
Dr/Zlob.Gen Drop.Agent.age


  • This topic is locked
37 replies to this topic

#1 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 21 April 2007 - 03:43 AM

I'm on XP and mostly use Opera. I heard something installing itself in the background recently and Antivir put them into quarantine but since then, everything's slowed down, pages are changing etc.
Here is my logfile. Hope someone can help

Logfile of HijackThis v1.99.1
Scan saved at 09:30:06, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\tsnp2std.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk...SAPI.dll?MyeBay
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Wireless LAN USB Dongle.lnk = C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,521 posts

Posted 23 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 24 April 2007 - 08:58 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]

I don't mind waiting but thought the thread might need bumping.

#4 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 26 April 2007 - 04:14 AM

Hi pavel2012,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here's what we do first.

Spyware Doctor's OnGuard protective functionality may interfere with certain fixes we need to make. Please follow these instructions to disable it.

To deactivate Spyware Doctor's OnGuard Tools:
  • From within Spyware Doctor, click the "OnGuard" button on the left side.
  • Uncheck "Activate OnGuard".

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Panda ActiveScan:
  • Once you are on the Panda site click the "Scan your PC" button located at the bottom of the page.
  • A new window will open... click the "Check Now" button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your e-mail address.
  • Select either Home User or Company.
  • Click the big "Free Online Scan" button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
  • When the download is complete, click on "Local Disks" to start the scan.
  • When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.

NEXT:

Please do an online scan with Kaspersky Online Scanner:
  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan.
  • The log from the Panda scan.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
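As an added example (not code from this thread, from HijackThis, or from SpywareInfo): a small Python helper that parses HijackThis v1.99.1 entry lines, flags the "(no file)" orphans that Sempurna asked to have fixed, and diffs a before/after log so the next post's log can be checked for exactly what changed. The sample lines are copied from the two logs in this thread; the line layout it assumes (a section tag such as R3 or O2, then fields separated by " - ", a CLSID in braces where present, and a last field that is either a file path or "(no file)") is my reading of those logs, not an official HijackThis format specification.

```python
"""HijackThis (v1.99.x) log helper: parse entry lines, flag orphaned entries,
and diff two logs.  Added example; assumes the line layout seen in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "R1 - ...", "O2 - ...", "F2 - ..." entry lines; process lists and headers do not match.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")
# A COM CLSID in braces, e.g. {EF99BD32-C1FB-11D2-892F-0090271D4F88}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample lines copied from the first HijackThis log in this thread (post #1).
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
"""

# Sample lines copied from the second log (post #8), posted after the two fixes.
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
"""


@dataclass(frozen=True)
class HjtEntry:
    section: str            # "R1", "O2", "O4", ...
    body: str               # everything after "<section> - "
    clsid: Optional[str]    # first {CLSID} on the line, if any
    target: Optional[str]   # last " - " field: a file path or "(no file)"


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Return the entry lines of a HijackThis log as HjtEntry records."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes:" paths, blanks
        section, body = m.groups()
        g = CLSID_RE.search(body)
        parts = body.split(" - ")
        entries.append(HjtEntry(section, body,
                                g.group(0).upper() if g else None,
                                parts[-1].strip() if len(parts) > 1 else None))
    return entries


def triage(entries: List[HjtEntry]) -> List[Tuple[HjtEntry, str]]:
    """Pair entries worth a second look with the reason, defender's view."""
    findings = []
    for e in entries:
        if e.target == "(no file)":
            findings.append((e, "orphaned entry: the registry still references a "
                                "file that is gone; harmless to fix, useful to remove"))
        elif e.section == "O2" and e.body.startswith("BHO: (no name)"):
            findings.append((e, "BHO with no name but a file on disk: identify "
                                "the DLL before deciding"))
    return findings


def orphaned_clsids(text: str) -> List[str]:
    """CLSIDs of all '(no file)' entries, in log order."""
    return [e.clsid for e, _ in triage(parse_hjt_log(text))
            if e.target == "(no file)" and e.clsid]


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) entry lines between two logs, keyed on section and body."""
    b = {(e.section, e.body) for e in parse_hjt_log(before)}
    a = {(e.section, e.body) for e in parse_hjt_log(after)}
    removed = sorted(f"{s} - {body}" for s, body in b - a)
    added = sorted(f"{s} - {body}" for s, body in a - b)
    return removed, added


if __name__ == "__main__":
    for entry, why in triage(parse_hjt_log(BEFORE_LOG)):
        print(f"{entry.section}: {why}\n    {entry.body}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed since first log:", *removed, sep="\n  ")
    print("added since first log:", *added, sep="\n  ")
```

Run it and the triage reports exactly the two entries Sempurna checked, the R3 URLSearchHook and the unnamed O2 BHO, both because their last field is "(no file)"; the diff of the two sample logs shows those two gone and one new O4 Run entry (Spyware Doctor's tray application) added, which matches what the second log in this thread shows. Keying the diff on section plus body rather than on CLSID alone means O4 entries, which carry no CLSID, are compared too.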

#5 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 27 April 2007 - 02:06 AM

"his" - 07-04-27 7:59:38 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\his\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\his\Desktop.\internet explorer.lnk
C:\install.log


((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-27 00:07 <DIR> d-------- C:\Program Files\CCleaner
2007-04-25 23:06 <DIR> d-------- C:\Program Files\SEAGULL
2007-04-25 23:03 833,536 --a------ C:\Program Files\unrbzftp.exe
2007-04-21 09:25 <DIR> d-------- C:\HJT
2007-04-16 20:52 618,496 --a------ C:\WINDOWS\system32\Eraser.dll
2007-04-16 20:52 286,720 --a------ C:\WINDOWS\system32\erasext.dll
2007-04-16 20:52 241,664 --a------ C:\WINDOWS\system32\eraserl.exe
2007-04-16 20:52 2,694,679 --a------ C:\Program Files\eraser582setup.exe
2007-04-16 20:52 <DIR> d-------- C:\Program Files\Eraser
2007-04-16 19:06 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2007-04-16 00:50 <DIR> d-------- C:\DOCUME~1\his\APPLIC~1\Visicom Media
2007-04-16 00:49 2,462,816 --a------ C:\Program Files\aceftp3pro.exe
2007-04-16 00:49 <DIR> d-------- C:\Program Files\vmntoolbar
2007-04-16 00:49 <DIR> d-------- C:\Program Files\Visicom Media
2007-04-14 12:50 <DIR> d-------- C:\DOCUME~1\his\APPLIC~1\Talkback
2007-04-12 20:42 14,994,152 --a------ C:\Program Files\GoogleEarthWin_EARD.exe
2007-04-12 20:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-12 20:09 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-12 20:09 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-12 20:09 59,472 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-12 20:09 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-12 20:09 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-12 20:09 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-12 20:09 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-12 20:09 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-04-12 20:09 <DIR> d-------- C:\DOCUME~1\his\APPLIC~1\PC Tools
2007-04-12 20:07 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-04-12 07:56 <DIR> d-------- C:\Program Files\Mach5 Software
2007-03-31 18:23 1,024 -r-h----- C:\WINDOWS\system32\NTIBUN4.dll
2007-03-31 18:22 13,952 --------- C:\WINDOWS\system32\drivers\UBHelper.sys
2007-03-31 18:21 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-03-31 18:20 <DIR> d-------- C:\Program Files\Common Files\NewTech Infosystems
2007-03-31 18:19 1,024 -r-h----- C:\WINDOWS\system32\NTIMP3.dll
2007-03-31 18:19 1,024 -r-h----- C:\WINDOWS\system32\NTIFCD3.dll
2007-03-31 18:19 1,024 -r-h----- C:\WINDOWS\system32\NTICDMK7.dll
2007-03-31 02:25 7,864,320 --a------ C:\DOCUME~1\his\ntuser.dat
2007-03-29 20:30 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-03-29 20:30 <DIR> d-------- C:\Program Files\Picklish
2007-03-29 20:27 4,748,638 --a------ C:\Program Files\picklish_setup.exe
2007-03-29 19:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-03-29 19:42 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-03-29 19:39 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-29 19:34 25,755,448 --a------ C:\Program Files\wmp11-windowsxp-x86-enu.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-24 11:08 -------- d-------- C:\Program Files\soulseek
2007-04-22 19:22 -------- d-------- C:\Program Files\opera
2007-04-16 20:03 -------- d-------- C:\Program Files\trojanhunter 4.6
2007-04-16 01:02 18586453 --a------ C:\Program Files\win-drivers.zip
2007-04-15 09:33 -------- d-------- C:\Program Files\pcbugdoctor
2007-04-15 09:26 -------- d--h----- C:\Program Files\installshield installation information
2007-04-15 09:26 -------- d-------- C:\Program Files\google
2007-04-12 20:06 809688 --a------ C:\Program Files\google updater.exe
2007-03-31 18:23 -------- d-------- C:\Program Files\newtech infosystems
2007-03-31 18:22 50 --a------ C:\AUTOEXEC.BAT
2007-03-31 18:19 6144 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys
2007-03-31 18:19 1024 -r-h----- C:\WINDOWS\system32\ntimpeg2.dll
2007-03-28 18:55 60 --a------ C:\WINDOWS\system32\sysdrv.dat
2007-03-28 18:52 -------- d-------- C:\Program Files\wireless lan usb dongle
2007-03-28 18:52 -------- d-------- C:\Program Files\sisagp
2007-03-28 18:52 -------- d-------- C:\Program Files\sis vga utilities v3.67a
2007-03-28 18:52 -------- d-------- C:\Program Files\microsoft works
2007-03-28 18:51 -------- d-------- C:\Program Files\divx
2007-03-21 18:44 -------- d-------- C:\DOCUME~1\his\APPLIC~1\dvdcss
2007-03-16 18:56 -------- d-------- C:\Program Files\msn messenger
2007-03-16 18:51 18040176 --a------ C:\Program Files\install_messenger_nous.exe
2007-03-16 18:48 1001536 --a------ C:\Program Files\mmssetup.exe
2007-03-13 20:38 -------- d-------- C:\Program Files\Common Files\nikon
2007-03-13 20:36 -------- d-------- C:\Program Files\canon
2007-03-12 17:03 -------- d-------- C:\Program Files\mp3 player utilities
2007-03-05 20:32 359112 --a------ C:\Program Files\limewirewin.exe
2007-03-03 11:38 -------- d-------- C:\DOCUME~1\his\APPLIC~1\otvreg
2007-02-18 17:00 1410680 --a------ C:\Program Files\install_flash_player.exe
2007-02-15 00:44 1181812 --a------ C:\Program Files\flvplayer_setup.exe
2007-02-10 12:16 13588888 --a------ C:\Program Files\o2ksp3.exe
2007-02-03 20:54 86094 --a------ C:\WINDOWS\bpmnt.dll
2007-02-03 20:54 71749 --a------ C:\WINDOWS\hcextoutput.dll
2007-02-03 20:54 229957 --a------ C:\WINDOWS\tsc.exe
2007-02-03 20:54 1101904 --a------ C:\WINDOWS\vsapi32.dll
2007-01-31 22:52 11356484 --a------ C:\Program Files\trojanhuntersetup.exe
2007-01-20 12:05 18951556 --a------ C:\Program Files\windowslivemessenger81.exe
2007-01-06 21:05 6469352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-01-05 23:54 842672 --a------ C:\Program Files\slsk156c.exe
2007-01-02 13:53 251656 --a------ C:\Program Files\jre-1_5_0_10-windows-i586-p-iftw.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"tsnp2std"="C:\\WINDOWS\\tsnp2std.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"snp2std"="C:\\WINDOWS\\vsnp2std.exe"
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch(2).lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch(2).lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch(2).lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch(2)"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray(2).lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Utility Tray(2).lnk"
"backup"="C:\\WINDOWS\\pss\\Utility Tray(2).lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\sistray.exe "
"item"="Utility Tray(2)"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Utility Tray.lnk"
"backup"="C:\\WINDOWS\\pss\\Utility Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\sistray.exe "
"item"="Utility Tray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL_Demo]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSGDemo"
"hkey"="HKLM"
"command"="C:\\Applications\\Tool\\AOL Demo\\DSGDemo.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCWipeTM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCWipeTM"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eraser"
"hkey"="HKCU"
"command"="C:\\Program Files\\Eraser\\eraser.exe -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Monitor"
"hkey"="HKCU"
"command"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe -NoStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SDTrayApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyhook"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\keyhook.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32"
"hkey"="HKLM"
"command"="Rundll32.exe SiSPower.dll,ModeAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="THGuard"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vidalia"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Vidalia\\vidalia.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23c8462b-aa0c-11db-863d-0011e2059e25}]
Shell\AutoRun\command E:\setupSNK.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{60d0d564-8a92-11db-85d6-7494b4123456}]
Shell\AutoRun\command E:\setupSNK.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070426-124725-795
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070426-124725-816
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Security Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 08:03:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 8:04:02
C:\ComboFix-quarantined-files.txt ... 07-04-27 08:04

#6 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 27 April 2007 - 03:34 AM

Hiya pavel2012, :wave:

Did you manage to get the other logs? Thanks! :)
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#7 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 27 April 2007 - 04:07 AM

Doing them now.

Incident Status Location

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies-1.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies-1.txt[.mediaplex.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies-1.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies-1.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies-1.txt[server.iad.liveperson.net/hc/45553385]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies.txt[server.iad.liveperson.net/hc/45553385]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies.txt[server.iad.liveperson.net/hc/45553385]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\his\Application Data\Mozilla\Firefox\Profiles\p1bej2iw.default\cookies.txt[server.iad.liveperson.net/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\his\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe

#8 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 27 April 2007 - 05:42 AM

One problem which has been present throughout is that the computer takes a long time to turn off. This is still happening. Otherwise, things seem to be running a bit more efficiently.

Logfile of HijackThis v1.99.1
Scan saved at 11:39:34, on 27/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\tsnp2std.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk...SAPI.dll?MyeBay
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Wireless LAN USB Dongle.lnk = C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

#9 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 27 April 2007 - 12:39 PM

Antivir keeps flashing up a warning that
C:\WINDOWS\system32\Activescan\pskavs
is a virus. Is it ok or should I delete it?

#10 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 30 April 2007 - 02:36 AM

Is there anybody out there?

#11 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 01 May 2007 - 12:01 AM

Hi pavel2012, :wave:

I'm sorry for my late reply. I had lost my Internet access for the last 5 days! :(


Antivir keeps flashing up a warning that
C:\WINDOWS\system32\Activescan\pskavs
is a virus. Is it ok or should I delete it?

Nope, just leave it alone. That is a false positive. Happens from time to time.

We'll look into the slow shutoff times when we are sure that your system is clean of malware, OK?

Using Windows Explorer (right-click your Start button and select Explore), please navigate to and delete the following FILES (if they exist):

C:\WINDOWS\hcextoutput.dll


Please let me know if you encountered any problems finding or deleting the file.


NEXT:

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:

    C:\Program Files\unrbzftp.exe

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

NEXT:

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=-


Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.


Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.


NEXT:

Did you manage to do the Kaspersky online scan and get the results from the scan? I'd like to see that also, please.

Your log shows that you have disabled some startup programs using msconfig. This is not recommended because I cannot clearly see everything that is loading on your computer at startup. This can be bad if they are malware, so I would like you to re-enable those startup entries.

To re-enable all startup items please follow these instructions:
  • Please go to Start -> Run and type (or copy and paste):

    msconfig

  • Click OK.
  • If not already selected go to the General tab.
  • Under Startup Selection select "Normal Startup - load all device drivers and services".
  • Click Apply and then Close.
  • When you are prompted to reboot, select "Exit Without Restart".
  • Post a new HijackThis log when you are done.

NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The report from VirusTotal.
  • The log from the Kaspersky scan.
  • A new HijackThis log.

Edited by Sempurna, 01 May 2007 - 12:02 AM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
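The fix.reg above sets nothing: in .reg syntax a value whose data is `-` is deleted, and `@` names the (Default) value, so merging it removes the default value of the HKLM Run key. As an added example (not code from the forum, from HijackThis or from regedit), the parser below turns a REGEDIT4 file into the list of operations a merge would perform, so a fix like this can be read before it is applied.

```python
"""Interpret a REGEDIT4 file the way regedit merges it.

Added example for this thread; it is not code from the forum, from HijackThis
or from regedit. The fix.reg posted above sets nothing: its "@=-" line deletes
the (Default) value of the HKLM Run key, and this parser makes that explicit.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copy of the fix.reg contents posted in the thread.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# Value name is either @ (the (Default) value) or a quoted string; the right-hand
# side is "-" for deletion or the data (quoted string, dword:..., hex:...).
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


@dataclass
class RegOp:
    action: str            # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""         # "" stands for the (Default) value written as "@"
    data: Optional[str] = None


def _unquote_name(token: str) -> str:
    if token == "@":
        return ""
    return token[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> List[RegOp]:
    """Return the registry operations a merge of this .reg text would perform."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    ops: List[RegOp] = []
    key: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            if km.group(1) == "-":          # [-Key] deletes the whole key
                ops.append(RegOp("delete_key", km.group(2)))
                key = None
            else:
                key = km.group(2)
            continue
        vm = VALUE_RE.match(line)
        if vm is None or key is None:
            raise ValueError(f"malformed or misplaced line: {line!r}")
        name, data = _unquote_name(vm.group(1)), vm.group(2)
        if data == "-":                     # name=- deletes that value
            ops.append(RegOp("delete_value", key, name))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            ops.append(RegOp("set_value", key, name, data[1:-1]))
        else:                               # dword:, hex: etc. kept verbatim
            ops.append(RegOp("set_value", key, name, data))
    return ops


def describe(op: RegOp) -> str:
    """Human-readable form, useful for reviewing a fix before merging it."""
    label = "(Default)" if op.name == "" else f'"{op.name}"'
    if op.action == "delete_key":
        return f"delete key {op.key} and everything under it"
    if op.action == "delete_value":
        return f"delete {label} value of {op.key}"
    return f"set {label} value of {op.key} to {op.data!r}"


if __name__ == "__main__":
    for op in parse_reg(FIX_REG):
        print(describe(op))
```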

#12 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 01 May 2007 - 07:43 AM

The report from Kaspersky said there was nothing to report. That's why I didn't post it.
I couldn't get onto that VirusTotal site. I tried in Mozilla and Internet Explorer and it wouldn't connect.
Here is the new HijackThis log.
(As I did a quick scan down the logfile, this entry jumped out at me. I've never been on that website:
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk)

Logfile of HijackThis v1.99.1
Scan saved at 13:40:29, on 01/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\tsnp2std.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.c...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.c...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [AOL_Demo] C:\Applications\Tool\AOL Demo\DSGDemo.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch(2).lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray(2).lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Wireless LAN USB Dongle.lnk = C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
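The 27 April and 1 May logs above differ mainly in their O4 autostart lines, which is what the earlier request to re-enable the msconfig startup items was meant to surface. As an added example (not a HijackThis feature or code from the forum), the script below parses the O4 entries of excerpts copied from both logs and reports what appeared, vanished or changed; quoting differences on the executable path are normalised so they are not reported as changes.

```python
"""Diff the O4 (autostart) entries between two HijackThis logs.

Added example for this thread; it is not a HijackThis feature or code from the
forum. It does the comparison the helper makes by eye between the 27 April and
1 May logs: which autostart entries are new once msconfig stops hiding them.
"""
import re
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str]          # (location, name), e.g. ("HKLM\\..\\Run", "THGuard")

# O4 lines come in two shapes in HJT 1.99.1 logs:
#   O4 - HKLM\..\Run: [Name] command line
#   O4 - Global Startup: Shortcut.lnk = path
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run): \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Global Startup): (.+?) = (.*)$")

# Excerpts copied from the two logs posted above (not the complete logs).
LOG_27_APR = r"""
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Wireless LAN USB Dongle.lnk = C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
"""

LOG_01_MAY = r"""
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AOL_Demo] C:\Applications\Tool\AOL Demo\DSGDemo.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless LAN USB Dongle.lnk = C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
"""


def normalise(command: str) -> str:
    """HJT sometimes quotes the executable path and sometimes not; compare on content."""
    return command.replace('"', "").strip().lower()


def parse_autoruns(log: str) -> Dict[Entry, str]:
    """Map every O4 entry to its normalised command; other HJT sections are ignored."""
    entries: Dict[Entry, str] = {}
    for line in log.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            location, name, command = m.groups()
            entries[(location, name)] = normalise(command)
    return entries


def diff_autoruns(old: Dict[Entry, str], new: Dict[Entry, str]) -> Tuple[Set[Entry], Set[Entry], Set[Entry]]:
    """Return (added, removed, changed); changed means same entry, different command."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    changed = {k for k in set(old) & set(new) if old[k] != new[k]}
    return added, removed, changed


def report(old_log: str, new_log: str) -> List[str]:
    """One line per difference, prefixed +, - or ~ like a diff."""
    old, new = parse_autoruns(old_log), parse_autoruns(new_log)
    added, removed, changed = diff_autoruns(old, new)
    lines = [f"+ {loc}: [{name}] {new[(loc, name)]}" for loc, name in sorted(added)]
    lines += [f"- {loc}: [{name}] {old[(loc, name)]}" for loc, name in sorted(removed)]
    lines += [f"~ {loc}: [{name}] {old[(loc, name)]} -> {new[(loc, name)]}"
              for loc, name in sorted(changed)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_27_APR, LOG_01_MAY)))
```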

#13 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 01 May 2007 - 07:46 AM

The other thing I wanted to say is that it's taking a lot longer to load everything up after start-up these days, especially the wireless connection stuff.

#14 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 01 May 2007 - 10:40 AM

The other changes I noticed were that another Yahoo Messenger icon appeared on the desktop after the first reboot, and a Java teacup appeared in the system tray which has been asking me to update ever since. I remember that icon appearing on another computer which was infected, so I've left it alone so far.

#15 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 02 May 2007 - 01:15 AM

Hi pavel2012, :wave:

OK, let's do this next, and then work on your slow startup times.

Please run HijackThis and fix these next entries:

O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE



NEXT:

Please download Autoruns by Sysinternals and save it to your desktop:
  • Unzip (extract) it to your desktop, open the Autoruns folder, and double-click autoruns.exe to run it.
  • In the main Autoruns window, go to the Logon tab, and uncheck the following entries:

    tsnp2std
    SunJavaUpdateSched
    snp2std
    THGuard
    QuickTime Task
    BCWipeTM Startup
    AOL_Demo
    Yahoo! Pager
    Vidalia
    OM_Monitor
    MsnMsgr
    Eraser


  • Then please exit Autoruns.
You may also check with these websites about any programs on your system that can be stopped from running at startup without compromising performance or usage:

Reboot your computer to set the new startup settings.


NEXT:

Sometimes a bad DNS entry is cached. Let's clear out the DNS cache:
  • Please go to Start -> Run and type (or copy and paste):

    cmd

  • Click OK.
  • A black DOS window with the Command Prompt or C:\WINDOWS\system32\cmd.exe header will now appear. Now type (or copy and paste):

    ipconfig /flushdns

  • Hit Enter.
  • Type Exit and hit Enter again to exit the command prompt window.

NEXT:

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:
  • CLICK HERE to download the offline installer.
    • Select Java Runtime Environment (JRE) 6u1 and click the Download button to the right.
    • Check the box that says Accept License Agreement.
    • Click on the link to download Windows Offline Installation, Multi-language.
    • Save the file to your desktop.
  • Next, uninstall your currently installed version from Add/Remove Programs.
  • If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
  • Examples of older versions in Add/Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Reboot your system.
  • Install the new version by double-clicking on the file you downloaded.

NEXT:

How are things running now?

#16 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 02 May 2007 - 04:33 AM

Well, it's starting up and shutting down a lot easier now. I haven't got time to test it all out at the moment, but I will make a post later when I've had the chance.

#17 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 03 May 2007 - 12:25 AM

No worries, take your time. :)

#18 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 03 May 2007 - 03:15 AM

Everything seems fine at the moment so thanks a lot. :D

#19 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 03 May 2007 - 06:46 AM

Still having trouble shutting down, though.

#20 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 03 May 2007 - 09:27 AM

OK, let's check to see if your OS files are OK or not.

For this next step, please have your original Windows XP installation CD handy.

Then, please go to Start -> My Computer:
  • Right-click on Local Disk (C:) (or whichever is your primary drive), and select Properties.
  • Now go to the Tools tab, and click the Check Now button.
  • Put a checkmark next to:
    • Automatically fix file system errors.
    • Scan for and attempt recovery of bad sectors.
  • Then click the Start button.
  • You will receive a prompt to reboot your computer. Select Yes or OK, and please reboot your computer if it doesn't do so automatically.
  • The Check Disk utility will now scan your hard drive for any damaged system files and/or hard drive sectors. Please be patient, as this scan may take awhile to complete.
  • Follow any prompts that may appear.

NEXT:

For this next step, please have your original Windows XP installation CD handy.
  • Then, please go to Start -> Run and type (or copy and paste):

    sfc /scannow

  • Click OK.
  • The System File Checker will now run. If it finds any corrupt OS files, it will prompt you to insert your Windows XP installation CD. If nothing is found, it will close by itself.
  • Please be patient as this scan may take awhile to complete.

NEXT:

First of all, please register (it's free, don't worry) with PC Pitstop and run the full tests here:
http://www.pcpitstop...top/default.asp

When the tests are complete, a results page will pop up. Click "Share Results with TechExpress" on the top right-hand side. Then copy the URL provided and post it here for me.

#21 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 03 May 2007 - 07:44 PM

http://www.pcpitstop...P6FHWYVBMWSWRBW

#22 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 04 May 2007 - 05:06 AM

Hi pavel2012, :wave:

At the PC Pitstop page, you will find a Customized Tune-up Tips section just for your system. Do the tips and suggestions, and let me know whether the problem persists.

#23 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 05 May 2007 - 11:55 AM

It does seem a lot better now, but one worrying thing just happened that never has before.
I was viewing a friend's MySpace page and the screen just went black and the computer shut down, all in a split second.

#24 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 05 May 2007 - 09:14 PM

I'm wondering whether you could be having some sort of hardware problem. Let's check your RAM and see whether it is failing.

You can download the Windows Memory Diagnostic and determine if there are problems with your RAM or the memory system of your motherboard.

Please let me know the results of the RAM test.

#25 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 07 May 2007 - 07:05 AM

I haven't got the installation disc for this computer. It was sold to me without one.

#26 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 07 May 2007 - 08:09 AM

Are you running a test that requires the installation disc? Is the test asking for a missing file to be replaced?

If the test is asking for a missing/corrupt OS file to be replaced, you can direct it to your dllcache or i386 folders.

How did the memory test go?

#27 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 07 May 2007 - 08:09 AM

Are you running a test that requires the installation disc? Is the test asking for a missing/corrupt file to be replaced?

If the test is asking for a missing/corrupt OS file to be replaced, you can direct it to your dllcache or i386 folders.

How did the memory test go?

Edited by Sempurna, 07 May 2007 - 08:10 AM.


#28 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 23 May 2007 - 03:24 AM

I'm sorry I didn't reply sooner. I was in hospital. I am having trouble getting online with my wireless connection and Antivir has picked up various problems. I will post another logfile just in case.
Also, the problem with shutting down has persisted.

Logfile of HijackThis v1.99.1
Scan saved at 09:22:42, on 23/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Canon\Digital Photo Professional\DPP\DPPEditor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch(2).lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray(2).lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Wireless LAN USB Dongle.lnk = C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

#29 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 23 May 2007 - 06:23 AM

Hi pavel2012, :wave:

I'm so sorry to hear that you were in hospital. I hope things are better for you now.

There's no evidence of any malware in your HJT log. Of course, HJT doesn't catch everything that could be present in a computer.

Let me see a new ComboFix log to see if thereís anything suspicious in your system.


NEXT:

Please run CCleaner again, and let it clean out any junk files that might be slowing your system down.

Then please do this next.

Sometimes a bad DNS entry is cached. Let's clear out the DNS cache:
  • Please go to Start -> Run and type (or copy and paste):

    cmd

  • Click "OK".
  • A black DOS window with the "Command Prompt" or "C:\WINDOWS\system32\cmd.exe" header will now appear. Now type (or copy and paste):

    ipconfig /flushdns

  • Hit "Enter".
  • Type Exit and hit "Enter" again to exit the command prompt window.

NEXT:

I think the problem with shutting down could be due to corrupt OS files, or damaged sectors in your hard disk, or a RAM problem.

First of all, please search for your i386 and dllcache folders. Remember (or write down) their locations.

Then please do the Check Disk and sfc /scannow directions I posted above in post #20. If the scans ask you to replace a corrupt file, please point them to your i386 or dllcache folders.

Did you manage to do the [b]Windows Memory Diagnostic[/b] test in post #24 above?

Please let me know how things go.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#30 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 23 May 2007 - 03:09 PM

"his" - 07-05-23 20:48:47 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\his\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-23 to 2007-05-23 ))))))))))))))))))))))))))))))))))


2007-05-23 10:20 <DIR> d-------- C:\WINDOWS\XDRV
2007-05-23 10:20 <DIR> d-------- C:\Program Files\Wireless LAN USB Dongle
2007-05-23 10:18 32,768 --------- C:\WINDOWS\system32\MWLPS.dll
2007-05-20 12:11 2,719,216 --a------ C:\Program Files\ccsetup140.exe
2007-05-12 10:08 3,534,076 --a------ C:\Program Files\eMule0.47c-Installer.exe
2007-05-12 10:08 <DIR> d-------- C:\Program Files\eMule
2007-05-12 10:04 2,968,332 --a------ C:\Program Files\emuleplus12b.exe
2007-05-07 13:00 654,920 --a------ C:\Program Files\mtinst.exe
2007-05-04 20:08 <DIR> d-------- C:\Program Files\XP Repair Pro
2007-05-02 10:30 13,801,120 --a------ C:\Program Files\jre-6u1-windows-i586-p.exe
2007-04-27 11:54 <DIR> d-------- C:\DOCUME~1\his\APPLIC~1\Popular Sites
2007-04-27 11:53 <DIR> d-------- C:\DOCUME~1\his\APPLIC~1\vmntoolbar
2007-04-27 11:53 <DIR> d-------- C:\DOCUME~1\his\APPLIC~1\Dynamic
2007-04-27 08:59 43,584 --a------ C:\WINDOWS\system32\drivers\avipbb.sys
2007-04-27 08:59 28,352 --a------ C:\WINDOWS\system32\drivers\ssmdrv.sys
2007-04-27 08:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-27 08:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-27 00:07 <DIR> d-------- C:\Program Files\CCleaner


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-23 10:21 -------- d--h----- C:\Program Files\installshield installation information
2007-05-23 08:33 -------- d-------- C:\Program Files\eraser
2007-05-21 22:06 -------- d-------- C:\Program Files\soulseek
2007-05-18 23:23 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-05-18 15:00 -------- d-------- C:\Program Files\norton security scan
2007-05-01 17:58 -------- d-------- C:\Program Files\visicom media
2007-05-01 09:27 -------- d-------- C:\Program Files\spyware doctor
2007-04-28 09:21 -------- d-------- C:\Program Files\yahoo!
2007-04-27 11:55 2560 --a------ C:\DOCUME~1\his\APPLIC~1\ftp site.ftp
2007-04-27 11:55 2560 --a------ C:\DOCUME~1\his\APPLIC~1\default.cls
2007-04-27 11:55 12288 --a------ C:\DOCUME~1\his\APPLIC~1\settings.cfg
2007-04-27 09:38 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2007-04-16 20:52 2694679 --a------ C:\Program Files\eraser582setup.exe
2007-04-16 20:09 2462816 --a------ C:\Program Files\aceftp3pro.exe
2007-04-16 01:02 18586453 --a------ C:\Program Files\win-drivers.zip
2007-04-16 00:50 -------- d-------- C:\DOCUME~1\his\APPLIC~1\visicom media
2007-04-15 09:33 -------- d-------- C:\Program Files\pcbugdoctor
2007-04-15 09:26 -------- d-------- C:\Program Files\google
2007-04-14 12:50 -------- d-------- C:\DOCUME~1\his\APPLIC~1\talkback
2007-04-12 20:09 -------- d-------- C:\DOCUME~1\his\APPLIC~1\pc tools
2007-03-31 18:23 1024 -r-h----- C:\WINDOWS\system32\ntibun4.dll
2007-03-31 18:23 -------- d-------- C:\Program Files\newtech infosystems
2007-03-31 18:22 50 --a------ C:\AUTOEXEC.BAT
2007-03-31 18:20 -------- d-------- C:\Program Files\Common Files\newtech infosystems
2007-03-31 18:19 6144 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys
2007-03-31 18:19 1024 -r-h----- C:\WINDOWS\system32\ntimpeg2.dll
2007-03-31 18:19 1024 -r-h----- C:\WINDOWS\system32\ntimp3.dll
2007-03-31 18:19 1024 -r-h----- C:\WINDOWS\system32\ntifcd3.dll
2007-03-31 18:19 1024 -r-h----- C:\WINDOWS\system32\nticdmk7.dll
2007-03-29 20:30 -------- d-------- C:\Program Files\picklish
2007-03-29 20:28 4748638 --a------ C:\Program Files\picklish_setup.exe
2007-03-29 19:42 -------- d-------- C:\Program Files\windows media connect 2
2007-03-29 19:35 25755448 --a------ C:\Program Files\wmp11-windowsxp-x86-enu.exe
2007-03-28 18:55 60 --a------ C:\WINDOWS\system32\sysdrv.dat
2007-03-28 18:52 -------- d-------- C:\Program Files\sisagp
2007-03-28 18:52 -------- d-------- C:\Program Files\sis vga utilities v3.67a
2007-03-28 18:52 -------- d-------- C:\Program Files\microsoft works
2007-03-16 18:51 18040176 --a------ C:\Program Files\install_messenger_nous.exe
2007-03-16 18:48 1001536 --a------ C:\Program Files\mmssetup.exe
2007-02-18 17:00 1410680 --a------ C:\Program Files\install_flash_player.exe
2007-02-15 00:44 1181812 --a------ C:\Program Files\flvplayer_setup.exe
2007-02-10 12:16 13588888 --a------ C:\Program Files\o2ksp3.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SoundMan"="SOUNDMAN.EXE"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"SiS Windows KeyHook"="C:\\WINDOWS\\system32\\keyhook.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"tsnp2std"="C:\\WINDOWS\\tsnp2std.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"snp2std"="C:\\WINDOWS\\vsnp2std.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"AOL_Demo"="C:\\Applications\\Tool\\AOL Demo\\DSGDemo.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Eraser"="C:\\Program Files\\Eraser\\eraser.exe -hide"
"XPRepairBusiness"="C:\\Program Files\\XP Repair Pro\\xprepairpro.exe /s"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Vidalia"="\"C:\\Program Files\\Vidalia\\vidalia.exe\""
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe -NoStart"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Eraser"="C:\\Program Files\\Eraser\\eraser.exe -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23c8462b-aa0c-11db-863d-0011e2059e25}]
Shell\AutoRun\command E:\setupSNK.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{60d0d564-8a92-11db-85d6-7494b4123456}]
Shell\AutoRun\command E:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Security Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-23 20:53:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-23 20:54:12
C:\ComboFix-quarantined-files.txt ... 07-05-23 20:54
C:\ComboFix2.txt ... 07-05-23 08:46
C:\ComboFix3.txt ... 07-04-27 08:04

#31 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 28 May 2007 - 03:50 AM

Hi pavel2012, :wave:

I'm sorry for my late reply. I didn't get a notification that you had replied to your thread. Many apologies. :(

Nothing overly suspicious in your ComboFix log. Just need to upload a couple of files to VirusTotal to check them out.

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:

    C:\WINDOWS\system32\MWLPS.dll

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
Then please do the same as above for the following files:

C:\WINDOWS\system32\sysdrv.dat


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The reports from VirusTotal.
  • A new HijackThis log.


#32 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 28 May 2007 - 03:49 PM

Complete scanning result of "MWLPS.dll", received in VirusTotal at 05.28.2007, 22:42:43 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.29.0 05.28.2007 no virus found
AntiVir 7.4.0.27 05.28.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.28.2007 no virus found
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.28.2007 no virus found
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.28.2007 no virus found
DrWeb 4.33 05.28.2007 no virus found
eSafe 7.0.15.0 05.28.2007 no virus found
eTrust-Vet 30.7.3670 05.28.2007 no virus found
Ewido 4.0 05.28.2007 no virus found
FileAdvisor 1 05.28.2007 no virus found
Fortinet 2.85.0.0 05.28.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.28.2007 no virus found
Ikarus T3.1.1.8 05.28.2007 no virus found
Kaspersky 4.0.2.24 05.28.2007 no virus found
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.28.2007 no virus found
NOD32v2 2293 05.27.2007 no virus found
Norman 5.80.02 05.28.2007 no virus found
Panda 9.0.0.4 05.28.2007 no virus found
Prevx1 V2 05.28.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.28.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.28.2007 no virus found

Aditional Information
File size: 32768 bytes
MD5: fd2dfa7f9dbebc87959a7da315469f26
SHA1: 0b0bef3edc4f9d766a2415f17db8a837415f2834

#33 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 28 May 2007 - 03:58 PM

Complete scanning result of "SYSDRV.DAT", received in VirusTotal at 05.28.2007, 22:53:45 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.29.0 05.28.2007 no virus found
AntiVir 7.4.0.27 05.28.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.28.2007 no virus found
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.28.2007 no virus found
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.28.2007 no virus found
DrWeb 4.33 05.28.2007 no virus found
eSafe 7.0.15.0 05.28.2007 no virus found
eTrust-Vet 30.7.3670 05.28.2007 no virus found
Ewido 4.0 05.28.2007 no virus found
FileAdvisor 1 05.28.2007 no virus found
Fortinet 2.85.0.0 05.28.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.28.2007 no virus found
Ikarus T3.1.1.8 05.28.2007 no virus found
Kaspersky 4.0.2.24 05.28.2007 no virus found
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.28.2007 no virus found
NOD32v2 2293 05.27.2007 no virus found
Norman 5.80.02 05.28.2007 no virus found
Panda 9.0.0.4 05.28.2007 no virus found
Prevx1 V2 05.28.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.28.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.28.2007 no virus found

Aditional Information
File size: 60 bytes
MD5: 120019ba060852f53e4a53edce7e1de0
SHA1: f5f73f0c06b29fe74289e1cee503be0004e7a2c0

#34 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 28 May 2007 - 04:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 22:07:21, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch(2).lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray(2).lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Wireless LAN USB Dongle.lnk = C:\Program Files\Wireless LAN USB Dongle\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
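An added example, not from this thread or from the HijackThis tool: a small Python triage helper that parses lines in the HijackThis log format posted above and lists the load points a reviewer would check by hand (services with no publisher, Run entries with an unqualified path, Winlogon Notify / SSODL load points, and the same program started more than once). The sample lines are constructed from the log above; the flagging rules are my own heuristics, not HijackThis's.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 format, modelled on the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Utility Tray(2).lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
O4_REG_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# First token ending in an executable extension, with surrounding quotes stripped.
TARGET_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat))"?(?:\s|$)', re.IGNORECASE)


def target_of(cmd):
    """Return the program path from a command line, without quotes or arguments."""
    m = TARGET_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse(log_text):
    """Parse HJT-style lines into dicts with section, name, owner, cmd and target."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        e = {"section": sec, "raw": raw.strip(), "name": None, "owner": None, "cmd": None}
        if sec == "O4":
            r = O4_REG_RE.match(body) or O4_STARTUP_RE.match(body)
            if r:
                e["name"], e["cmd"] = r.group("name"), r.group("cmd")
        elif sec == "O23":
            r = O23_RE.match(body)
            if r:
                e.update(name=r.group("name"), owner=r.group("owner"), cmd=r.group("cmd"))
        elif sec in ("O20", "O21"):
            e["cmd"] = body.rsplit(" - ", 1)[-1]  # path is the last " - " separated field
        e["target"] = target_of(e["cmd"]) if e["cmd"] else None
        entries.append(e)
    return entries


def triage(entries):
    """Return (raw_line, reason) pairs a reviewer would want to look at by hand."""
    findings = []
    by_target = defaultdict(list)
    for e in entries:
        sec, tgt = e["section"], e["target"]
        if sec == "O4" and tgt:
            by_target[tgt.lower()].append(e)
            if not re.match(r"^[A-Za-z]:\\", tgt):
                findings.append((e["raw"], "unqualified path: resolved via the search path at logon, verify which file actually runs"))
        if sec == "O23" and e["owner"] == "Unknown owner":
            findings.append((e["raw"], "service without a publisher name: confirm where the binary came from"))
        if sec in ("O20", "O21"):
            findings.append((e["raw"], "Winlogon Notify / SSODL load point: DLL loads into the shell, confirm it is expected"))
    for tgt, group in by_target.items():
        if len(group) > 1:
            for e in group:
                findings.append((e["raw"], "duplicate startup entry: %s is started %d times" % (tgt, len(group))))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(parse(SAMPLE_LOG)):
        print(reason + "\n    " + raw)
```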

#35 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 29 May 2007 - 12:37 AM

Hi pavel2012, :wave:

I hope that you are feeling better after your recent stay in hospital. :)

The logs appear to be clean. Any persistent problem or suspicious behaviour on your machine that I should know about?

#36 pavel2012

pavel2012

    Member

  • Full Member
  • 22 posts

Posted 30 May 2007 - 09:27 AM

It's pretty good at the moment so thanks for all your help.

#37 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 31 May 2007 - 02:12 AM

You're most welcome. :)

I'll leave this thread open for a couple of weeks in case any problems re-appear.

Cheers! :wave:
~ Sempurna

#38 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 25 June 2007 - 06:07 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
