Hi JOHN

New member Problem with a PC !! need help !!!

Post by IASS » March 21st, 2007, 4:42 am

Logfile of HijackThis v1.99.1
Scan saved at 11:36:56, on 21.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Superhunter\NetSpeeder\NetSpeeder.exe
C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - Default URLSearchHook is missing
O2 - BHO: IeControler Class - {9AFD91F9-6B03-4D22-A1E1-67D224CB7AB1} - C:\Program Files\Superhunter\NetSpeeder\IEMate.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [NetSpeeder] "C:\Program Files\Superhunter\NetSpeeder\NetSpeeder.exe" hide
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Program Files\ Uninstaller PRO 2006 version 7\monitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe" /AC
O4 - HKCU\..\Run: [RAMSaverPro] C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Rapget - D:\rapget126\rapget.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [!ANetSpeeder] NetSpeeder
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3904120171
O17 - HKLM\System\CCS\Services\Tcpip\..\{F573A9D2-8CF0-484E-A08E-BB5A0455AC8D}: NameServer = 213.158.0.6,212.48.193.36
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: DCOM Server 54573 - {2C1CD3D7-86AC-4068-93BC-A02304B54573} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Eset - (no file)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
IASS
Active Member
 
Posts: 6
Joined: March 19th, 2007, 1:19 pm

Post by John B. » March 24th, 2007, 2:15 pm

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.
I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Finally, please make an uninstall list using HijackThis.
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:

    Image

    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Hello JOHN and thanks for help !!!

Post by IASS » March 24th, 2007, 5:57 pm

7-Zip 4.42
Aaaa-?aa o?eony ?eoaou
ABBYY Lingvo 12 Multilingual Edition
Ad-Aware SE Personal
Adobe Acrobat 7.0 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Advanced Uninstaller PRO 2006 - version 7
Almeza MultiSet 3.0
a-squared Anti-Malware 2.1
AsusUpdate
AusLogics BoostSpeed
AutoCAD 2008 - English
Autodesk DWF Viewer 7
CCleaner (remove only)
Copy Handler
Debugging Tools for Windows
DFE-520TX
D-Link PCI Fast Ethernet Adapter
EasyLingo v2.0
eMule
ErrorDoctor
First Step Guide
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ImageMixer VCD2
InterVideo WinDVD 8
J2SE Runtime Environment 5.0 Update 11
L&H TTS3000 Deutsch
L&H TTS3000 Espaсol
L&H TTS3000 Franзais
L&H TTS3000 Italiano
L&H TTS3000 Russian
Lernout & Hauspie TruVoice American English TTS Engine
Lizardtech DjVu Control
Megaupload Toolbar
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft DirectX Transform optional components
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
Mustek 12000 SP PLUS v2.0
NetSpeeder
NOD32 antivirus system
NOD32 FiX
NVIDIA Drivers
OpenSSL 0.9.6m
Pando
PCI Audio Applications
PCI Audio Driver
PE Builder v3.1.3
PowerISO
PowerQuest BootMagic 8.0
PowerQuest PartitionMagic 8.0
PROMT Expert 7 Giant
QuickTime
RAM Saver Pro
Registry Mechanic 6.0
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Skype 3.1
Skype Plugin Manager
Sony USB Driver
Spybot - Search & Destroy 1.4
The Rosetta Stone
The Rosetta Stone Classic
Total Commander (Remove or Repair)
TrojanHunter 4.6
Unlocker 1.8.5
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Voice Editor
Windows Defender
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB891781
WinRAR archiver
XoftSpy
Yahoo! Browser Services
Yahoo! Mail
Yahoo! Messenger
Yahoo! Toolbar
IASS
Active Member
 
Posts: 6
Joined: March 19th, 2007, 1:19 pm

Post by John B. » March 25th, 2007, 5:09 am

Hi IASS,

Optional Fix!
You're running MegaUpload online storage and file delivery service - from the toolbar eula: "This toolbar integrates certain services from alexa internet,inc. ("Alexa"). The toolbar may exchange data with Alexa in order to provide: (a) information to you about the web pages you view (ranking information, for example) and (b) basic information to alexa on your use of the toolbar, including the ip address of your computer, the url of the web pages you visit and, because the toolbar communicates via http, data typical of normal http communications such as user agent and operating system, will be communicated." You may want to consider removing the toolbar.

Step 1: Disable Windows Defender
Please disable Windows Defender Real Time Protection as it may interfere with the fix. To disable Windows Defender:
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • Close Windows Defender
Once your log is clean you can re-enable Windows Defender Real Time Protection.

Step 2: Delete service
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop "ANSYS FLEXlm license manager"
sc delete "ANSYS FLEXlm license manager"
exit


Double click FixServices.bat. A window will open and close. This is normal.

Step 3: Delete programs
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present). It could be that they have a space or something between it, but it has to look like it:

    RegistryPowerCleaner << Note: This might look like a legit program to you, but in our databases it's known as a program which acts like it's legit but is actually malware!
    MegaUpload Toolbar << Note: This one is optional!

Step 4: Remove HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL << Note: This one is optional!
    O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe" /AC
    O21 - SSODL: DCOM Server 54573 - {2C1CD3D7-86AC-4068-93BC-A02304B54573} - (no file)
    O23 - Service: ANSYS FLEXlm license manager - Eset - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Step 5: Delete folders
Use Explorer to navigate to and delete the following folders (if present):

C:\Program Files\MegaUpload << This one is optional! Not sure about the name of the folder but it begins with MegaUpload.

C:\Program Files\Winferno\RegistryPowerCleaner

Now just exit Explorer.

Step 6: Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnerable to infections.
Please download the newest version here:
http://www.adobe.com/uk/products/reader/

Install it, then go to Add Remove Programs and remove any older versions that may remain.

Step 7: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java(TM) SE Runtime Environment 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Step 8: Run CCleaner
CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

Step 9: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.

Step 10: Post logs
  • Uninstall log (if you haven't posted it yet)
  • Kaspersky log
  • Fresh HijackThis log
  • Tell me about any problems/questions

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
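
The fix list in Step 4 includes the two entries that HijackThis itself marked "(no file)". As an added example (not part of the original post and not a forum tool), the following Python sketch parses HijackThis entry lines and surfaces every entry whose target file is reported missing, as candidates for review rather than verdicts. It assumes that a trailing "(name)" on an O23 display name is the service key name; the sample lines are an excerpt from the log posted in this thread.

```python
import re

# Excerpt of entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe" /AC
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O21 - SSODL: DCOM Server 54573 - {2C1CD3D7-86AC-4068-93BC-A02304B54573} - (no file)
O23 - Service: ANSYS FLEXlm license manager - Eset - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# An entry line starts with a section code such as R0, O4 or O23, then " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Suffixes HijackThis appends when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, running-process path or blank line
        code, body = match.groups()
        entries.append({
            "code": code,
            "body": body,
            "orphaned": body.endswith(ORPHAN_MARKERS),
        })
    return entries


def parse_service(body):
    """Split an O23 body into display name, key name, vendor and path."""
    prefix = "Service: "
    if not body.startswith(prefix):
        return None
    # Split from the right: the display name itself may contain " - ".
    parts = body[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, vendor, path = parts
    # Assumption: a trailing "(name)" is the service key name, which is
    # what a service-control command needs; otherwise use the display name.
    key = re.search(r"\(([^()]+)\)$", display)
    return {
        "display": display,
        "key_name": key.group(1) if key else display,
        "vendor": vendor,
        "path": path,
    }


def orphaned_entries(log_text):
    """Entries whose target file HijackThis could not find."""
    return [e for e in parse_entries(log_text) if e["orphaned"]]


def orphaned_services(log_text):
    """Key names of O23 services registered without a file on disk."""
    names = []
    for entry in orphaned_entries(log_text):
        if entry["code"] != "O23":
            continue
        service = parse_service(entry["body"])
        if service:
            names.append(service["key_name"])
    return names


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["code"], "-", entry["body"])
    print("Services without a file:", orphaned_services(SAMPLE_LOG))
```

A missing file alone does not make an entry malicious: the O9 line is flagged here too, yet it is not in the Step 4 list, so each hit still needs a reviewer's judgement.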

Post by John B. » March 29th, 2007, 3:02 pm

Do you still need any help?
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

HI JOHN

Post by IASS » March 30th, 2007, 10:53 am

I don't understand what to do with: Step 10: Post logs ???
IASS
Active Member
 
Posts: 6
Joined: March 19th, 2007, 1:19 pm

Post by John B. » March 30th, 2007, 1:07 pm

Hi,

In that step I ask you to post the logs which I asked you to save in the earlier steps. With post I mean copy them and then paste them into a reply.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Hi JOHN

Post by IASS » April 5th, 2007, 5:35 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 30, 2007 6:32:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/03/2007
Kaspersky Anti-Virus database records: 289049
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 83589
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:32:45

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C59EFA1D-584D-4F42-8C99-90EEDB5BF205}.bin Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03152007-051438.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\ADMIN\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ADMIN\Local Settings\Temp\IMG2114.tmp Object is locked skipped
C:\Documents and Settings\ADMIN\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ADMIN\Local Settings\History\History.IE5\MSHist012007033020070331\index.dat Object is locked skipped
C:\Documents and Settings\ADMIN\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ADMIN\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ADMIN\ntuser.dat Object is locked skipped
C:\Program Files\eMule\Temp\002.part Object is locked skipped
C:\Program Files\eMule\Temp\003.part Object is locked skipped
C:\Program Files\eMule\Temp\005.part Object is locked skipped
C:\Program Files\eMule\Temp\006.part Object is locked skipped
C:\Program Files\eMule\Temp\010.part Object is locked skipped
C:\Program Files\eMule\Temp\007.part Object is locked skipped
C:\Program Files\eMule\Temp\008.part Object is locked skipped
C:\Program Files\eMule\Temp\009.part Object is locked skipped
C:\Program Files\eMule\Temp\011.part Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-03-28.18-49-52.log Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped

Scan process completed.
IASS
Active Member
 
Posts: 6
Joined: March 19th, 2007, 1:19 pm

Post by John B. » April 5th, 2007, 11:18 am

Hi,

Thanks for giving the Kaspersky log :) It was clean :D

Please do the following things
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Leave the Notepad file open.
6. Go to this link and then press post reply: http://www.malwareremoval.com/forum/viewtopic.php?t=19339
7. Simply copy and paste the contents of that notepad file here into that reply and press submit
8. Now close the notepad file
9. Make a new HijackThis log like you did it the first time and please post it here like you did in step 7

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Post by John B. » April 9th, 2007, 3:27 pm

Do you still need help?
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Hi JOHN

Post by IASS » April 14th, 2007, 8:28 am

Aaaa-?aa o?eony ?eoaou
ABBYY Lingvo 12 Multilingual Edition
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Advanced Uninstaller PRO 2006 - version 7
Almeza MultiSet 3.0
a-squared Anti-Malware 2.1
AsusUpdate
AusLogics BoostSpeed
AutoCAD 2008 - English
Autodesk CAD Manager Tools
Autodesk DWF Viewer 7
Babylon
CCleaner (remove only)
CDCheck
Copy Handler
Debugging Tools for Windows
DFE-520TX
D-Link PCI Fast Ethernet Adapter
EasyLingo v2.0
eMule
ErrorDoctor
First Step Guide
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 1.99.1
ImageMixer VCD2
InterVideo WinDVD 8
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
L&H TTS3000 Deutsch
L&H TTS3000 Espaсol
L&H TTS3000 Franзais
L&H TTS3000 Italiano
L&H TTS3000 Russian
Lernout & Hauspie TruVoice American English TTS Engine
Lizardtech DjVu Control
Macromedia Flash Player 8
Magic ISO Maker v5.3 (build 0229)
MagicDisc 2.5.74
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft DirectX Transform optional components
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
Mustek 12000 SP PLUS v2.0
My Web Search (Popular Screensavers)
NetSpeeder
NOD32 antivirus system
NOD32 FiX
NVIDIA Drivers
OpenSSL 0.9.6m
Pando
PCI Audio Applications
PCI Audio Driver
PE Builder v3.1.3
PowerISO
PowerQuest BootMagic 8.0
PowerQuest PartitionMagic 8.0
PROMT Expert 7 Giant
QuickTime
RAM Saver Pro
Rapidown 5.9 SE - http://www.rapidown.com.br
Rapidshare Unlimited 2.0
Registry Mechanic 6.0
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Skype 3.1
Skype Plugin Manager
Sony USB Driver
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
The Rosetta Stone
The Rosetta Stone Classic
Total Commander (Remove or Repair)
TrojanHunter 4.6
Uniblue Registry Booster
Unlocker 1.8.5
Voice Editor
Windows Defender
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
XoftSpy
Yahoo! Browser Services
Yahoo! Mail
Yahoo! Messenger
Yahoo! Toolbar
IASS
Active Member
 
Posts: 6
Joined: March 19th, 2007, 1:19 pm

Unread postby John B. » April 15th, 2007, 5:36 am

Hi,

You're running an illegal copy of NOD32. Cracked software is a major source of infection and it may very well be why you got infected.
As we don't help people who run illegal software, I suggest you uninstall NOD32 and NOD32 FiX!!!

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of Peer to Peer programs themselves is here:
Clean/Infected P2P Programs
Please decide if you want to keep using P2P.

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Java(TM) SE Runtime Environment 6
    My Web Search
    NOD32 antivirus system
    NOD32 FiX
    <your p2p programs, if you don't want to keep them>

Use an Anti Virus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone anti virus programs:
Computer Safety On line - Anti-Virus
I use AVG Anti-Virus (Free Edition) but you might just prefer something different!

Update your Anti Virus Software - It is imperative that you update your anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Please post a fresh HijackThis log and also tell me from which country you come/which language you use because I saw this in your Uninstall log:
Aaaa-?aa o?eony ?eoaou
...
L&H TTS3000 Espa?ol
L&H TTS3000 Fran?ais

Those can be special letters the forum can't see.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
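
An added example, not part of John's post and not a MalwareRemoval.com tool: a small normaliser a helper could run over a pasted uninstall list before reviewing it. It assumes the mixed-script entries are Windows-1252 names that were displayed as Windows-1251 (an assumption that fits the two TTS3000 lines, not something the thread confirms); entries already reduced to `?` cannot be recovered and are only flagged.

```python
import unicodedata

# Constructed sample: entries copied from the uninstall list posted in this thread.
SAMPLE = """Aaaa-?aa o?eony ?eoaou
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
L&H TTS3000 Espaсol
L&H TTS3000 Franзais
L&H TTS3000 Russian
NOD32 FiX
"""

def scripts(token):
    """Set of scripts (LATIN, CYRILLIC) used by the letters of one token."""
    found = set()
    for ch in token:
        name = unicodedata.name(ch, "")
        for script in ("LATIN", "CYRILLIC"):
            if name.startswith(script):
                found.add(script)
    return found

def repair_token(token):
    """Undo the assumed cp1252 -> cp1251 mis-decoding in a mixed-script token."""
    if scripts(token) != {"LATIN", "CYRILLIC"}:
        return token                      # single-script tokens are left alone
    try:
        return token.encode("cp1251").decode("cp1252")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return token                      # not reversible with this codepage pair

def normalise(text):
    """Return [(entry, status, count)] in first-seen order, duplicates merged."""
    merged = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fixed = " ".join(repair_token(t) for t in line.split(" "))
        if fixed != line:
            status = "repaired"
        elif "?" in line:
            status = "lossy"              # bytes already replaced by '?'; ask the poster
        else:
            status = "ok"
        entry = merged.setdefault(fixed, [status, 0])
        entry[1] += 1
    return [(name, s, n) for name, (s, n) in merged.items()]

if __name__ == "__main__":
    for name, status, count in normalise(SAMPLE):
        print(f"{status:9} x{count} {name}")
```

Only tokens that mix Latin and Cyrillic letters are rewritten, so a genuinely Russian program name passes through unchanged.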

Unread postby NonSuch » April 30th, 2007, 9:10 pm

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link:
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California