
My Documents page opens twice for every reboot of WINXP3 :

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: My Documents page opens twice for every reboot of WINXP3 :

Post by snagarjunas » March 9th, 2010, 1:48 pm

Hello Wingman,

Please check in MSCONFIG... Startup tab... to see if there is an "explorer.exe" entry present. If it is, please remove the checkmark (UNCHECK), click OK, then restart your computer. Let me know if the problem remains.

This was the first thing I checked, and I came to the conclusion that there is no reference to "explorer.exe". My machine was behaving in an unexpected manner, so I contacted you in search of help.

Also you can check in Control Panel > Folder Options> View tab...
Check to see if the entry "Restore previous folder windows at logon" is checked... if it is, UNCHECK it. Reboot and see if you still have the problem.

This entry is already unchecked.

Let me know if anything more needs to be done.


Thanks,

Nagarjun S.
snagarjunas
Regular Member
Posts: 26
Joined: February 12th, 2010, 3:13 pm

Re: My Documents page opens twice for every reboot of WINXP3 :

Post by Wingman » March 9th, 2010, 2:37 pm

Hello snagarjunas,

I see lots of different "drive" designations in your logs...F, K, J, L, are these USB drives, flash drives, etc? If so, have these been plugged in and scanned in the previous scans?
Your last RSIT log shows:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b81bc05a-779b-11de-a5fb-0016763a7c6f}]
shell\AutoRun\command - K:\folder.tmp/tmp.exe
shell\explore\command - K:\folder.tmp/tmp.exe
shell\open\command - K:\folder.tmp/tmp.exe

Any USB drives, pen drives, smart cards, etc. that have been used in this computer need to be scanned.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
    VISTA - W7 users: right-click on ERUNT from the menu, select "Run As Administrator", to run the process.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
OTM
  1. Please download OTM.exe...by Old Timer. Save it to your desktop.
  2. Double click on OTM.exe to run it.
    If you receive the "Open File - Security Warning", please press Run.
  3. Please copy and paste the text in the Code box below, into OTM (1).
    Please refer to the OTM screen image below, for reference.
    Warning: Do not type it out... errors could damage your machine.
    Code:
    :Processes
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spellcheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypingSatellite]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b81bc05a-779b-11de-a5fb-0016763a7c6f}]
    :Commands
    [EmptyTemp]
    [Start Explorer]
    [Reboot]

  4. Click on MoveIt! (2)
  5. The end results of the processing will be in 2 places:
    • The Results window on the right side of the OTM screen.
    • A log (text) file created in "C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log"
  6. Copy all the text from the Results window... Open Notepad, paste the OTM results into the Notepad file, save it on your desktop.
  7. Click Exit (3) when done.
  8. Please paste the entire content from the OTM (Results) window (Notepad file) or the OTM log file, in your next reply.
NOTE: If your computer did not automatically reboot... please reboot it (normally) now!
Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.


Step 3.
Malwarebytes' Anti-Malware
  1. Please start MBAM (Malwarebytes' Anti-Malware) again.
  2. Press the Update tab... then press the Check for Updates... button. <<---Important!
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab...
  4. Select FULL SCAN this time... then press the Scan...button. This scan will take a while, so please be patient.
    When the scan finishes...
  5. Check all items except any items (if present) in the C:\System Volume Information folder... then click on Remove Selected.
  6. Let MBAM remove what it can... if there are files to be deleted on reboot... please reboot the machine so MBAM can finish the removal.
    If you rebooted, then you'll need to start MBAM again.
  7. Press the LOG... tab. Locate the most current log file.
    Please copy and paste the most recent log (from this new run) in your next reply.

Step 4.
Kaspersky Online Scanner.
Please go to Kaspersky Online Virus Scanner © Kaspersky Lab to perform an online antivirus scan.
  1. Read the "Advantages - Requirements and Limitations" then press... the ACCEPT...button.
    The latest program and definition files will be downloaded. It takes time, please be patient, let it finish.
  2. Once the files have been downloaded, click on the SETTINGS...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the SAVE...button, if you made any changes.
  3. Now under the Scan section on the left:
      Select My Computer
    The program will start scanning your system. This takes a while, be patient... let it run.
    Once the scan is complete it will display if your system has been infected.
  4. Save the scan results as a Text file ... save it to your desktop.
  5. Copy and paste the saved scan results file in your next reply.

Step 5.
Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.
  1. Double click on RSIT.exe to run it.
  2. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced.<<will be maximized
  3. Please post ONLY the "log.txt", file contents in your next reply.


Step 6.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. OTM scan results.
  3. MBAM full scan results
  4. KAS online scan results.
  5. RSIT log.txt file contents.
  6. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14115
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
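The MountPoints2 key quoted in this post is where Windows XP caches the shell verbs it read from a removable volume's autorun.inf, so a "shell\AutoRun\command" pointing at an executable on drive K: is the trace such a drive leaves behind. The following is an added example, not code from the post, RSIT or OTM: it parses RSIT-style MountPoints2 output and reports every volume whose verbs have been given a command. The sample input is constructed; its second, benign entry and the "BaseClass - Drive" line are assumed.

```python
import re
from typing import Dict, List

# Constructed sample in RSIT's layout: the entry quoted in the post above plus an
# assumed benign volume (a normal MountPoints2 entry carries no shell\...\command).
SAMPLE_RSIT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b81bc05a-779b-11de-a5fb-0016763a7c6f}]
shell\AutoRun\command - K:\folder.tmp/tmp.exe
shell\explore\command - K:\folder.tmp/tmp.exe
shell\open\command - K:\folder.tmp/tmp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}]
BaseClass - Drive
"""

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$", re.I)
CMD_RE = re.compile(r"^shell\\([^\\]+)\\command\s+-\s+(.+?)\s*$", re.I)


def parse_mountpoints2(text: str) -> Dict[str, Dict[str, str]]:
    """Map each volume GUID under MountPoints2 to its shell verb -> command target."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = {}
            continue
        if line.startswith("["):      # some other registry key: stop collecting
            current = None
            continue
        if not line or current is None:
            continue
        cmd = CMD_RE.match(line)
        if cmd:
            verb, target = cmd.group(1).lower(), cmd.group(2)
            # Windows accepts '/' as a path separator, so normalise before reporting
            entries[current][verb] = target.replace("/", "\\")
    return entries


def find_autorun_hijacks(text: str) -> List[dict]:
    """Report volumes whose cached shell verbs run a command (autorun.inf residue)."""
    findings = []
    for guid, verbs in parse_mountpoints2(text).items():
        if not verbs:
            continue                      # nothing cached: an ordinary volume
        targets = sorted(set(verbs.values()))
        drives = sorted({t[0].upper() for t in targets if re.match(r"^[A-Za-z]:", t)})
        findings.append({
            "guid": guid,
            "verbs": sorted(verbs),           # e.g. autorun, explore, open
            "targets": targets,
            "drives": drives,                 # drive letters the commands live on
            "autorun_verb": "autorun" in verbs,
        })
    return findings


if __name__ == "__main__":
    for f in find_autorun_hijacks(SAMPLE_RSIT):
        print(f"{f['guid']}: verbs {f['verbs']} -> {f['targets']} (drives {f['drives']})")
```

Every flagged drive letter is a volume that should be scanned while it is plugged in, which is the point Wingman makes above.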

Re: My Documents page opens twice for every reboot of WINXP3 :

Post by snagarjunas » March 11th, 2010, 12:43 pm

Hello Wingman,

I see lots of different "drive" designations in your logs...F, K, J, L, are these USB drives, flash drives, etc? If so, have these been plugged in and scanned in the previous scans?
Yes Wingman. Whenever we connect thumb drives to the PC, we scan them and then use them.

1. Any problem executing the instructions?
There was a problem executing step 4: it asks for the Java Framework, which is not pre-installed on the PC.
2. OTM scan results.
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spellcheck\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypingSatellite\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b81bc05a-779b-11de-a5fb-0016763a7c6f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b81bc05a-779b-11de-a5fb-0016763a7c6f}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 62145 bytes
->Temporary Internet Files folder emptied: 18064395 bytes
->FireFox cache emptied: 84721438 bytes
->Google Chrome cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NAGARJUN-BD982A

User: NetworkService
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82403 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 98.00 mb


OTM by OldTimer - Version 3.1.9.0 log created on 03112010_063013

Files moved on Reboot...
File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_77c.dat not found!

Registry entries deleted on Reboot...

3. MBAM full scan results
Malwarebytes' Anti-Malware 1.44
Database version: 3850
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/11/2010 7:57:37 AM
mbam-log-2010-03-11 (07-57-37).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|I:\|J:\|)
Objects scanned: 234327
Time elapsed: 51 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-9503996780-7247579897-128137294-7875\sysdate.exe (Worm.Autorun.B) -> Delete on reboot.

4. KAS online scan results.
Mentioned in Question 1.

5. RSIT log.txt file contents.
6. How is the computer behaving?

Observations - Hope helpful for the problem :


1. I found a "spider" SAV file of size 1KB in the "My Documents" folder on every system reboot.
I have tried to delete it, but to no avail; it is created again.
I think this file should be the one causing the My Docs folder to open on reboot.
2. Toolbars > Language bar becomes enabled/checked again on system reboot if I disable/uncheck it.



Let me know if anything needs to be done to solve the issue.

Thanks,

Nagarjun S.
snagarjunas
Regular Member
Posts: 26
Joined: February 12th, 2010, 3:13 pm

Re: My Documents page opens twice for every reboot of WINXP3 :

Post by Wingman » March 11th, 2010, 4:21 pm

Hello snagarjunas,
I'm sorry about the KAS scan, I forgot that it requires JAVA Runtime modules to be installed.

I believe the Spider.sav file is a saved game from Spider Solitaire.
If you can't delete the file, you can probably get rid of it by opening Spider Solitaire and going to Game > Open Last Saved Game. Either finish the game or quit.

Step 1.
HJT - Process Manager - List File
  1. Please Run HijackThis. Located in: C:\Program Files\Trend Micro\hijackthis.exe
      If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  2. From the Main Menu...Press the "Open the Misc Tools"...button.
  3. Press the "Open Process Manager" button. Uncheck "Show DLLs" box...(if checked)
  4. Click the "Floppy Disk" icon next to "Show DLLs".
  5. Save the file "processlist.txt" to your desktop and exit HijackThis.
  6. Copy and paste the contents of the processlist.txt file into your next reply.

Step 2.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. HJT processlist.txt file contents.
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14115
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My Documents page opens twice for every reboot of WINXP3 :

Post by snagarjunas » March 12th, 2010, 12:27 pm

Hello Wingman,

HJT processlist.txt file contents
Process list saved on 9:56:48 PM, on 3/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
556 C:\WINDOWS\System32\smss.exe 5.1.2600.5512 Microsoft Corporation
640 C:\WINDOWS\system32\winlogon.exe 5.1.2600.5512 Microsoft Corporation
684 C:\WINDOWS\system32\services.exe 5.1.2600.5755 Microsoft Corporation
696 C:\WINDOWS\system32\lsass.exe 5.1.2600.5512 Microsoft Corporation
872 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4119 ATI Technologies Inc.
888 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1016 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1052 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1440 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.5512 Microsoft Corporation
1468 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4119 ATI Technologies Inc.
1620 C:\WINDOWS\Explorer.EXE 6.0.2900.5512 Microsoft Corporation
1932 C:\Program Files\K7 Computing\Common\K7SysTry.exe 3.0.0.2 K7 Computing Pvt Ltd
1940 C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSecurity.exe 2.0.0.3 K7 Computing Pvt Ltd
1972 C:\WINDOWS\flashmute.exe
2012 C:\Program Files\Skype\Phone\Skype.exe 4.1.0.179 Skype Technologies S.A.
2036 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation
440 C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe 1.0.0.1 Yahoo! Inc.
1040 C:\WINDOWS\system32\inetsrv\inetinfo.exe 5.1.2600.5512 Microsoft Corporation
1820 C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSMngr.exe 4.0.0.6 K7 Computing Pvt Ltd
2200 C:\WINDOWS\System32\snmp.exe 5.1.2600.5512 Microsoft Corporation
2284 c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe 2005.90.4035.0 Microsoft Corporation
2384 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
2600 C:\Program Files\K7 Computing\Common\K7EmlPxy.exe 4.0.1.0 K7 Computing Pvt Ltd
2616 C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7RTScan.exe 4.0.0.7 K7 Computing Pvt Ltd
2748 C:\Program Files\Mozilla Firefox\firefox.exe 1.9.0.3224 Mozilla Corporation
2776 C:\Program Files\Messenger\msmsgs.exe 4.7.0.3001 Microsoft Corporation
1264 C:\WINDOWS\system32\wuauclt.exe 7.4.7600.226 Microsoft Corporation
4060 C:\Program Files\Trend Micro\Administrator.exe 2.0.0.2 Trend Micro Inc.


Thanks,

Nagarjun S.
snagarjunas
Regular Member
Posts: 26
Joined: February 12th, 2010, 3:13 pm

Re: My Documents page opens twice for every reboot of WINXP3 :

Post by Wingman » March 12th, 2010, 8:47 pm

Hello snagarjunas,

Please print these instructions... you will not have browser / Internet access during some of these steps!

Please do not make any changes to your system: do not add or remove any software, run any scans or "fix" programs, and/or remove any files unless instructed to do so by me. Please read these instructions carefully before executing them and then perform the steps in the order given. If you have any questions or problems executing these instructions, <<STOP>> do not proceed; post back with the question or problem.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
ComboFix
Please download ComboFix.exe... © Copyrighted to sUBs. Save it to your desktop. <<--- IMPORTANT!!
Alternate download sites: Mirror #2 or Mirror #3

If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.

This program is a powerful tool, intended by its creator, to be "used under the guidance and supervision of trained malware removers".
Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!


The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  2. Double click the ComboFix.exe icon on your desktop to begin execution. If you receive the "Open File - Security Warning"... press Run.
  3. Press Yes to the Disclaimer prompt.
    ComboFix screen appears... preparing to run. ComboFix will now begin creating a System Restore Point and then backup your registry.
  4. If not already installed... Press Yes to the "Install Recovery Console" prompt.
  5. Press Yes at the Recovery Console installation results prompt... Even if unsuccessful, have ComboFix continue the scan.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    ComboFix will disconnect you from the Internet, may cause your desktop to disappear and also change your clock settings... this is normal, so don't worry. They will be restored when finished. The ComboFix window data will be changing with various "Stages"... completed. When finished the screen will show that a log is being created.
    ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  6. Please copy/paste the contents of log.txt... in your next reply.
Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Step 3.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. ComboFix log.txt file contents.
  3. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14115
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My Documents page opens twice for every reboot of WINXP3 :

Post by snagarjunas » March 13th, 2010, 1:39 pm

Hello Wingman :o ,

Wonderful!!!! My Docs page didn't open on startup after running ComboFix.


ComboFix log.txt file contents
ComboFix 10-03-13.01 - Administrator 03/13/2010 22:44:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.474 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll
c:\recycler\k-1-3542-4232123213-7676767-8888886
c:\recycler\S-1-5-21-1187264937-5440967869-842225532-3047
c:\recycler\S-1-5-21-2215232100-7013182109-837186417-0421
c:\recycler\S-1-5-21-2294923565-5272236269-259662486-6924
c:\recycler\S-1-5-21-2779180332-3011020995-293433696-0591
c:\recycler\S-1-5-21-3219560768-5576605367-690717582-0531
c:\recycler\S-1-5-21-3876358862-2480955551-884031126-0645
c:\recycler\S-1-5-21-4442507300-9020668391-825571525-0035
c:\recycler\S-1-5-21-5148314327-2202551180-871557244-7559
c:\recycler\S-1-5-21-5498072511-5074276213-855740042-2954
c:\recycler\S-1-5-21-5985567866-3063666418-831793449-6984
c:\recycler\S-1-5-21-6913243644-0054412127-110968891-2083
c:\recycler\S-1-5-21-7179797060-4522372746-265844130-3320
c:\recycler\S-1-5-21-7451100132-3012636525-117058201-6999
c:\recycler\S-1-5-21-7478120050-6814740892-164146503-0108
c:\recycler\S-1-5-21-7677334388-7671294617-770031329-4247
c:\recycler\S-1-5-21-7838973727-9473592360-949721695-1875
c:\recycler\S-1-5-21-8884958561-9447100109-981184978-4281
c:\recycler\S-1-5-21-9503996780-7247579897-128137294-7875
c:\recycler\S-1-5-21-9992691240-0013729917-831593531-1107
c:\windows\system32\Cache
c:\windows\system32\win32.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.

2010-03-11 14:00 . 2010-03-11 14:00 -------- d-----w- c:\program files\IQ Challenge
2010-03-08 14:13 . 2010-03-08 14:13 -------- d-----w- c:\program files\SDKTech
2010-03-05 17:10 . 2010-03-05 17:10 -------- d-----w- c:\program files\ESET
2010-02-26 17:10 . 2010-02-26 17:10 -------- d-----w- C:\_OTM
2010-02-23 17:22 . 2010-02-23 17:22 -------- d-----w- C:\rsit
2010-02-23 15:57 . 2010-02-23 15:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-23 15:56 . 2010-01-07 10:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 15:56 . 2010-02-23 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 15:56 . 2010-02-23 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 15:56 . 2010-01-07 10:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-21 06:13 . 2010-02-21 06:14 -------- d-----w- c:\program files\ERUNT
2010-02-14 15:02 . 2010-02-14 15:02 -------- d-----w- c:\program files\Nitro PDF
2010-02-14 14:33 . 2010-02-14 16:33 -------- d-----w- c:\program files\Okdo Word Rtf to Excel Converter
2010-02-14 06:43 . 2002-07-17 02:35 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-02-14 06:43 . 2001-03-17 16:04 22528 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-02-12 19:04 . 2010-03-12 16:25 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-13 15:55 . 2009-11-11 11:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-03-08 14:11 . 2010-02-04 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-03-05 10:36 . 2009-11-11 11:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-02-26 16:26 . 2009-06-30 17:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-22 16:47 . 2009-05-09 17:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-05 05:09 . 2010-02-05 05:09 251376 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-04 17:24 . 2010-02-04 17:24 53136 ----a-w- c:\windows\system32\PxSecure.dll
2010-02-04 17:24 . 2010-02-04 17:24 49352 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-02-04 17:24 . 2010-02-04 17:24 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-02-04 17:24 . 2010-02-04 17:24 24496 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-02-04 17:24 . 2010-02-04 17:24 -------- d-----w- c:\program files\Prevx
2010-02-04 15:59 . 2010-02-04 15:58 610780 ----a-w- c:\windows\onceagain.exe
2010-02-03 18:55 . 2010-02-03 18:55 -------- d-----w- c:\program files\NetLimiter
2010-02-03 18:55 . 2010-02-03 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\LockTime
2010-02-02 17:10 . 2009-04-27 16:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-02 16:46 . 2009-04-28 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-02 16:37 . 2009-04-30 14:27 1650944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-02-02 16:33 . 2009-04-30 14:19 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-01-29 04:33 . 2009-06-30 18:14 -------- d-----w- c:\program files\SpeedBit Video Accelerator
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 17:42 . 2010-01-28 12:05 195038 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-12-21 19:14 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-05-23 17:47 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2008-04-14 12:00 . 2008-04-14 12:00 1033728 --sh--r- c:\windows\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B}]
2009-10-19 16:35 2655736 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-18 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"K7SystemTray"="c:\program files\K7 Computing\Common\K7SysTry.exe" [2007-10-10 28672]
"K7TSStart"="c:\program files\K7 Computing\K7TSecurity\Common\K7TSecurity.exe" [2007-10-10 38168]
"FlashMute"="c:\windows\flashmute.exe" [2006-03-11 221184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-3 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-06-12 11:48 133104 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-03-20 09:02 1312256 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 10:47 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

P2 K7RTScan;K7RealTime AntiVirus Services;c:\program files\K7 Computing\K7TSecurity\K7AntiVirus\K7RTScan.exe [10/9/2007 8:33 PM 38168]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2/4/2010 10:54 PM 30280]
R1 K7TdiHlp;K7TDI Helper Service;c:\windows\system32\drivers\K7TdiHlp.sys [12/6/2009 12:59 PM 13984]
R2 K7EmlPxy;K7Computng - EMail Proxy Server;c:\program files\K7 Computing\Common\K7EmlPxy.exe [2/6/2008 6:43 PM 79128]
R2 K7Sentry;K7Sentry;c:\windows\system32\drivers\K7Sentry.sys [12/6/2009 12:59 PM 213912]
R2 K7TSMngr;K7TotalSecurity Manager;c:\program files\K7 Computing\K7TSecurity\Common\K7TSMngr.exe [10/10/2007 11:46 PM 140568]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2/4/2010 10:54 PM 49352]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2/4/2010 10:54 PM 24496]
S2 gupdate1ca62c053e4acfe;Google Update Service (gupdate1ca62c053e4acfe);c:\program files\Google\Update\GoogleUpdate.exe [11/11/2009 4:45 PM 133104]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/14/2010 12:13 PM 16512]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [8/5/2009 10:06 AM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [8/5/2009 10:06 AM 8320]
.
Contents of the 'Scheduled Tasks' folder

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-11 11:15]

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-11 11:15]

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1417001333-1177238915-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-12 11:48]

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1417001333-1177238915-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-12 11:48]

2010-03-13 c:\windows\Tasks\User_Feed_Synchronization-{114E22D0-BB77-4EE8-8C40-73F1695AE81B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 23:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{BE6A0119-BAEA-4F51-8C80-8F75DAACB58D} - http://www.orangeshark.com/brainIQ/brai ... &from=icon
LSP: c:\program files\NetLimiter\nl_lsp.dll
TCP: {DBF22DD0-4D56-475F-A65C-6F5A81BB0965} = 202.153.32.2,202.153.32.3
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwum9cwp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EBFCD017-BCAD-42C3-9ED5-89DBDFC59171} - (no file)
SafeBoot-Rohos
MSConfigStartUp-eSnips - c:\program files\eSnips\ClientGW.exe
MSConfigStartUp-Software Informer - c:\program files\Software Informer\softinfo.exe
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
AddRemove-MP3 Cutter_is1 - d:\softwares installation\MP3 Cutter\unins000.exe
AddRemove-TOEFL Sample Questions - d:\softwares installation\TOEFL Sample Questions\DeIsL1.isu
AddRemove-TypingMaster 2001 - d:\softwares installation\Typing\IsStub32.exe
AddRemove-{43EBFA90-95DF-4b69-A63F-68B3FAE4E8F8}_is1 - d:\softwares installation\Vocaboly\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-13 22:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1417001333-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,94,59,2c,05,ba,03,4e,86,2b,b6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,94,59,2c,05,ba,03,4e,86,2b,b6,\

[HKEY_USERS\S-1-5-21-1801674531-1417001333-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*(*s*)"\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-1801674531-1417001333-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*(*s*)"\OpenWithProgids]
"(sn_auto_file"=hex(0):

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):bc,10,2f,38,2d,d1,c9,4a,13,d0,b2,6d,eb,8c,52,ec,df,14,90,df,a6,
eb,cb,58,e0,0c,a4,2c,55,e8,23,30,3f,af,d6,b4,7b,02,aa,e8,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{cee3950c-e7cc-41a4-b7c3-046f132daf62}]
@Denied: (Full) (Everyone)
"Model"=dword:00000096
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(696)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll
.
Completion time: 2010-03-13 22:50:44
ComboFix-quarantined-files.txt 2010-03-13 17:20

Pre-Run: 3,245,445,120 bytes free
Post-Run: 3,216,826,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 80BAF260B27514C780C8FE59A9BB7225

I have some questions to ask :

1. Any specific reason for the My Docs page opening on every startup?
2. Presently I am using K7 antivirus, which is ready to expire. I have a licensed version of McAfee VirusScan + AntiSpyware. Is it the better option to use?


Thanks,

Nagarjun S.
snagarjunas
Regular Member
 
Posts: 26
Joined: February 12th, 2010, 3:13 pm

Re: My Documents page opens twice for every reboot of WINXP3 :

Unread postby Wingman » March 13th, 2010, 5:09 pm

Hello snagarjunas,
It's hard to say explicitly... it could have been one of the profile entries or a left over file from a previous infection. Bottom line is...it appears to have been removed.

If the version of McAfee is a paid-for version, then I would go ahead and use it. There are some good free (for home/personal use) anti-virus products available. We can discuss these when we are finished. We'll run some additional scans, to make sure we catch anything that may be left behind.

Please do not make any changes to your system: do not add or remove any software, run any scans or "fix" programs and/or remove any files unless instructed to do so, by me. Please read these instructions carefully before executing and then perform the steps, in the order given. If you have any questions or problems executing these instructions, <<STOP>> do not proceed; post back with the question or problem.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the "Registry backup is complete!" pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
Malwarebytes' Anti-Malware
  1. Please start MBAM (Malwarebytes' Anti-Malware) again.
  2. Press the Update tab.. then press the Check for Updates...button. <<---Important!
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab...
  4. Select FULL SCAN this time... then press the Scan...button. This scan will take a while, so please be patient.
    When the scan finishes...
  5. Check all items except any items (if present) in the C:\System Volume Information folder... then click on Remove Selected.
  6. Let MBAM remove what it can... if there are files to be deleted on reboot... please reboot the machine so MBAM can finish the removal.
    If you rebooted, then you'll need to start MBAM again.
  7. Press the LOG... tab. Locate the most current log file.
    Please copy and paste the most recent log (from this new run) in your next reply.

Step 3.
ESET NOD32 Online Scan
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Please go to ESET Online Scanner - © ESET All Rights Reserved... to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Press the "ESET Online Scanner" button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are; if not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  5. Click "Start"... ESET scanner will begin to download the virus signatures database.
    When the signatures have been downloaded, the scan will start automatically.
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.
Remember to enable your Anti-virus protection... before continuing!

Step 4.
Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.
  1. Double click on RSIT.exe to run it.
  2. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... ONLY the "C:\RSIT\log.txt" will be reproduced (it will be maximized).
  3. Please post ONLY the "log.txt", file contents in your next reply.


Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. MBAM scan results.
  3. ESET scan results.
  4. RSIT log.txt file contents.
  5. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14115
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
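Reading the RSIT/HijackThis log requested in Step 4 means looking for autostarts, services and browser add-ons that load from unusual places, orphaned entries, and per-drive autorun handlers. The script below is an added example, not part of this thread and not one of the RSIT/HijackThis tools; it runs that triage over a few constructed log lines copied from the formats seen in this thread, and its "user-writable" and "Windows root" heuristics are the example's own assumptions rather than rules from those tools.

```python
import re
from typing import List, Tuple

# HijackThis "O" lines look like:  O4 - HKLM\..\Run: [Name] C:\path\prog.exe /arg
HJT_LINE_RE = re.compile(r"^(O\d+) - (.+)$")
# First Windows path in an entry: drive-rooted or %VAR%-rooted, ending in a binary extension
PATH_RE = re.compile(
    r'(?:[A-Za-z]:\\|%[A-Za-z0-9_]+%\\)[^"\[\]]*?\.(?:exe|dll|sys|cab)\b', re.IGNORECASE
)
# RSIT registry-dump section header, and the per-volume autorun handlers listed under it
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.IGNORECASE)
MOUNTPOINT_CMD_RE = re.compile(r"^shell\\(\w+)\\command - (.+?)\s*$", re.IGNORECASE)

# Directories that need no administrator rights to write to (assumed heuristic):
# a service, BHO or Run entry loading from one deserves a second look.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\local settings\\",
    "\\temp\\",
    "\\recycler\\",
    "\\system volume information\\",
)

Finding = Tuple[int, str, str]  # (1-based line number, reason, offending line)


def classify_hjt(entry_type: str, body: str) -> List[str]:
    """Reasons to review one HijackThis O-line; an empty list means nothing notable."""
    reasons = []
    if "(file missing)" in body.lower():
        reasons.append("points at a file that no longer exists (orphaned entry)")
    m = PATH_RE.search(body)
    if m:
        path = m.group(0).lower()
        if any(d in path for d in USER_WRITABLE):
            reasons.append("binary lives in a user-writable location")
        # Autostarts (O4) and services (O23) directly under C:\WINDOWS rather than
        # system32 are unusual for Microsoft components (assumed heuristic).
        if entry_type in ("O4", "O23") and re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path):
            reasons.append("binary sits directly in the Windows root")
    elif entry_type in ("O2", "O3", "O4", "O23") and "(no file)" not in body.lower():
        reasons.append("no resolvable file path in an autostart/service entry")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk a pasted HijackThis/RSIT log and return the entries worth a reviewer's attention."""
    findings: List[Finding] = []
    current_key = ""
    for num, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        cmd = MOUNTPOINT_CMD_RE.match(line)
        if cmd and "\\mountpoints2\\" in current_key:
            # Explorer remembers each volume's autorun.inf handlers here; a handler
            # that launches an executable from the volume is the USB-worm pattern.
            verb, target = cmd.group(1), cmd.group(2).strip('"')
            if target.lower().endswith(".exe"):
                findings.append((num, f"removable-drive {verb} handler launches {target}", line))
            continue
        hjt = HJT_LINE_RE.match(line)
        if hjt:
            for reason in classify_hjt(hjt.group(1), hjt.group(2)):
                findings.append((num, reason, line))
    return findings


# Constructed sample: a handful of lines in the formats pasted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [FlashMute] C:\WINDOWS\flashmute.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: IQ Challenge - {BE6A0119-BAEA-4F51-8C80-8F75DAACB58D} - http://www.orangeshark.com/brainIQ/brai ... &from=icon (file missing)
O23 - Service: K7TotalSecurity Manager (K7TSMngr) - K7 Computing Pvt Ltd - C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSMngr.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b81bc05a-779b-11de-a5fb-0016763a7c6f}]
shell\AutoRun\command - "System\AutoDrive.exe"
shell\Explore\command - System\AutoDrive.exe
shell\Open\command - System\AutoDrive.exe
"""

if __name__ == "__main__":
    for num, reason, line in triage(SAMPLE_LOG):
        print(f"line {num}: {reason}\n    {line}")
```

Clean entries (the Google Toolbar BHO and the K7 service in Program Files) produce no finding, while the per-user Google Update autostart, the orphaned IQ Challenge button, the Windows-root FlashMute entry and the three mountpoints2 handlers are listed for review.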

Re: My Documents page opens twice for every reboot of WINXP3 :

Unread postby snagarjunas » March 14th, 2010, 9:52 am

Hello Wingman,

We performed this scanning just a week ago and deleted the infected items. I don't think a new virus has entered the PC. I want to make sure whether it is necessary to run all of this again.


Thanks,

Nagarjun S.
snagarjunas
Regular Member
 
Posts: 26
Joined: February 12th, 2010, 3:13 pm

Re: My Documents page opens twice for every reboot of WINXP3 :

Unread postby Wingman » March 14th, 2010, 12:08 pm

These scans are for your benefit. I want to make sure your computer is clean. If the scans come back clean, then we can do some cleanup and send you on your way.

If you choose not to run the scans then there is no point continuing and I will ask for this topic to be closed.

Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14115
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My Documents page opens twice for every reboot of WINXP3 :

Unread postby snagarjunas » March 15th, 2010, 12:28 am

Hello Wingman,

Thanks for your support. I'll continue the scans mentioned ASAP.

Also, my K7 license has expired today and will not protect my PC in real time. Shall I install McAfee or wait until you instruct?


Thanks,

Nagarjun S.
snagarjunas
Regular Member
 
Posts: 26
Joined: February 12th, 2010, 3:13 pm

Re: My Documents page opens twice for every reboot of WINXP3 :

Unread postby Wingman » March 15th, 2010, 7:21 pm

Hello snagarjunas,
As I said before... If the version of McAfee is a paid-for version, then I would go ahead and use it.

Otherwise there are some good free AV products available. I was going to wait, but you should have this information.

Anti-virus software will help detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.

To protect your computer from infection... download a (free for personal use) anti-virus program from one of these reliable vendors.
  1. Antivir PersonalEdition Classic - Superior detection, the "free" version has no email scan.
  2. avast! Free Antivirus - Excellent detection, the freeware version includes email scanning.
  3. Microsoft Security Essentials ** - New, from Microsoft, with email scanning, easy to install, easy to use.
    ** Your PC must run genuine Windows to install Microsoft Security Essentials.

A good (pay for) Anti-virus program is ESET NOD32 Antivirus - 30 day free trial.

Installing a new AV product.
Do NOT uninstall any existing anti-virus product yet!
  1. Download the new Anti-virus product to your computer.
  2. Save any work. Close all applications, especially your Internet connection.
  3. Uninstall any existing anti-virus product... Use the AV uninstall option if available.
  4. Reboot your computer, if not done during the uninstall.
  5. Install the new AV product... following installation instructions.
  6. Check for updates to the new AV product, if not done during install setup.
  7. Run a full scan of your computer.

It is strongly recommended that you run only one antivirus program at a time.
Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


I hope this helps you decide. Please continue with the previous scans and post the requested information.
Also, let me know which AV you decided to use.

Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14115
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My Documents page opens twice for every reboot of WINXP3 :

Unread postby Wingman » March 18th, 2010, 12:24 pm

3 Day Response
Hello...
It has been more than 2 days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
  • Did you receive help elsewhere or resolve the problem yourself?
Just let me know what's going on otherwise...
After 24 hrs., if you have not replied to this thread... it will be closed!
Wingman
Admin/Teacher
Posts: 14115
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My Documents page opens twice for every reboot of WINXP3 :

Unread postby snagarjunas » March 18th, 2010, 1:57 pm

Hello Wingman,

As this website was under maintenance, I was unable to post a reply.

1. MBAM scan results.
Malwarebytes' Anti-Malware 1.44
Database version: 3868
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/15/2010 10:39:05 AM
mbam-log-2010-03-15 (10-39-05).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|I:\|J:\|)
Objects scanned: 238896
Time elapsed: 34 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. ESET scan results.
The log file didn't open after the scan completed. I saw only 1 was detected, as before.
3. RSIT log.txt file contents.
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2010-03-18 23:19:02
Microsoft Windows XP Professional Service Pack 3
System drive C: has 3 GB (14%) free of 20 GB
Total RAM: 958 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:15 PM, on 3/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\K7 Computing\Common\K7SysTry.exe
C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSecurity.exe
C:\WINDOWS\flashmute.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSMngr.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\K7 Computing\Common\K7EmlPxy.exe
C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7RTScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SBCONVERT - {31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O2 - BHO: SBCONVERT - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\TBU11\SpeedBitVideoDownloader.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [K7SystemTray] "C:\Program Files\K7 Computing\Common\K7SysTry.exe"
O4 - HKLM\..\Run: [K7TSStart] "C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSecurity.exe"
O4 - HKLM\..\Run: [FlashMute] C:\WINDOWS\flashmute.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.way2gamez.com/Jsp/play.jsp?gameid=td104"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: IQ Challenge - {BE6A0119-BAEA-4F51-8C80-8F75DAACB58D} - http://www.orangeshark.com/brainIQ/brai ... &from=icon (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBF22DD0-4D56-475F-A65C-6F5A81BB0965}: NameServer = 202.153.32.2,202.153.32.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Update Service (gupdate1ca62c053e4acfe) (gupdate1ca62c053e4acfe) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: K7Computng - EMail Proxy Server (K7EmlPxy) - K7 Computing Pvt Ltd - C:\Program Files\K7 Computing\Common\K7EmlPxy.exe
O23 - Service: K7RealTime AntiVirus Services (K7RTScan) - K7 Computing Pvt Ltd - C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7RTScan.exe
O23 - Service: K7TotalSecurity Manager (K7TSMngr) - K7 Computing Pvt Ltd - C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSMngr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7882 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1417001333-1177238915-500Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1417001333-1177238915-500UA.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{114E22D0-BB77-4EE8-8C40-73F1695AE81B}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-08-04 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B}]
SBCONVERT Class - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll [2009-10-19 2655736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1056498-D09A-41E4-864B-505EDD640D9E}]
SBCONVERT Class - C:\Program Files\SpeedBit Video Downloader\TBU11\SpeedBitVideoDownloader.dll [2009-07-05 2498056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-18 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-10-12 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-06-18 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF7C3CF0-4B15-11D1-ABED-709549C10000}]
GrabberObj Class - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll [2009-10-19 185944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-18 259696]
{0329E7D6-6F54-462D-93F6-F5C3118BADF2} - SpeedBit Video Downloader - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll [2009-10-19 2655736]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"MsmqIntCert"=regsvr32 /s mqrt.dll []
"K7SystemTray"=C:\Program Files\K7 Computing\Common\K7SysTry.exe [2007-10-10 28672]
"K7TSStart"=C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSecurity.exe [2007-10-10 38168]
"FlashMute"=C:\WINDOWS\flashmute.exe [2006-03-12 221184]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"=C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-03-01 4670968]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-06-18 39408]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Google Update"=C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-12 133104]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"=C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-12 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [2009-03-20 1312256]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2005-10-26 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-08-31 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoResolveSearch"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe"="C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin"
"C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin"
"C:\Program Files\TeamViewer\Version4\TeamViewer.exe"="C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b81bc05a-779b-11de-a5fb-0016763a7c6f}]
shell\AutoRun\command - "System\AutoDrive.exe"  
shell\Explore\command - System\AutoDrive.exe  
shell\Open\command - System\AutoDrive.exe  


======List of files/folders created in the last 1 months======

2010-03-14 16:18:37 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-13 23:03:05 ----SHD---- C:\RECYCLER
2010-03-13 22:50:45 ----A---- C:\ComboFix.txt
2010-03-13 22:40:21 ----A---- C:\WINDOWS\zip.exe
2010-03-13 22:40:21 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-03-13 22:40:21 ----A---- C:\WINDOWS\SWSC.exe
2010-03-13 22:40:21 ----A---- C:\WINDOWS\SWREG.exe
2010-03-13 22:40:21 ----A---- C:\WINDOWS\sed.exe
2010-03-13 22:40:21 ----A---- C:\WINDOWS\PEV.exe
2010-03-13 22:40:21 ----A---- C:\WINDOWS\NIRCMD.exe
2010-03-13 22:40:21 ----A---- C:\WINDOWS\MBR.exe
2010-03-13 22:40:21 ----A---- C:\WINDOWS\grep.exe
2010-03-13 22:39:30 ----D---- C:\Qoobox
2010-03-11 19:30:46 ----D---- C:\Program Files\IQ Challenge
2010-03-08 19:43:40 ----D---- C:\Program Files\SDKTech
2010-03-05 22:40:24 ----D---- C:\Program Files\ESET
2010-02-26 22:40:31 ----D---- C:\_OTM
2010-02-26 00:14:04 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-23 22:52:09 ----D---- C:\rsit
2010-02-23 21:27:00 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2010-02-23 21:26:52 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-02-23 21:26:51 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-22 17:55:10 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-21 11:45:27 ----D---- C:\WINDOWS\ERDNT
2010-02-21 11:43:06 ----D---- C:\Program Files\ERUNT

======List of files/folders modified in the last 1 months======

2010-03-18 23:19:11 ----D---- C:\WINDOWS\Prefetch
2010-03-18 23:19:04 ----D---- C:\Program Files\Trend Micro
2010-03-18 23:08:21 ----D---- C:\Program Files\Mozilla Firefox
2010-03-18 22:10:01 ----D---- C:\WINDOWS\Temp
2010-03-18 21:46:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-18 21:01:01 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-18 20:57:45 ----D---- C:\WINDOWS\system32\inetsrv
2010-03-17 20:40:29 ----D---- C:\WINDOWS
2010-03-15 23:40:37 ----D---- C:\WINDOWS\Debug
2010-03-15 17:18:26 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2010-03-14 22:17:25 ----A---- C:\WINDOWS\NeroDigital.ini
2010-03-14 16:18:44 ----HD---- C:\WINDOWS\inf
2010-03-14 16:18:39 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-14 16:18:39 ----D---- C:\Program Files\Movie Maker
2010-03-14 16:18:38 ----D---- C:\WINDOWS\system32
2010-03-14 16:18:23 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-13 22:49:59 ----SD---- C:\WINDOWS\Tasks
2010-03-13 22:49:04 ----A---- C:\WINDOWS\system.ini
2010-03-13 22:46:58 ----D---- C:\WINDOWS\system32\drivers
2010-03-13 22:46:58 ----D---- C:\WINDOWS\AppPatch
2010-03-13 22:46:56 ----D---- C:\Program Files\Common Files
2010-03-11 19:30:46 ----RD---- C:\Program Files
2010-03-11 07:58:33 ----D---- C:\WINDOWS\java
2010-03-09 23:16:29 ----A---- C:\WINDOWS\win.ini
2010-03-08 19:44:56 ----SHD---- C:\WINDOWS\Installer
2010-03-08 19:41:56 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2010-03-08 19:16:18 ----D---- C:\WINDOWS\Network Diagnostic
2010-03-05 22:40:27 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-05 16:06:51 ----D---- C:\Documents and Settings\Administrator\Application Data\skypePM
2010-03-04 13:53:11 ----A---- C:\WINDOWS\POD.INI
2010-03-02 11:00:12 ----A---- C:\WINDOWS\system32\MRT.exe
2010-03-01 21:57:15 ----D---- C:\WINDOWS\Microsoft.NET
2010-02-26 21:56:57 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-02-26 00:14:32 ----D---- C:\WINDOWS\ie8updates
2010-02-23 22:40:57 ----D---- C:\WINDOWS\Help
2010-02-22 22:17:49 ----D---- C:\Documents and Settings\Administrator\Application Data\U3

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 K7TdiHlp;K7TDI Helper Service; \??\C:\WINDOWS\system32\drivers\K7TdiHlp.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2009-03-15 56268]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]
R2 K7Sentry;K7Sentry; \??\C:\WINDOWS\system32\drivers\K7Sentry.sys []
R2 pxrts;pxrts; C:\WINDOWS\System32\drivers\pxrts.sys [2010-02-04 49352]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-31 1333760]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 MQAC;Message Queuing access control; \??\C:\WINDOWS\system32\drivers\mqac.sys []
R3 P16X;FM801A PCI Audio (WDM); C:\WINDOWS\system32\drivers\FM801A.sys [2007-11-30 1293312]
R3 pxkbf;pxkbf; C:\WINDOWS\System32\drivers\pxkbf.sys [2010-02-04 24496]
R3 RMCAST;Reliable Multicast Protocol driver; \??\C:\WINDOWS\system32\drivers\RMCast.sys []
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys []
S3 ASPI;Advanced SCSI Programming Interface Driver; \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-10-19 4034048]
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys []
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2009-02-09 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-02-09 22016]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent; C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic; C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2008-04-14 20992]
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\SE27bus.sys [2006-09-18 61600]
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys [2006-09-18 9360]
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\SE27mdm.sys [2006-09-18 97184]
S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys [2006-09-18 88688]
S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS); C:\WINDOWS\system32\DRIVERS\se27nd5.sys [2006-09-18 18704]
S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\SE27obex.sys [2006-09-18 86560]
S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM); C:\WINDOWS\system32\DRIVERS\se27unic.sys [2006-09-18 90800]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-02-09 7808]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-14 26112]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 w200bus;Sony Ericsson W200 driver (WDM); C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 86368]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-31 376832]
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
R2 K7EmlPxy;K7Computng - EMail Proxy Server; C:\Program Files\K7 Computing\Common\K7EmlPxy.exe [2008-02-06 79128]
R2 K7RTScan;K7RealTime AntiVirus Services; C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7RTScan.exe [2007-10-09 38168]
R2 K7TSMngr;K7TotalSecurity Manager; C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSMngr.exe [2007-10-10 140568]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2008-04-14 33280]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2005-08-30 516096]
S2 gupdate1ca62c053e4acfe;Google Update Service (gupdate1ca62c053e4acfe); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-11-11 133104]
S2 MSMQ;Message Queuing; C:\WINDOWS\system32\mqsvc.exe [2008-04-14 4608]
S2 MSMQTriggers;Message Queuing Triggers; C:\WINDOWS\system32\mqtgsvc.exe [2008-04-14 117248]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-18 182768]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-03-04 621056]
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2008-04-14 8704]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 msvsmon90;Visual Studio 2008 Remote Debugger; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 3004416]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

4. How is the computer behaving?
My Docs page is not opening on startup.

I have some questions to ask:

1. The "Language bar" is enabled every time I start the machine, even if it was disabled before. This did not happen before I contacted you in search of help.
2. In the ESET NOD32 settings we left "Remove found threats" UNCHECKED. Why are we not deleting the found virus?
3. A "Recycler" folder was created in all the drives. I think I observed this after we performed the "Combofix" run.


I will install a licensed McAfee antivirus on my machine.

Let me know if anything more needs to be done.


Thanks,

Nagarjun S.
snagarjunas
Regular Member
 
Posts: 26
Joined: February 12th, 2010, 3:13 pm

Re: My Documents page opens twice for every reboot of WINXP3 :

Unread postby Wingman » March 18th, 2010, 6:49 pm

Hello snagarjunas,
snagarjunas wrote: 1. The "Language bar" is enabled every time I start the machine, even if it was disabled before. This did not happen before I contacted you in search of help.
This can occur when more than one language is enabled. You can stop the Language Bar from being displayed:
  • Go to Control Panel > Regional and Language Options
  • Press the Languages tab... then the Details button.
    The default language will be in bold letters...
  • You can remove the other languages, this eliminates the Language Bar...
    or
  • In the "Preferences" section, choose the Languages Bar button
  • Then UNCHECK "Show Language Bar on Desktop".

snagarjunas wrote: 2. In the ESET NOD32 settings we left "Remove found threats" UNCHECKED. Why are we not deleting the found virus?
Rather than have the online scan remove possibly infected files,
I want to see the file and what "kind" of infection is reported. Certain infections are better removed by specific programs. It may seem like an extra step to some, but knowing how to safely remove an infection is the goal.

snagarjunas wrote: 3. A "Recycler" folder was created in all the drives. I think I observed this after we performed the "Combofix" run.
ComboFix changes some system settings... the "Recycler" folder is the Recycle Bin folder... these are normally hidden from view.
You can hide them again by:
  • Control Panel > Folder Options
  • Choose the View tab.
  • Scroll down and CHECK "Hide protected operating system files (Recommended)"
  • Click "Apply", then click OK.

Unless there are other malware concerns or questions, we can begin some clean up and I can provide some final recommendations.

Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14115
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
