screen scroll down till you see the attachments section press on browse,and navigate to the location of your archive press on upload. There is a 2 mb upload file limit. Please upload also djtyuyifui.bmp which is locate when you click on start,my computer there you will find it.
Please download SDFix. Save it on your desktop. Be sure that you are logged on with an administrator account. Double click on it don't change the installation directory. Reboot your pc into safe mode by pressing the F8 button before the windows splash screen select safe mode press enter. Navigate to start,my computer,SDFix and double click on RunThis.bat
press y and press enter. Please post the sdfix report.
Kind regards,
Niels0 -
Hi Niels
If i go to click on start,my computer, i cant see QooBox,Quarantine ???
regards
Matt0 -
Hello Matt200,
I thought that you knew that but you should also double click on the icon off the partition or hard disk were you have installed windows or your software on it is called C: but it can differ. Sorry for the confusion.
Kind regards,
Niels0 -
Hi Niels
As you can see, I am not quite the boffin. I have found the folders (thanks for previous explination). But the your next process is a little unclear to me. You say "Now rename each file I mean removing the .vir entry." do you mean that I must delete the ".vir" extention for each f the files? Must i then archive all the files together?
There are 2 folders that contain sub-folders with a few files with the .vir extentions.
Sorry, but I am a ###### when it comes to stuff like this.
regards
Matt
ps. the good news is the pop-ups are gone, but my pc is a bit slow.0 -
Hello Matt200,
You will see something like this blabla.exe.vir Right click on it and select rename. You will now see that the name is now highlighted. Select only .vir press on the delete button on your keyboard. Is it clear now?The problem is that I don't have an English windows version and I am also not a native speaker. Archive these files into archives that don't exceed 2 MB.
Please start Hijack This again but now once you are at the main screen press on open the misc tools section. Under startuplist please select list all minor section press now on generate Startuplist log. And attach the output at your next post.
Can you also please post also a sdfix log?
Kind regards,
Niels0 -
Hi Niels
I have it now thanks.
I will do this tonight and post the results.
thank you
Matt.0 -
Here is the Hijackthis Log
StartupList report, 7/26/2008, 11:29:06 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16674)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\user\Start Menu\Programs\Startup]
Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acer Empowering Technology.lnk = ?
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Preload = C:\Windows\RUNXMLPL.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
RTHDCPL = RTHDCPL.EXE
AzMixerSel = C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
AGRSMMSG = AGRSMMSG.exe
ntiMUI = C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
LaunchAp = "C:\Program Files\Launch Manager\LaunchAp.exe"
LManager = "C:\Program Files\Launch Manager\HotkeyApp.exe"
CtrlVol = "C:\Program Files\Launch Manager\CtrlVol.exe"
LMgrOSD = "C:\Program Files\Launch Manager\OSDCtrl.exe"
Wbutton = "C:\Program Files\Launch Manager\Wbutton.exe"
eDataSecurity Loader = C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
ePower_DMC = C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
Boot = C:\Acer\Empowering Technology\ePower\Boot.exe
Acer ePresentation HPD = C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
eRecoveryService = C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
LogitechCameraAssistant = C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
LogitechVideo[inspector] = C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
LogitechCameraService(E) = C:\WINDOWS\system32\ElkCtrl.exe /automation
ImageItEncrypt = C:\WINDOWS\system32\ImageItEncrypt.exe
HP Software Update = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
DLA = C:\WINDOWS\System32\DLA\DLACTRLW.EXE
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
pdfFactory Dispatcher v2 = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command
(Default) = "C:\WINDOWS\notepad.exe" "%1"
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}
(no name) - C:\WINDOWS\System32\DLA\DLASHX_W.DLL - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL - {A057A204-BACC-4D26-9990-79A187E2698E}
--------------------------------------------------
Enumerating Download Program Files:
[shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Memory Check Service: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe (autostart)
AEGIS Protocol (IEEE 802.1x) v3.4.9.0: system32\DRIVERS\AegisP.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AVG8 E-mail Scanner: C:\PROGRA~1\AVG\AVG8\avgemc.exe (autostart)
AVG8 WatchDog: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (autostart)
AVG8 Network Redirector: \SystemRoot\System32\Drivers\avgtdix.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
C-DillaCdaC11BA: C:\WINDOWS\system32\drivers\CDAC11BA.EXE (autostart)
CdaC15BA: \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DLABOIOM: System32\DLA\DLABOIOM.SYS (autostart)
DLADResN: System32\DLA\DLADResN.SYS (autostart)
DLAIFS_M: System32\DLA\DLAIFS_M.SYS (autostart)
DLAOPIOM: System32\DLA\DLAOPIOM.SYS (autostart)
DLAPoolM: System32\DLA\DLAPoolM.SYS (autostart)
DLAUDFAM: System32\DLA\DLAUDFAM.SYS (autostart)
DLAUDF_M: System32\DLA\DLAUDF_M.SYS (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
DRVNDDM: System32\Drivers\DRVNDDM.SYS (autostart)
Acer EPM Power Scheme Driver: \??\C:\WINDOWS\system32\drivers\epm-psd.sys (autostart)
Acer EPM System Hardware Driver: \??\C:\WINDOWS\system32\drivers\epm-shd.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Intel® PROSet/Wireless Event Log: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (autostart)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
int15: \??\C:\WINDOWS\system32\drivers\int15.sys (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Logitech Process Monitor: c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (autostart)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Intel® PROSet/Wireless Registry Service: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Intel® PROSet/Wireless Service: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (autostart)
WLAN Transport: system32\DRIVERS\s24trans.sys (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
tvicport: \??\C:\WINDOWS\system32\drivers\tvicport.sys (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
zntport: \??\C:\WINDOWS\system32\drivers\zntport.sys (autostart)
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 17,012 bytes
Report generated in 0.453 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only0 -
SDFix: Version 1.208
Run by Administrator on Sat 07/26/2008 at 11:54 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 00:07:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
Files with Hidden Attributes :
Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Sat 8 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 23 Jan 2003 65,952 ..SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe"
Mon 21 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\BITD.tmp"
Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20174378a49939f5f8825cfb630e979\BITCB.tmp"
Finished!0 -
Hello Matt200,
Please try this :
Click on start,my computer,double click on the icon off the partition or hard disk were windows is installed on. Open the windows folder and the Prefetch folder please delete only the oldest entries inside the prefetch folder.
Please prevent limewire from loading at start-up.
Please press the windows button together with r now type msconfig press enter. Now select selective start-up. Reboot your pc. Now each time you boot select an new start-up item that you find on the startup tab once you are in msconfig. Write always down the process that doesn't slow your boot time.
Kind regards,
Niels0
