Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Random restarts. Error code 203 system file Hijackthis Log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Random restarts. Error code 203 system file Hijackthis Log

Unread postby pantera259 » December 30th, 2007, 1:40 am

I've been having problems with my computer restarting itself. I've run adware, spybot, antivirus, and trojan hunter and all programs found viruses or spyware, etc. Eventhough it got rid of these files, my computer continues to shut down with this message: services.exe has been terminated. system will not shut down. error code 203. I have no idea what it means and can't figure out how to get rid of this thing. Here is my Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:24 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {845D503F-F28B-4C05-8B00-2B2540799FF2} - C:\WINDOWS\system32\ddccy.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Death\LOCALS~1\Temp\{7160639A-E814-4AFC-8522-DD10EA7D09BA}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [panda-db] C:\WINDOWS\system32\Sys\panda-db.exe
O4 - HKLM\..\Run: [ErrorRepairPro] ' '
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/c ... etInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0379406500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\smsbjfbj.dll
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9297 bytes

Can somebody please help me? i'm at my wits end with this one haha

Thanks
pantera259
Active Member
 
Posts: 4
Joined: December 29th, 2007, 6:13 pm
Advertisement
Register to Remove

Re: Random restarts. Error code 203 system file Hijackthis Log

Unread postby Simon V. » January 3rd, 2008, 2:56 pm

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

I'm sorry for the delay; the forums are quite busy.

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • Close CCleaner.

Step 2

Please download Combofix:


Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

Step 3

Open CCleaner. In the Left Pane, click Tools.

  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit Ccleaner.

Step 4

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the CCleaner Uninstall List (install.txt)
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Random restarts. Error code 203 system file Hijackthis Log

Unread postby pantera259 » January 6th, 2008, 5:18 am

Hey Simon thanks for the response. I really appreciate the help on this one. I ran both of those programs and I've seen an instant increase in my computers speed as well as internet connection speed. Here are the 3 logs:

Combofix log:

ComboFix 08-01-04.1 - Death 2008-01-06 4:06:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.437 [GMT -5:00]
Running from: C:\Documents and Settings\Death\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\Program Files\TrojanHunter 5.0\THSec.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IA
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\xpdx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 04:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 03:42 . 2008-01-06 03:42 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 19:38 . 2007-12-29 19:38 <DIR> d-------- C:\Documents and Settings\Death\Application Data\TrojanHunter
2007-12-29 18:21 . 2008-01-06 04:09 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-29 17:08 . 2007-12-29 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 16:42 . 2007-12-29 16:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-29 16:42 . 2008-01-05 08:00 <DIR> d-------- C:\Documents and Settings\Death\Application Data\AVG7
2007-12-29 16:42 . 2007-12-29 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 05:10 . 2008-01-06 04:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 05:10 . 2007-12-29 05:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 05:09 . 2007-12-29 05:09 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-12-29 05:09 . 2007-12-29 05:09 <DIR> d-------- C:\_backupD
2007-12-29 05:09 . 2007-12-29 05:08 280,286 --a------ C:\win32delfkil.exe
2007-12-29 05:09 . 2007-12-29 05:09 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-12-29 05:09 . 2007-12-29 05:09 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-12-25 03:13 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-25 03:13 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-25 03:13 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-25 03:13 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-24 23:22 . 2007-12-25 03:42 <DIR> d-------- C:\Documents and Settings\Death\Application Data\FUJIFILM
2007-12-24 19:50 . 2007-06-20 15:48 18,224 --a------ C:\WINDOWS\system32\pfdnnt.exe
2007-12-21 00:49 . 2007-12-25 12:20 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2007-12-21 00:44 . 2007-12-21 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-12-21 00:41 . 2007-12-21 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
2007-12-21 00:09 . 2007-12-29 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-20 15:42 . 2007-12-20 15:42 <DIR> d-------- C:\Converted
2007-12-20 15:39 . 2007-12-14 17:07 513,152 --a------ C:\WINDOWS\system32\drivers\MusCDriverV32.sys
2007-12-20 15:39 . 2007-12-14 17:07 3,768 --a------ C:\WINDOWS\system32\drivers\MusCVideo32.sys
2007-12-17 23:16 . 2007-12-17 23:16 <DIR> d-------- C:\Documents and Settings\Death\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 09:10 --------- d-----w C:\Program Files\Trillian
2008-01-06 08:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 21:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 21:08 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-12-29 09:32 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-12-29 09:32 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-11 03:28 --------- d-----w C:\Documents and Settings\Death\Application Data\OpenOffice.org2
2007-12-02 19:12 --------- d-----w C:\Documents and Settings\Death\Application Data\AdobeUM
2007-12-02 18:59 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-19 05:16 --------- d-----w C:\Program Files\iTunes
2007-11-19 05:16 --------- d-----w C:\Program Files\iPod
2007-11-19 05:15 --------- d-----w C:\Program Files\QuickTime
2007-11-17 19:35 --------- d-----w C:\Program Files\BitComet
2007-11-17 01:19 --------- d-----w C:\Documents and Settings\Death\Application Data\uTorrent
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 17:43 --------- d-----w C:\Program Files\Java
2007-11-07 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-07 03:17 --------- d-----w C:\Program Files\AIM6
2007-11-07 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-07 03:16 --------- d-----w C:\Program Files\Viewpoint
2007-11-07 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-07 03:15 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-07-21 18:07 59,287 ----a-w C:\Documents and Settings\Death\Application Data\FNTCACHE.BIN
2007-09-20 12:42 6,448 --sh--w C:\WINDOWS\system32\yccdd.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{845D503F-F28B-4C05-8B00-2B2540799FF2}]
C:\WINDOWS\system32\ddccy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 14:17 4670704]
"Aim6"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-04-14 22:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-14 23:01 5513216]
"nwiz"="nwiz.exe" [2004-12-14 23:01 1490944 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-12-14 23:01 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-31 03:24 180269]
"panda-db"="C:\WINDOWS\system32\Sys\panda-db.exe" [ ]
"ErrorRepairPro"="' '" []
"au"="C:\Program Files\Dealio\DealioAU.exe" [2007-06-27 11:46 238936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-29 16:42 579072]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 16:42 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 07:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Death\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\smsbjfbj.dll

S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys [2007-12-14 17:07]
S3 MusCVideo32;MusCVideo32;C:\WINDOWS\system32\DRIVERS\MusCVideo32.sys [2007-12-14 17:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89466100-a11f-11da-9864-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd977942-a14c-11da-961a-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 04:10:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 4:11:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 09:11:20
.
2007-12-12 08:02:20 --- E O F ---


Cclean Log:

µTorrent
Ad-Aware SE Personal
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
AIM 6
Apple Mobile Device Support
Apple Software Update
AsusUpdate
Athlon 64 Processor Driver
AutoUpdate
AVG 7.5
BitComet 0.96
CCleaner (remove only)
Cool & Quiet
Dealio Toolbar
DivX
Error Repair Professional 3.4
Guitar Pro 5.0
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
LimeWire 4.12.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.2
Microsoft IntelliType Pro 5.2
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.11)
Nero Suite
NVIDIA Drivers
OpenOffice.org 2.0
Panda ActiveScan
PowerDVD
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Trillian
TrojanHunter 5.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
Virtual Magnifying Glass
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
Yahoo! Browser Services
Yahoo! Messenger
Yahoo! Toolbar

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:29 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {845D503F-F28B-4C05-8B00-2B2540799FF2} - C:\WINDOWS\system32\ddccy.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [panda-db] C:\WINDOWS\system32\Sys\panda-db.exe
O4 - HKLM\..\Run: [ErrorRepairPro] ' '
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/c ... etInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0379406500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\smsbjfbj.dll
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9123 bytes



That's everything that was told to be posted. I hope that everything checks out! Again, thanks for the help. lemme know if you find anything!!
pantera259
Active Member
 
Posts: 4
Joined: December 29th, 2007, 6:13 pm

Re: Random restarts. Error code 203 system file Hijackthis Log

Unread postby Simon V. » January 6th, 2008, 6:38 am

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

(Click on Start, then Control Panel. Double click on Add or Remove Programs)

  • µTorrent
  • BitComet 0.96
  • LimeWire 4.12.6

Also remove the following programs:

  • Error Repair Professional 3.4
  • J2SE Runtime Environment 5.0 Update 10
  • J2SE Runtime Environment 5.0 Update 11
  • J2SE Runtime Environment 5.0 Update 3
  • J2SE Runtime Environment 5.0 Update 6
  • J2SE Runtime Environment 5.0 Update 9
  • Java(TM) 6 Update 2
  • Java(TM) SE Runtime Environment 6 Update 1
  • Spybot - Search & Destroy <-- Only remove this one, leave the 1.4 version alone.
  • Viewpoint Media Player <-- Only remove this if you haven't installed it yourself.

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code: Select all
File::

C:\WINDOWS\system32\yccdd.bak1

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{845D503F-F28B-4C05-8B00-2B2540799FF2}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"panda-db"=-
"ErrorRepairPro"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89466100-a11f-11da-9864-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd977942-a14c-11da-961a-806d6172696f}]


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 3

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log
  • How is your computer currenly running?
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Random restarts. Error code 203 system file Hijackthis Log

Unread postby pantera259 » January 6th, 2008, 6:13 pm

I couldn't find the link on that website for the virus scanner. so I downloaded the free trial and installed it. The program is a little different from the steps you gave me so I dont know how to save a log of the results of the virus scan. My computer is running noticeably faster tho. Here are my other logs:

Combo Fix Log

ComboFix 08-01-04.1 - Death 2008-01-06 15:19:48.2 - NTFSx86
Running from: C:\Documents and Settings\Death\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Death\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\yccdd.bak1
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\yccdd.bak1

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 04:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 03:42 . 2008-01-06 03:42 <DIR> d-------- C:\Program Files\CCleaner
2007-12-29 19:38 . 2007-12-29 19:38 <DIR> d-------- C:\Documents and Settings\Death\Application Data\TrojanHunter
2007-12-29 18:21 . 2008-01-06 04:11 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-29 17:08 . 2007-12-29 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 16:42 . 2007-12-29 16:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-29 16:42 . 2008-01-06 08:00 <DIR> d-------- C:\Documents and Settings\Death\Application Data\AVG7
2007-12-29 16:42 . 2007-12-29 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 05:10 . 2008-01-06 04:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 05:10 . 2007-12-29 05:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 05:09 . 2007-12-29 05:09 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-12-29 05:09 . 2007-12-29 05:09 <DIR> d-------- C:\_backupD
2007-12-29 05:09 . 2007-12-29 05:08 280,286 --a------ C:\win32delfkil.exe
2007-12-29 05:09 . 2007-12-29 05:09 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-12-29 05:09 . 2007-12-29 05:09 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-12-25 03:13 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-25 03:13 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-25 03:13 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-25 03:13 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-24 23:22 . 2007-12-25 03:42 <DIR> d-------- C:\Documents and Settings\Death\Application Data\FUJIFILM
2007-12-24 19:50 . 2007-06-20 15:48 18,224 --a------ C:\WINDOWS\system32\pfdnnt.exe
2007-12-21 00:49 . 2007-12-25 12:20 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2007-12-21 00:44 . 2007-12-21 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-12-21 00:41 . 2007-12-21 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
2007-12-21 00:09 . 2007-12-29 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-20 15:42 . 2007-12-20 15:42 <DIR> d-------- C:\Converted
2007-12-20 15:39 . 2007-12-14 17:07 513,152 --a------ C:\WINDOWS\system32\drivers\MusCDriverV32.sys
2007-12-20 15:39 . 2007-12-14 17:07 3,768 --a------ C:\WINDOWS\system32\drivers\MusCVideo32.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 20:18 --------- d-----w C:\Program Files\Viewpoint
2008-01-06 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-06 20:17 --------- d-----w C:\Program Files\Java
2008-01-06 20:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-06 20:15 --------- d-----w C:\Program Files\LimeWire
2008-01-06 20:15 --------- d-----w C:\Program Files\Error Repair Professional
2008-01-06 20:14 --------- d-----w C:\Program Files\BitComet
2008-01-06 09:10 --------- d-----w C:\Program Files\Trillian
2007-12-29 21:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 21:08 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-12-29 09:32 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-12-29 09:32 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-11 03:28 --------- d-----w C:\Documents and Settings\Death\Application Data\OpenOffice.org2
2007-12-02 19:12 --------- d-----w C:\Documents and Settings\Death\Application Data\AdobeUM
2007-12-02 18:59 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-19 05:16 --------- d-----w C:\Program Files\iTunes
2007-11-19 05:16 --------- d-----w C:\Program Files\iPod
2007-11-19 05:15 --------- d-----w C:\Program Files\QuickTime
2007-11-17 01:19 --------- d-----w C:\Documents and Settings\Death\Application Data\uTorrent
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-07 03:17 --------- d-----w C:\Program Files\AIM6
2007-11-07 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-07 03:15 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-07-21 18:07 59,287 ----a-w C:\Documents and Settings\Death\Application Data\FNTCACHE.BIN
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 14:17 4670704]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-04-14 22:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-14 23:01 5513216]
"nwiz"="nwiz.exe" [2004-12-14 23:01 1490944 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-12-14 23:01 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 03:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50 204800]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-31 03:24 180269]
"au"="C:\Program Files\Dealio\DealioAU.exe" [2007-06-27 11:46 238936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-29 16:42 579072]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31 1046688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 16:42 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 07:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Death\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11]

S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys [2007-12-14 17:07]
S3 MusCVideo32;MusCVideo32;C:\WINDOWS\system32\DRIVERS\MusCVideo32.sys [2007-12-14 17:07]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 15:21:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 15:21:55
ComboFix-quarantined-files.txt 2008-01-06 20:21:47
ComboFix2.txt 2008-01-06 09:11:28
.
2007-12-12 08:02:20 --- E O F ---


HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:52 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/c ... etInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0379406500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

--
End of file - 7256 bytes


Let me know if you find anything. my computer and my internet is running noticeably faster. I think it might have fixed the problem, but if you do find anything, please let me know!

Thanks again!
pantera259
Active Member
 
Posts: 4
Joined: December 29th, 2007, 6:13 pm

Re: Random restarts. Error code 203 system file Hijackthis Log

Unread postby Simon V. » January 7th, 2008, 2:17 am

Hi :)

It's not a good idea to have two anti-virus programs installed (you now have Kaspersky and Panda). They could conflict and cause a lot of problems, so please uninstall one of them.

I still would like an online scan report, to make sure you're fully clean:

Please visit TotalScan. (You'll need to use Internet Explorer for the scan)

  • Under Scan Now click the Full Scan button.
  • Follow the prompts to install the Active X if necessary.
  • It will take a while, let it run unhindered.
  • When the scan is finished, a report will be generated.
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Post the contents of the report in your next reply.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Random restarts. Error code 203 system file Hijackthis Log

Unread postby pantera259 » January 7th, 2008, 10:45 pm

ok, so I did that scan, and it picked up 7 items. it says they are all latent but I'd like to remove them if possible. here's the log:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-01-07 21:44:46
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Anti-Virus 7.0.0.125 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Death\Cookies\death@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sohvjw73.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP659\A0079972.exe
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sohvjw73.default\cookies.txt[.com.com/]
00517584 Application/SuperFast HackTools No 0 Yes No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP659\A0079973.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP679\A0082979.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP679\A0082979.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP668\A0081885.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP675\A0082794.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP676\A0082816.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP679\A0082940.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP679\A0082940.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
02883328 Trj/Lzx32.J Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\catchme2008-01-06_ 40949.23.zip[xpdx.sys]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8F6C106B-3567-4278-8293-04F4EA7BF599}\RP668\A0081847.sys
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Guess my system isn't fully clean just yet
pantera259
Active Member
 
Posts: 4
Joined: December 29th, 2007, 6:13 pm

Re: Random restarts. Error code 203 system file Hijackthis Log

Unread postby Simon V. » January 8th, 2008, 2:15 am

Hi :)

All those files found by TotalScan are either practically harmless cookies (CCleaner can clean those - see my first post for instructions), or located in the System Restore points, which will be cleaned by uninstalling Combofix.

Open HijackThis, perform a scan and put a check next to the following items (if present):

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

Close all programs except HijackThis and click on Fix checked.

Congratulations, your log now looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

    Image

  • This will uninstall Combofix.

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:


Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Ad-Aware - Download and install Ad-Aware (if you have Ad-Aware SE note that it is outdated, and you should update to Ad-Aware 2007). You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here: http://www.bleepingcomputer.com/tutoria ... ial48.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutoria ... ial49.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a weak, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Random restarts. Error code 203 system file Hijackthis Log

Unread postby 'KotaGuy » January 11th, 2008, 2:10 pm

This topic is now closed. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 50 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware