Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Attacked by xp antivirus 2008, need help!!

Post by hornt1 » June 26th, 2008, 11:41 pm

Hello,

I was attacked by xp antivirus 2008, which brought on the reign of other malware and spyware. I tried cleaning and cleaning and cleaning, but there is still something wrong with my computer. Any help would be amazing!!

Thank You!! :o

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:36:56, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\LeRoy\cftmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\LeRoy\Desktop\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {663656DF-6BAE-460C-A612-8133DF519346} - C:\WINDOWS\system32\yayyAtSM.dll
O2 - BHO: (no name) - {e4ec88ef-003a-4daf-a451-b7c365a225fc} - C:\WINDOWS\system32\byXqQiHA.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SMrhc3mvj0ee5c] C:\Program Files\rhc3mvj0ee5c\rhc3mvj0ee5c.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtrg.exe] C:\WINDOWS\system32\kdtrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [98473dfd] rundll32.exe "C:\WINDOWS\system32\moftqvke.dll",b
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LeRoy\cftmon.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\LeRoy\svchost.exe
O4 - HKLM\..\Run: [BM9b740e61] Rundll32.exe "C:\WINDOWS\system32\cempvdwf.dll",s
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\LeRoy\cftmon.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\LeRoy\svchost.exe
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - Startup: userinit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: yayyAtSM - C:\WINDOWS\SYSTEM32\yayyAtSM.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe

--
End of file - 7639 bytes
hornt1
Active Member
 
Posts: 3
Joined: June 26th, 2008, 11:26 pm
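The O4 entries in the log above show the patterns a log reader looks for: Windows system binary names launched from the wrong folder (drivers\services.exe), near-miss spellings (cftmon.exe for ctfmon.exe), autostarts living under a user profile, and rundll32 hosting a randomly named DLL. The following Python triage script is an added example, not part of the thread or of HijackThis; the SYSTEM_BINARIES, LOOKALIKES and eight-letter-DLL heuristics are my assumptions, and the sample lines are copied from the log above plus one clean NVIDIA entry for contrast.

```python
"""Triage HijackThis O4 (autostart) entries for masquerading patterns.

Heuristics only: a finding is a lead for a human to verify against the
rest of the log, not a verdict.
"""
import ntpath
import re

# Binaries that legitimately run only from %SystemRoot% (assumption: XP layout).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "userinit.exe", "explorer.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Near-miss spellings of system binaries (constructed list, not exhaustive).
LOOKALIKES = {
    "cftmon.exe": "ctfmon.exe",
    "spools.exe": "spoolsv.exe",
    "scvhost.exe": "svchost.exe",
}

# "O4 - <key>: [<value name>] <command>"  or  "O4 - Startup: <file>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<name>.*?)\] )?(?P<cmd>.*)$")
# First absolute Windows path ending in an executable-like extension, quoted or not.
TARGET_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|scr|cpl|com|bat))"?', re.I)
# Eight lowercase letters + .dll: the naming style of the Vundo DLLs in this log (weak signal).
RANDOM_DLL_RE = re.compile(r"[a-z]{8}\.dll")


def parse_o4(line):
    """Split one O4 line into (key, value name, command, target path); None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    t = TARGET_RE.search(cmd)
    # Startup-folder entries list a bare filename; keep that as the target.
    target = t.group(1) if t else cmd.split(" (User")[0].strip()
    return m.group("key"), m.group("name") or "", cmd, target


def triage_o4(line):
    """Return the list of findings for one O4 line (empty when nothing looks off)."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    key, name, cmd, target = parsed
    base = ntpath.basename(target).lower()
    folder = ntpath.dirname(target).lower()
    findings = []
    if base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        findings.append(f"system binary name '{base}' launched from '{folder or key}'")
    if base in LOOKALIKES:
        findings.append(f"'{base}' is a lookalike of {LOOKALIKES[base]}")
    if folder.startswith(r"c:\documents and settings"):
        findings.append("autostart runs from a user profile directory")
    if "rundll32" in cmd.lower() and RANDOM_DLL_RE.fullmatch(base):
        findings.append(f"rundll32 loads randomly named DLL '{base}'")
    return findings


def triage_log(text):
    """Return [(value name or key, findings), ...] for every O4 line with a finding."""
    report = []
    for line in text.splitlines():
        findings = triage_o4(line)
        if findings:
            key, name, _cmd, _target = parse_o4(line)
            report.append((name or key, findings))
    return report


# Sample input: lines copied from the HijackThis log above, plus one clean entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [98473dfd] rundll32.exe "C:\WINDOWS\system32\moftqvke.dll",b
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LeRoy\cftmon.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\LeRoy\svchost.exe
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: userinit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

if __name__ == "__main__":
    for entry, findings in triage_log(SAMPLE_LOG):
        print(entry)
        for f in findings:
            print("   -", f)
```

Run against the sample, every entry except the NVIDIA and Office lines is flagged, which matches what SDFix later deleted.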

Re: Attacked by xp antivirus 2008, need help!!

Post by Rodav » June 28th, 2008, 3:46 pm

Hello! :hello2: and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.
As I am still training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Attacked by xp antivirus 2008, need help!!

Post by Rodav » June 29th, 2008, 4:37 am

Step 1:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back into your next reply.


Step 2:
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.


Step 3:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.


Logs to Post:
Please copy and paste the following into your next reply:
  • The SDFix report
  • The Malwarebytes report
  • main.txt and extra.txt from the DSS scan
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Attacked by xp antivirus 2008, need help!!

Post by hornt1 » June 29th, 2008, 2:36 pm

Thank you so much for the reply! I did all that you said. Now here are the logs:

SD Fix Report

SDFix: Version 1.198
Run by LeRoy on Sun 06/29/2008 at 04:48

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
265ea3b6
94a83d73

Path :
\SystemRoot\System32\drivers\265ea3b6.sys
\SystemRoot\System32\drivers\94a83d73.sys

265ea3b6 - Deleted
94a83d73 - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\yayyAtSM.dll - Deleted
C:\WINDOWS\system32\asc94.dll - Deleted
C:\WINDOWS\SYSTEM32\ASC94.DLL - Deleted
C:\-17401~1 - Deleted
C:\Documents and Settings\House\cftmon.exe - Deleted
C:\Documents and Settings\LeRoy\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\svchost.exe - Deleted
C:\1.exe - Deleted
C:\d.exe - Deleted
C:\WINDOWS\gfetqaxsmnw.dll - Deleted
C:\WINDOWS\system32\2.tmp - Deleted
C:\Documents and Settings\LeRoy\Start Menu\Programs\Startup\userinit.exe - Deleted
C:\Documents and Settings\LeRoy\svchost.exe - Deleted
C:\userinit.exe - Deleted
C:\WINDOWS\ebot.exe - Deleted
C:\WINDOWS\system32\788877\788877.dll - Deleted
C:\WINDOWS\tovafrnm.exe - Deleted
C:\WINDOWS\system32\drivers\services.exe - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\system32\drivers\265ea3b6.sys - Deleted
C:\WINDOWS\system32\drivers\94a83d73.sys - Deleted



Folder C:\WINDOWS\system32\788877 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 09:07:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Avid\\MetaSync\\jre\\bin\\java.exe"="C:\\Program Files\\Avid\\MetaSync\\jre\\bin\\java.exe:*:Enabled:java"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 24 Jun 2008 1,449 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Wed 4 Aug 2004 1,068,032 A.SHR --- "C:\WINDOWS\system32\wplayer.exe1"
Thu 3 Apr 2008 69,632 A..H. --- "C:\Documents and Settings\LeRoy\Desktop\Samuri Avenger The Blind Wolf\SAG paperwork\SAG PAPERWORK DAYS\~WRL0001.tmp"
Thu 3 Apr 2008 71,168 A..H. --- "C:\Documents and Settings\LeRoy\Desktop\Samuri Avenger The Blind Wolf\SAG paperwork\SAG PAPERWORK DAYS\~WRL0002.tmp"
Wed 2 Apr 2008 69,120 A..H. --- "C:\Documents and Settings\LeRoy\Desktop\Samuri Avenger The Blind Wolf\SAG paperwork\SAG PAPERWORK DAYS\~WRL1412.tmp"
Sat 26 Apr 2008 53,760 A..H. --- "C:\Documents and Settings\LeRoy\Desktop\Samuri Avenger The Blind Wolf\SAG paperwork\SAG PAPERWORK DAYS\~WRL3586.tmp"

Finished!


Malwarebytes' Anti-Malware 1.19
Database version: 902
Windows 5.1.2600 Service Pack 2


11:17:19 AM 6/29/2008
mbam-log-6-29-2008 (11-17-10).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 148362
Time elapsed: 28 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 112

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\axkmkraf.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\byXqQiHA.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{406a8f7d-b04f-413f-a53d-6880e2b53e44} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{406a8f7d-b04f-413f-a53d-6880e2b53e44} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4937d5d1-2039-409a-bd83-fec9b39b2356} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\gxvpsafm.bvfw (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\gxvpsafm.toolbar.1 (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98473dfd (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM9b740e61 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxqqiha -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxqqiha -> No action taken.

Folders Infected:
C:\Documents and Settings\LocalService\Start Menu\Programs\AntiSpyCheck 2.1 (Rogue.AntiSpyCheck) -> No action taken.

Files Infected:
C:\WINDOWS\system32\byXqQiHA.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\AHiQqXyb.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\AHiQqXyb.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\axkmkraf.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\farkmkxa.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ftsxutdy.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ydtuxstf.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\oqluebii.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\iibeulqo.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rmajdhmm.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mmhdjamr.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tjqaaenx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\xneaaqjt.ini (Trojan.Vundo) -> No action taken.
C:\gxcxpd.exe (Trojan.FakeAlert) -> No action taken.
C:\nnjamld.exe (Worm.Socks) -> No action taken.
C:\oippasnn.exe (Trojan.Downloader) -> No action taken.
C:\tqwkrav.exe (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\House\svchost.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\House\Local Settings\Temporary Internet Files\Content.IE5\CZQRCFYV\kb456456[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\House\Start Menu\Programs\Startup\userinit.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\LeRoy\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\kb456456[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\LeRoy\Local Settings\Temporary Internet Files\Content.IE5\YN80Y8FB\c-setup[1].exe (Trojan.FakeAlert) -> No action taken.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080626-014540-212.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080626-014540-674.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP138\A0060768.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP138\A0060771.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0060786.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0060787.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0060788.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0060789.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0060791.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0060805.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0060806.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0060807.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061818.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061873.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061886.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061887.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061897.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061902.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061903.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061904.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061905.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062072.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062074.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062075.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062076.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062077.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062078.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062080.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062088.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062096.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062102.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0063101.dll (Trojan.Zlob) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0063103.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0063104.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0063110.exe (Rogue.VirusHeat) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0064164.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0064220.exe (Rogue.AntivirusXP2008) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0064221.dll (Rogue.AntivirusXP2008) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0064228.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0064234.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0064240.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065244.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065253.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065263.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065266.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065269.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065270.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065277.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065290.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065295.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065296.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065297.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065298.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065299.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065300.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065304.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065305.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065306.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065308.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065319.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065320.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065321.exe (Worm.Socks) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065326.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065328.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065329.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\cbXPfFVN.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\dani.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\fcccbaxw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hgGvwxvT.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\iifedBrR.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lphc7mvj0ee5c.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pphc7mvj0ee5c.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\scui.cpl (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\vtUMFWMd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wplayer.exe1 (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\LocalService\Start Menu\Programs\AntiSpyCheck 2.1\AntiSpyCheck 2.1.lnk (Rogue.AntiSpyCheck) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\WINDOWS\system32\ltgjiseq.dll (Trojan.Agent) -> No action taken.
C:\d1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\blphc7mvj0ee5c.scr (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\phc7mvj0ee5c.bmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\LeRoy\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> No action taken.
C:\Documents and Settings\LocalService\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\LocalService\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\LocalService\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\LocalService\My Documents\My Documents.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\LocalService\Desktop\AntiSpyCheck 2.1.lnk (Rogue.AntiSpyCheck) -> No action taken.
C:\Documents and Settings\LocalService\Start Menu\AntiSpyCheck 2.1.lnk (Rogue.AntiSpyCheck) -> No action taken.
C:\Documents and Settings\LocalService\Favorites\Antivirus Scan.url (Rogue.Link) -> No action taken.

Deckard's System Scanner v20071014.68
Run by LeRoy on 2008-06-29 11:21:01
Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
86: 2008-06-29 18:21:09 UTC - RP142 - Deckard's System Scanner Restore Point
85: 2008-06-29 16:22:11 UTC - RP141 - System Checkpoint
84: 2008-06-25 07:27:20 UTC - RP140 - Removed Sentinel Protection Installer 7.2.2
83: 2008-06-25 06:22:46 UTC - RP139 - Last known good configuration
82: 2008-06-25 06:22:30 UTC - RP138 - Installed Java Runtime Environment


-- First Restore Point --
1: 2008-06-25 06:21:48 UTC - RP57 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as LeRoy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:12, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\LeRoy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LeRoy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {f3bc4b53-09cf-5b5b-ea44-b50123f64598} - {89546f32-105b-44ae-b5b5-fc9035b4cb3f} - C:\WINDOWS\system32\ojvdzz.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SMrhc3mvj0ee5c] C:\Program Files\rhc3mvj0ee5c\rhc3mvj0ee5c.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtrg.exe] C:\WINDOWS\system32\kdtrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6155 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080626-014540-120 O17 - HKLM\System\CS1\Services\Tcpip\..\{0E909122-742A-40EC-92F8-5F3691342C32}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-202 O17 - HKLM\System\CCS\Services\Tcpip\..\{BC83CBF5-91E1-4065-B3AE-74AA88B7D4B8}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-212 O2 - BHO: (no name) - {663656DF-6BAE-460C-A612-8133DF519346} - C:\WINDOWS\system32\yayyAtSM.dll
backup-20080626-014540-233 O21 - SSODL: qegbdmwf - {901EE6FC-FECD-424C-B886-718323413200} - (no file)
backup-20080626-014540-315 O17 - HKLM\System\CS2\Services\Tcpip\..\{0E909122-742A-40EC-92F8-5F3691342C32}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-383 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-465 O3 - Toolbar: (no name) - {7D1DDA59-1111-444F-95B3-2B3B9264BB4E} - (no file)
backup-20080626-014540-542 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
backup-20080626-014540-590 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-628 O17 - HKLM\System\CCS\Services\Tcpip\..\{D6B3D078-459A-4529-A331-2320ECDC5247}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-643 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-674 O2 - BHO: (no name) - {CE8D3175-4A14-41B6-8EA2-125B2BAF98CA} - C:\WINDOWS\system32\byXqQiHA.dll
backup-20080626-014540-675 O17 - HKLM\System\CCS\Services\Tcpip\..\{0E909122-742A-40EC-92F8-5F3691342C32}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-736 O17 - HKLM\System\CCS\Services\Tcpip\..\{4BA41AAD-ADBA-4F21-8BE8-E350A937A1A1}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-860 O3 - Toolbar: (no name) - {85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - (no file)
backup-20080626-014540-871 O17 - HKLM\System\CCS\Services\Tcpip\..\{BC970003-F058-4C6E-A514-8618BA3FA178}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014541-114 O22 - SharedTaskScheduler: bergamiol - {049e2207-f9ef-40da-91f7-8819d0c33a84} - (no file)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>

S3 catchme - c:\docume~1\leroy\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 AvidSDMService (Avid SDM Service) - system32\avidsdmservice.exe <Not Verified; Avid Technology, Inc.; Avid Technology, Inc. AvidSDMService>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 DigiRefresh (Digidesign MME Refresh Service) - c:\program files\digidesign\drivers\mmerefresh.exe -s <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Digidesign MME Binder>

S2 AvidStartup (Avid Startup) - system32\avidstartup.exe <Not Verified; ; AvidStartup>
S2 LicCtrlService (LicCtrl Service) - c:\windows\runservice.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-21 15:41:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-29 10:04:20 0 d-------- C:\Documents and Settings\LeRoy\Application Data\Malwarebytes
2008-06-29 10:04:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 10:04:13 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 04:43:16 0 d-------- C:\WINDOWS\ERUNT
2008-06-29 04:35:25 103424 --a------ C:\WINDOWS\system32\ojvdzz.dll
2008-06-29 04:35:24 103424 --a------ C:\WINDOWS\system32\enedsrqw.dll
2008-06-29 04:32:24 82432 -----n--- C:\WINDOWS\system32\axkmkraf.dll
2008-06-29 03:45:05 103424 --a------ C:\WINDOWS\system32\rgmcum.dll
2008-06-29 03:45:03 103424 --a------ C:\WINDOWS\system32\jqknoysj.dll
2008-06-29 03:44:49 90624 --a------ C:\WINDOWS\system32\efkswbhq.dll
2008-06-27 03:05:06 106496 --a------ C:\WINDOWS\system32\emnayuej.dll
2008-06-26 01:32:29 0 d-------- C:\Program Files\Trend Micro
2008-06-26 00:53:39 1270 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-26 00:45:47 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-26 00:45:47 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-26 00:45:47 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-26 00:45:47 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-26 00:45:47 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-26 00:45:47 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-26 00:45:47 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-26 00:45:47 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-25 23:36:25 106496 --a------ C:\WINDOWS\system32\cnqptmdh.dll
2008-06-25 23:31:07 91136 --a------ C:\WINDOWS\system32\cempvdwf.dll
2008-06-25 23:30:21 323072 -----n--- C:\WINDOWS\system32\byXqQiHA.dll
2008-06-25 21:45:42 652268 --ahs---- C:\WINDOWS\system32\OpoqAcdd.ini2
2008-06-25 21:30:45 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-25 20:20:30 0 dr-h----- C:\Documents and Settings\LeRoy\Recent
2008-06-25 20:02:39 106496 --a------ C:\WINDOWS\system32\wytupgbb.dll
2008-06-25 19:59:39 91136 --a------ C:\WINDOWS\system32\ylfhclrc.dll
2008-06-25 07:56:38 652629 --ahs---- C:\WINDOWS\system32\uDffLnnn.ini2
2008-06-25 07:50:44 0 d--hs---- C:\WINDOWS\CSC
2008-06-25 07:31:06 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-06-25 07:31:06 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-06-25 07:30:39 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-06-25 07:30:39 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-25 00:26:45 19190 --ahs---- C:\WINDOWS\system32\MpAdNnpo.ini2
2008-06-25 00:13:09 0 d-------- C:\Program Files\Yahoo!
2008-06-24 23:35:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 23:34:17 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-24 23:25:22 0 d-------- C:\Documents and Settings\LeRoy\Application Data\rhc3mvj0ee5c
2008-06-24 23:24:49 4096 --a------ C:\ximnibr.exe
2008-06-24 23:21:38 5729 --ahs---- C:\WINDOWS\system32\RAHkQqss.ini2
2008-06-24 22:58:45 0 d-------- C:\Program Files\Investintech.com Inc
2008-06-16 20:52:29 0 d-------- C:\Program Files\Apple Software Update
2008-06-08 10:51:10 0 d-------- C:\Twixtor4


-- Find3M Report ---------------------------------------------------------------

2008-06-25 00:27:35 0 d-------- C:\Program Files\Common Files
2008-06-24 23:43:29 0 d-------- C:\Documents and Settings\LeRoy\Application Data\Azureus
2008-06-24 22:59:37 1421 --a------ C:\Documents and Settings\LeRoy\Application Data\autobahn.log
2008-06-24 22:23:31 0 d-------- C:\Program Files\Azureus
2008-06-24 17:21:58 1449 --ahs---- C:\WINDOWS\system32\mmf.sys
2008-06-23 23:41:41 0 d-------- C:\Program Files\Java
2008-06-16 20:55:57 0 d-------- C:\Program Files\QuickTime
2008-06-08 12:22:59 0 d-------- C:\Documents and Settings\LeRoy\Application Data\Ahead
2008-06-06 22:47:25 0 d-------- C:\Documents and Settings\LeRoy\Application Data\Adobe
2008-05-05 22:52:52 0 d-------- C:\Program Files\DivX
2008-04-08 08:36:14 117233 --a------ C:\WINDOWS\hpoins11.dat
2008-04-01 12:07:50 45056 --a------ C:\WINDOWS\mmfs.dll
2008-03-31 14:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 14:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 14:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89546f32-105b-44ae-b5b5-fc9035b4cb3f}]
06/29/2008 04:35 103424 --a------ C:\WINDOWS\system32\ojvdzz.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMrhc3mvj0ee5c"="C:\Program Files\rhc3mvj0ee5c\rhc3mvj0ee5c.exe" []
"C:\WINDOWS\system32\kdtrg.exe"="C:\WINDOWS\system32\kdtrg.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AUTORUN_VAL"=C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- End of Deckard's System Scanner: finished at 2008-06-29 11:22:36 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of Memory in Use: 16%
Physical Memory (total/avail): 2046.42 MiB / 1703.73 MiB
Pagefile Memory (total/avail): 3939.11 MiB / 3772.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.34 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 117.2 GiB total, 71.41 GiB free.
D: is Removable (FAT)
E: is Fixed (NTFS) - 116.55 GiB total, 84.73 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y250M0 - 233.76 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 117.2 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 116.55 GiB - E:

\\.\PHYSICALDRIVE1 - Ativa 1GB USB Device - 949.15 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 953.5 MiB - D:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Avid\\MetaSync\\jre\\bin\\java.exe"="C:\\Program Files\\Avid\\MetaSync\\jre\\bin\\java.exe:*:Enabled:java"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\LeRoy\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CRU-1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\LeRoy
LOGONSERVER=\\CRU-1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Avid;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LeRoy\LOCALS~1\Temp
TMP=C:\DOCUME~1\LeRoy\LOCALS~1\Temp
USERDOMAIN=CRU-1
USERNAME=LeRoy
USERPROFILE=C:\Documents and Settings\LeRoy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

LeRoy (admin)
House


-- Add/Remove Programs ---------------------------------------------------------

HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2065 / Error
Event Submitted/Written: 06/29/2008 04:30:29 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module unknown, version 0.0.0.0, fault address 0x02071558.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2040 / Warning
Event Submitted/Written: 06/25/2008 09:30:52 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type2039 / Warning
Event Submitted/Written: 06/25/2008 09:30:45 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type2004 / Error
Event Submitted/Written: 06/24/2008 10:59:36 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application tqwkrav.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [tqwkrav.exe!ws!]

Event Record #/Type1936 / Error
Event Submitted/Written: 06/16/2008 09:46:10 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.40413, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3015 / Warning
Event Submitted/Written: 06/29/2008 11:19:59 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\REVEILLE-PC on the network \Device\NetBT_Tcpip_{BC83CBF5-91E1-4065-B3AE-74AA88B7D4B8}.
The data is the error code.

Event Record #/Type3000 / Error
Event Submitted/Written: 06/29/2008 11:19:08 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Avid Startup service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type2998 / Error
Event Submitted/Written: 06/29/2008 11:19:08 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The LicCtrl Service service failed to start due to the following error:
%%2

Event Record #/Type2992 / Error
Event Submitted/Written: 06/29/2008 10:15:29 AM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{BC83CBF5-91E1-4065-B3AE-74AA88B7D4B8}.
The backup browser is stopping.

Event Record #/Type2991 / Warning
Event Submitted/Written: 06/29/2008 10:12:01 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\REVEILLE-PC on the network \Device\NetBT_Tcpip_{BC83CBF5-91E1-4065-B3AE-74AA88B7D4B8}.
The data is the error code.



-- End of Deckard's System Scanner: finished at 2008-06-29 11:22:36 ------------
hornt1
Active Member
 
Posts: 3
Joined: June 26th, 2008, 11:26 pm
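The HijackThis and DSS logs above are what a helper reads by hand: autostart entries, the recent-files list, DNS overrides. As an added example (not part of hornt1's post, and not code from HijackThis, DSS or Malwarebytes), here is a first-pass triage in Python over trimmed copies of those logs. It cross-references O2/O3/O4/O2x autostart targets with the DSS "Files created" window, checks O17 NameServer overrides against an assumed allowlist of public resolvers (the two OpenDNS addresses that appear in the log), and flags the file-system patterns visible in the post: hidden+system files and odd extensions in system32, executables in the drive root, and clusters of same-size DLLs. The thresholds and the allowlist are assumptions to tune; the output is a review list, not a verdict.

```python
"""First-pass triage of a HijackThis log against the 'Files created' section of a
Deckard's System Scanner (DSS) log. Added example for this thread: not code from
the original post, HijackThis, DSS or Malwarebytes. The excerpts below are trimmed
copies of the posted logs; thresholds and the resolver allowlist are analyst
assumptions, and the output is a review list, not a verdict.
"""
import re
from collections import Counter

# Assumption: resolvers the analyst accepts in an O17 NameServer override.
KNOWN_RESOLVERS = {"208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS"}
STANDARD_EXT = {"exe", "dll", "sys", "cpl", "scr", "ocx", "ini", "reg", "log", "dat", "txt"}
AUTOSTART_SECTIONS = ("O2 ", "O3 ", "O4 ", "O20", "O21", "O22", "O23")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl|scr|ocx)\w*", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# DSS file line: <date> <time> <size> <9-char attrs> <path> [<Not Verified; ...>]
DSS_FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{9})\s+(.+?)(?:\s+<.*>)?$")

HJT_SAMPLE = r"""
O2 - BHO: {f3bc4b53-09cf-5b5b-ea44-b50123f64598} - {89546f32-105b-44ae-b5b5-fc9035b4cb3f} - C:\WINDOWS\system32\ojvdzz.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SMrhc3mvj0ee5c] C:\Program Files\rhc3mvj0ee5c\rhc3mvj0ee5c.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
"""
DSS_SAMPLE = r"""
-- Files created between 2008-05-29 and 2008-06-29 -----------------------------
2008-06-29 10:04:13 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 04:35:25 103424 --a------ C:\WINDOWS\system32\ojvdzz.dll
2008-06-29 04:35:24 103424 --a------ C:\WINDOWS\system32\enedsrqw.dll
2008-06-29 03:45:05 103424 --a------ C:\WINDOWS\system32\rgmcum.dll
2008-06-26 00:45:47 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-25 21:45:42 652268 --ahs---- C:\WINDOWS\system32\OpoqAcdd.ini2
2008-06-24 23:24:49 4096 --a------ C:\ximnibr.exe

-- Find3M Report ---------------------------------------------------------------
"""


def letter_digit_runs(stem):
    """Switches between letter runs and digit runs in a file stem: 'rhc3mvj0ee5c' -> 6,
    'HPZipm12' -> 1. Machine-generated names alternate far more than vendor names."""
    kinds = ["d" if ch.isdigit() else "a" for ch in stem if ch.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def parse_dss_recent_files(dss_text):
    """Lower-cased path -> (size, attrs) for files (not directories) in the DSS section."""
    recent, inside = {}, False
    for line in dss_text.splitlines():
        if line.startswith("-- Files created between"):
            inside = True
        elif inside and line.startswith("-- "):
            break  # next DSS section
        elif inside and (m := DSS_FILE_RE.match(line.strip())) and not m.group(3).startswith("d"):
            recent[m.group(4).lower()] = (int(m.group(2)), m.group(3))
    return recent


def triage(hjt_text, dss_text):
    """Return (severity, reason, evidence) tuples, strongest signals first."""
    recent, findings = parse_dss_recent_files(dss_text), []
    for line in (raw.strip() for raw in hjt_text.splitlines()):
        if line.startswith("O17") and "NameServer" in line:
            for ip in IP_RE.findall(line):
                who = KNOWN_RESOLVERS.get(ip)
                sev, what = ("info", f"known resolver {who}") if who else ("high", "unrecognised resolver")
                findings.append((sev, f"DNS override to {what} ({ip})", line))
        elif line.startswith(AUTOSTART_SECTIONS):
            if "(file missing)" in line or "(no file)" in line:
                findings.append(("low", "orphaned autostart entry, target gone", line))
                continue
            m = PATH_RE.search(line)
            if not m:
                continue
            path = m.group(0)
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if path.lower() in recent:
                findings.append(("high", "autostart target created inside the DSS recent-files window", line))
            if letter_digit_runs(stem) >= 3:
                findings.append(("medium", f"name '{stem}' looks machine-generated", line))
            if line.startswith(("O4 - HKUS\\S-1-5-18", "O4 - HKUS\\.DEFAULT")):
                findings.append(("medium", "Run key in the SYSTEM / Default user hive", line))
    # DSS-only signals among the recently created files.
    dll_sizes = Counter(size for p, (size, _) in recent.items() if p.endswith(".dll"))
    for path, (size, attrs) in recent.items():
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        in_sys32, reasons = "\\system32\\" in path, []
        if in_sys32 and "h" in attrs and "s" in attrs:
            reasons.append("hidden+system file dropped in system32")
        if in_sys32 and ext and ext not in STANDARD_EXT:
            reasons.append(f"non-standard extension .{ext} in system32")
        if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", path):
            reasons.append("executable dropped in the drive root")
        if ext == "dll" and dll_sizes[size] >= 3:
            reasons.append(f"one of {dll_sizes[size]} new DLLs of exactly {size} bytes")
        if reasons:
            findings.append(("medium", "; ".join(reasons), path))
    return sorted(findings, key=lambda f: "high medium low info".split().index(f[0]))


if __name__ == "__main__":
    print(*triage(HJT_SAMPLE, DSS_SAMPLE), sep="\n")
```

Run against the embedded excerpts, the only "high" finding is the BHO whose DLL was created the same morning; the rogue AV's Run entry is caught by its letter/digit-alternating name, the SYSTEM-hive Run key and the orphaned service are listed for cleanup, and the OpenDNS entries come out as "info" rather than as a hijack. Vendor entries such as NvCpl.dll and AcroIEFavClient.dll produce nothing, which is the false-positive check worth keeping when tuning the heuristics.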

Re: Attacked by xp antivirus 2008, need help!!

Unread postby Rodav » June 30th, 2008, 4:42 am

ENABLE WINDOWS FIREWALL
It doesn't appear that you are using a Firewall.

Before we continue, please make sure that Windows Firewall is enabled. Once we get your system clean, I will give detailed instructions on downloading and using a different, more secure firewall.

  • Click Start, then Control Panel
  • Once in the Control Panel, open Security Center followed by Windows Firewall
  • Please choose "Enable" or "Activate Windows Firewall"
  • Click Apply
  • Close the Control Panel

After you have completed this, please proceed with the following.


Step 1:
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\wplayer.exe1

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish, then copy and paste the results in your next response.

If Jotti is busy, you could try the same at VirusTotal.


Step 2:
Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software (for personal use) from one of these excellent vendors NOW:

1) AntiVir PersonalEdition Classic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for non-commercial users.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

When you have installed an AV, do a full system scan with it and quarantine everything it finds.


Step 3:
  • Click Start > Run, type "%userprofile%\desktop\dss.exe" /config and click OK
  • This will bring up a pop-up box.
  • Click the "Check all" button.
  • Hit the Scan button.
  • When the scan finishes, main.txt will open in Notepad and the Extra.txt file will be minimised in the Taskbar at the bottom of your screen.


Logs to Post:
In your next reply, please copy and paste the following:
  • The Jotti/Virustotal results
  • The Antivirus report
  • The 2 logs from DSS
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
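Step 1 above asks for the suspect file to be uploaded to a multi-engine scanner. An analyst hashes it first: a hash can be looked up without sending anyone the file, and the same code has to cope with the two failure modes that show up in this very thread, a file that is already gone and a file that exists under a slightly different name (wplayer.exe1 beside a wplayer.exe). The following is an added example, not code from Rodav's post and not a client of Jotti or VirusTotal; it assumes the VirusTotal web lookup URL form https://www.virustotal.com/gui/file/<sha256>, and the file names and bytes it writes to a temporary directory are constructed placeholders, not a real sample.

```python
"""Hash-first handling of a suspect file before it is uploaded to a multi-engine
scanner such as Jotti or VirusTotal.

Added example for the step above: not code from the original post and not a
client of either service. It assumes the VirusTotal web lookup URL form
https://www.virustotal.com/gui/file/<sha256>; the file names and bytes below are
constructed, not a real sample.
"""
import glob
import hashlib
import io
import os
import tempfile

VT_LOOKUP = "https://www.virustotal.com/gui/file/{sha256}"
# Constructed placeholder standing in for a suspect binary (not a real sample).
SAMPLE_CONTENT = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real binary"


def digests(stream, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a binary stream, read in chunks so a large
    file is never held in memory at once."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digests_of_bytes(data):
    """Same digests for an in-memory byte string (handy for known test vectors)."""
    return digests(io.BytesIO(data))


def find_variants(path):
    """Other files in the same directory that share the stem (wplayer.* for
    wplayer.exe1): droppers and cleaners both leave near-duplicates behind."""
    directory, name = os.path.split(path)
    stem = os.path.splitext(name)[0]
    pattern = os.path.join(glob.escape(directory), glob.escape(stem) + ".*")
    return sorted(p for p in glob.glob(pattern)
                  if os.path.abspath(p) != os.path.abspath(path))


def fingerprint(path):
    """Everything an analyst wants before deciding whether to upload the file:
    hashes for a lookup, a URL for the SHA-256, and what to do if it is gone."""
    report = {"path": path, "exists": False, "variants": find_variants(path)}
    try:
        with open(path, "rb") as fh:
            report.update(digests(fh))
    except FileNotFoundError:
        report["note"] = "not on disk: check AV quarantine folders and the variants list"
        return report
    except PermissionError:
        report["note"] = "access denied: file is probably loaded; hash it from a clean boot"
        return report
    report.update(exists=True, size=os.path.getsize(path),
                  lookup_url=VT_LOOKUP.format(sha256=report["sha256"]))
    return report


def demo_on_constructed_sample():
    """Write the placeholder bytes as wplayer.exe1 plus a wplayer.exe sibling into
    a temp dir; fingerprint the suspect and a path that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = os.path.join(tmp, "wplayer.exe1")
        for name in ("wplayer.exe1", "wplayer.exe"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(SAMPLE_CONTENT)
        return fingerprint(suspect), fingerprint(os.path.join(tmp, "gone.exe"))


if __name__ == "__main__":
    for report in demo_on_constructed_sample():
        print(report)
```

Paste the SHA-256 (or the lookup URL) into the scanner before uploading anything; if the report says the file is not on disk, the variants list and the anti-virus quarantine folders are the places to look before concluding it was never there.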

Re: Attacked by xp antivirus 2008, need help!!

Unread postby hornt1 » July 1st, 2008, 1:28 am

For step 1, the computer could not find that file. Now I think what might have happened was that Spybot Search & Destroy does a scan every day and it might have removed it if it was considered bad, but I'm not sure. I have since turned off the daily scan.

Here are the AV Scan Results

Avira AntiVir Personal

Report file date: Monday, June 30, 2008 20:57

Scanning for 1369578 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: CRU-1

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 18:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 17:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 17:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 17:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 03:55:29
ANTIVIR2.VDF : 7.0.5.20 142336 Bytes 6/30/2008 03:55:32
ANTIVIR3.VDF : 7.0.5.25 18432 Bytes 6/30/2008 03:55:33
Engineversion : 8.1.0.59
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 18:58:21
AESCRIPT.DLL : 8.1.0.44 278907 Bytes 7/1/2008 03:55:55
AESCN.DLL : 8.1.0.22 119157 Bytes 7/1/2008 03:55:53
AERDL.DLL : 8.1.0.20 418165 Bytes 7/1/2008 03:55:52
AEPACK.DLL : 8.1.1.6 364918 Bytes 7/1/2008 03:55:49
AEOFFICE.DLL : 8.1.0.20 192891 Bytes 7/1/2008 03:55:46
AEHEUR.DLL : 8.1.0.32 1274231 Bytes 7/1/2008 03:55:44
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/1/2008 03:55:41
AEGEN.DLL : 8.1.0.29 307573 Bytes 7/1/2008 03:55:40
AEEMU.DLL : 8.1.0.6 430451 Bytes 7/1/2008 03:55:37
AECORE.DLL : 8.1.0.31 168310 Bytes 7/1/2008 03:55:35
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/24/2008 02:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 19:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/24/2008 02:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 17:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/24/2008 02:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 23:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 21:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, June 30, 2008 20:57

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'MMERefresh.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AvidSDMService.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '19' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\ximnibr.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48d6abad.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48d2ad09.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '49534922.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp12.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48d2ad0b.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp14.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '48d2ad0a.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp4.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '49534923.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp5.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '49534924.qua'!
C:\Documents and Settings\House\Local Settings\Temporary Internet Files\Content.IE5\0VERQBEH\kb671231[1]
[DETECTION] Is the Trojan horse TR/Monder.WG
[NOTE] The file was moved to '489fad0f.qua'!
C:\Documents and Settings\House\Local Settings\Temporary Internet Files\Content.IE5\Y9U38BSP\kb767887[1]
[DETECTION] Is the Trojan horse TR/Vundo.ewz.30
[NOTE] The file was moved to '48a0ad11.qua'!
C:\Documents and Settings\LeRoy\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.94443
[DETECTION] Is the Trojan horse TR/Agent.42496
[NOTE] The file was moved to '48aaad12.qua'!
C:\Documents and Settings\LeRoy\Desktop\Movie Magic\Screenwriter 2000\Movie Magic Screenwriter 2000\screenwriter 2000 setup.exe
[0] Archive type: ZIP SFX (self extracting)
--> netpub.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
[NOTE] The file was moved to '48dbad69.qua'!
C:\Documents and Settings\LeRoy\Local Settings\Temporary Internet Files\Content.IE5\SAFDEF1N\kb671231[1]
[DETECTION] Is the Trojan horse TR/Monder.WG
[NOTE] The file was moved to '489fad7d.qua'!
C:\Documents and Settings\LeRoy\Local Settings\Temporary Internet Files\Content.IE5\YN80Y8FB\kb767887[1]
[DETECTION] Is the Trojan horse TR/Vundo.ewz.30
[NOTE] The file was moved to '48a0ad7f.qua'!
C:\Documents and Settings\LeRoy\My Documents\Azureus Downloads\Filmmakers Package\Movie Magic Budget and Schedule\Movie Magic Screenwriter, Budgeting And Scheduling, And Dramatica 4.zip
[0] Archive type: ZIP
--> Movie Magic/Screenwriter 2000/Movie Magic Screenwriter 2000/screenwriter 2000 setup.exe
[1] Archive type: ZIP SFX (self extracting)
--> netpub.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
[NOTE] The file was moved to '48dfadc4.qua'!
C:\Documents and Settings\LeRoy\My Documents\Azureus Downloads\Movie Magic\Screenwriter 2000\Movie Magic Screenwriter 2000\screenwriter 2000 setup.exe
[0] Archive type: ZIP SFX (self extracting)
--> netpub.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
[NOTE] The file was moved to '48dbadc2.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ML49EJK9\mega-codec.v.4.051[2].exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.DNSChanger.Gen
[NOTE] The file was moved to '48d0add7.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OH2ZOL67\setup[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.Gen
[NOTE] The file was moved to '48ddadd7.qua'!
C:\Program Files\Image-Line\FL Studio 6\talio.dll
[DETECTION] Is the Trojan horse TR/Dldr.Small.btf.3
[NOTE] The file was moved to '48d5b0f7.qua'!
C:\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/2.tmp
[DETECTION] Is the Trojan horse TR/Fakealert.AG
--> backups/788877.dll
[DETECTION] Is the Trojan horse TR/BHO.Gen
--> backups/asc94.dll
[DETECTION] Is the Trojan horse TR/Zlob.cnd.1
--> backups/cftmon.exe
[DETECTION] Contains detection pattern of the worm WORM/Socks.agj
--> backups/ebot.exe
[DETECTION] Is the Trojan horse TR/Vapsup.hen.2
--> backups/svchost.exe
[DETECTION] Contains detection pattern of the worm WORM/Socks.AE.15
--> backups/tovafrnm.exe
[DETECTION] Is the Trojan horse TR/Vapsup.hen.1
--> backups/userinit.exe
[DETECTION] Contains detection pattern of the worm WORM/Socks.AE.15
--> backups/yayyAtSM.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.pni
[NOTE] The file was moved to '48ccb1bb.qua'!
C:\SDFix\backups\catchme.zip
[0] Archive type: ZIP
--> 265ea3b6.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> 94a83d73.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> services.exe
[DETECTION] Contains detection pattern of the worm WORM/Socks.AE.15
--> spools.exe
[DETECTION] Contains detection pattern of the worm WORM/Socks.agj
[NOTE] The file was moved to '48ddb1bb.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP139\A0061875.exe
[DETECTION] Is the Trojan horse TR/Dldr.FraudLoad.991744
[NOTE] The file was moved to '4899b1a3.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0062082.dll
[DETECTION] Is the Trojan horse TR/Vapsup.hen
[NOTE] The file was moved to '4899b1a7.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0063115.dll
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.ABKM.12
[NOTE] The file was moved to '4899b1a8.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0063116.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.lps.63
[NOTE] The file was moved to '49e66541.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0063127.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.lps.62
[NOTE] The file was moved to '4899b1aa.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0064161.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4899b1a9.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0064231.exe
[0] Archive type: RAR SFX (self extracting)
--> install.exe
[DETECTION] Is the Trojan horse TR/Agent.42496
[NOTE] The file was moved to '4899b1b0.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065307.exe
[DETECTION] Is the Trojan horse TR/Vapsup.hen.2
[NOTE] The file was moved to '4899b1b5.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065309.exe
[DETECTION] Is the Trojan horse TR/Vapsup.hen.1
[NOTE] The file was moved to '4899b1b6.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065323.exe
[DETECTION] Is the Trojan horse TR/Vapsup.hen.2
[NOTE] The file was moved to '49e6655f.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP140\A0065327.exe
[DETECTION] Is the Trojan horse TR/Vapsup.hen.1
[NOTE] The file was moved to '4899b1b7.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065377.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1b8.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065379.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1b9.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065381.dll
[DETECTION] Is the Trojan horse TR/Agent.81920
[NOTE] The file was moved to '49e66552.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065383.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1bb.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065385.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1ba.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065386.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '49e66553.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065387.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1bc.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065388.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '49e66555.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065389.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '49e66554.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065390.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1bd.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065391.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '49e66556.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065392.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1be.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065393.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '49e66557.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065394.dll
[DETECTION] Is the Trojan horse TR/BHO.adt
[NOTE] The file was moved to '49e66559.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065396.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1bf.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065397.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '49e66528.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065398.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1c1.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065399.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '49e6652a.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065400.cpl
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1b2.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065401.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '49e6655b.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065405.scr
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1b4.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP141\A0065410.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1c3.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP142\A0065421.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1c0.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP144\A0065434.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '4899b1c2.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP144\A0065435.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.105
[NOTE] The file was moved to '49e6652c.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP144\A0065436.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4899b1c5.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP144\A0065437.exe
[0] Archive type: ZIP SFX (self extracting)
--> netpub.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
[NOTE] The file was moved to '4899b1c4.qua'!
C:\System Volume Information\_restore{0FCC9EA1-683F-4505-9E6D-64AD2B4FBCBF}\RP144\A0065438.dll
[DETECTION] Is the Trojan horse TR/Dldr.Small.btf.3
[NOTE] The file was moved to '49e6652d.qua'!
C:\WINDOWS\system32\cempvdwf.dll
[DETECTION] Is the Trojan horse TR/Monder.acy
[NOTE] The file was moved to '48d6b2b9.qua'!
C:\WINDOWS\system32\efkswbhq.dll
[DETECTION] Is the Trojan horse TR/Monder.WG
[NOTE] The file was moved to '48d4b2c2.qua'!
C:\WINDOWS\system32\emnayuej.dll
[DETECTION] Is the Trojan horse TR/Monderc.106496
[NOTE] The file was moved to '48d7b2c9.qua'!
C:\WINDOWS\system32\enedsrqw.dll
[DETECTION] Is the Trojan horse TR/Vundo.ewz.30
[NOTE] The file was moved to '48ceb2cb.qua'!
C:\WINDOWS\system32\jqknoysj.dll
[DETECTION] Is the Trojan horse TR/Vundo.ewz.30
[NOTE] The file was moved to '48d4b2d4.qua'!
C:\WINDOWS\system32\ojvdzz.dll
[DETECTION] Is the Trojan horse TR/Vundo.ewz.30
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\WINDOWS\system32\rgmcum.dll
[DETECTION] Is the Trojan horse TR/Vundo.ewz.30
[NOTE] The file was moved to '48d6b493.qua'!
C:\WINDOWS\system32\ylfhclrc.dll
[DETECTION] Is the Trojan horse TR/Monder.acy
[NOTE] The file was moved to '48cfb4a4.qua'!
Begin scan in 'E:\' <Music>


End of the scan: Monday, June 30, 2008 21:41
Used time: 43:18 min

The scan has been done completely.

12035 Scanning directories
314685 Files were scanned
72 viruses and/or unwanted programs were found
6 Files were classified as suspicious:
0 files were deleted
0 files were repaired
66 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
314613 Files not concerned
2606 Archives were scanned
2 Warnings
66 Notes




Deckard's System Scanner v20071014.68
Run by LeRoy on 2008-06-30 22:14:10
Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
89: 2008-07-01 05:14:15 UTC - RP145 - Deckard's System Scanner Restore Point
88: 2008-07-01 03:52:58 UTC - RP144 - Avira AntiVir Personal - 6/30/2008 20:52
87: 2008-06-30 18:59:10 UTC - RP143 - System Checkpoint
86: 2008-06-29 18:21:09 UTC - RP142 - Deckard's System Scanner Restore Point
85: 2008-06-29 16:22:11 UTC - RP141 - System Checkpoint


-- First Restore Point --
1: 2008-06-25 06:21:48 UTC - RP57 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as LeRoy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:14:24, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\LeRoy\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LeRoy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {f3bc4b53-09cf-5b5b-ea44-b50123f64598} - {89546f32-105b-44ae-b5b5-fc9035b4cb3f} - C:\WINDOWS\system32\ojvdzz.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SMrhc3mvj0ee5c] C:\Program Files\rhc3mvj0ee5c\rhc3mvj0ee5c.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtrg.exe] C:\WINDOWS\system32\kdtrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6929 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080626-014540-120 O17 - HKLM\System\CS1\Services\Tcpip\..\{0E909122-742A-40EC-92F8-5F3691342C32}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-202 O17 - HKLM\System\CCS\Services\Tcpip\..\{BC83CBF5-91E1-4065-B3AE-74AA88B7D4B8}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-212 O2 - BHO: (no name) - {663656DF-6BAE-460C-A612-8133DF519346} - C:\WINDOWS\system32\yayyAtSM.dll
backup-20080626-014540-233 O21 - SSODL: qegbdmwf - {901EE6FC-FECD-424C-B886-718323413200} - (no file)
backup-20080626-014540-315 O17 - HKLM\System\CS2\Services\Tcpip\..\{0E909122-742A-40EC-92F8-5F3691342C32}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-383 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-465 O3 - Toolbar: (no name) - {7D1DDA59-1111-444F-95B3-2B3B9264BB4E} - (no file)
backup-20080626-014540-542 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
backup-20080626-014540-590 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-628 O17 - HKLM\System\CCS\Services\Tcpip\..\{D6B3D078-459A-4529-A331-2320ECDC5247}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-643 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-674 O2 - BHO: (no name) - {CE8D3175-4A14-41B6-8EA2-125B2BAF98CA} - C:\WINDOWS\system32\byXqQiHA.dll
backup-20080626-014540-675 O17 - HKLM\System\CCS\Services\Tcpip\..\{0E909122-742A-40EC-92F8-5F3691342C32}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-736 O17 - HKLM\System\CCS\Services\Tcpip\..\{4BA41AAD-ADBA-4F21-8BE8-E350A937A1A1}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014540-860 O3 - Toolbar: (no name) - {85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - (no file)
backup-20080626-014540-871 O17 - HKLM\System\CCS\Services\Tcpip\..\{BC970003-F058-4C6E-A514-8618BA3FA178}: NameServer = 208.67.220.220,208.67.222.222
backup-20080626-014541-114 O22 - SharedTaskScheduler: bergamiol - {049e2207-f9ef-40da-91f7-8819d0c33a84} - (no file)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>

S3 catchme - c:\docume~1\leroy\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 AvidSDMService (Avid SDM Service) - system32\avidsdmservice.exe <Not Verified; Avid Technology, Inc.; Avid Technology, Inc. AvidSDMService>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 DigiRefresh (Digidesign MME Refresh Service) - c:\program files\digidesign\drivers\mmerefresh.exe -s <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Digidesign MME Binder>

S2 AvidStartup (Avid Startup) - system32\avidstartup.exe <Not Verified; ; AvidStartup>
S2 LicCtrlService (LicCtrl Service) - c:\windows\runservice.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1048)
2007-01-15 17:25:48 1261568 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroSearchBar.dll <Not Verified; Nero AG; Nero File Dialog>
2006-10-11 14:56:06 2830336 --a------ C:\Program Files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll <Not Verified; BCGSoft Ltd; BCGControlBar Professional Dynamic Link Library>


-- Scheduled Tasks -------------------------------------------------------------

2008-06-21 15:41:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 20:53:10 0 d-------- C:\Program Files\Avira
2008-06-30 20:53:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-29 10:04:20 0 d-------- C:\Documents and Settings\LeRoy\Application Data\Malwarebytes
2008-06-29 10:04:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 10:04:13 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 04:43:16 0 d-------- C:\WINDOWS\ERUNT
2008-06-26 01:32:29 0 d-------- C:\Program Files\Trend Micro
2008-06-26 00:53:39 1270 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-26 00:45:47 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-26 00:45:47 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-26 00:45:47 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-26 00:45:47 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-26 00:45:47 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-26 00:45:47 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-26 00:45:47 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-26 00:45:47 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-25 23:36:25 106496 --a------ C:\WINDOWS\system32\cnqptmdh.dll
2008-06-25 21:45:42 652268 --ahs---- C:\WINDOWS\system32\OpoqAcdd.ini2
2008-06-25 21:30:45 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-25 20:20:30 0 dr-h----- C:\Documents and Settings\LeRoy\Recent
2008-06-25 20:02:39 106496 --a------ C:\WINDOWS\system32\wytupgbb.dll
2008-06-25 07:56:38 652629 --ahs---- C:\WINDOWS\system32\uDffLnnn.ini2
2008-06-25 07:50:44 0 d--hs---- C:\WINDOWS\CSC
2008-06-25 07:31:06 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-06-25 07:31:06 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-06-25 07:30:39 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-06-25 07:30:39 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-25 00:26:45 19190 --ahs---- C:\WINDOWS\system32\MpAdNnpo.ini2
2008-06-25 00:13:09 0 d-------- C:\Program Files\Yahoo!
2008-06-24 23:35:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 23:34:17 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-24 23:25:22 0 d-------- C:\Documents and Settings\LeRoy\Application Data\rhc3mvj0ee5c
2008-06-24 23:21:38 5729 --ahs---- C:\WINDOWS\system32\RAHkQqss.ini2
2008-06-24 22:58:45 0 d-------- C:\Program Files\Investintech.com Inc
2008-06-16 20:52:29 0 d-------- C:\Program Files\Apple Software Update
2008-06-08 10:51:10 0 d-------- C:\Twixtor4


-- Find3M Report ---------------------------------------------------------------

2008-06-25 00:27:35 0 d-------- C:\Program Files\Common Files
2008-06-24 23:43:29 0 d-------- C:\Documents and Settings\LeRoy\Application Data\Azureus
2008-06-24 22:59:37 1421 --a------ C:\Documents and Settings\LeRoy\Application Data\autobahn.log
2008-06-24 22:23:31 0 d-------- C:\Program Files\Azureus
2008-06-24 17:21:58 1449 --ahs---- C:\WINDOWS\system32\mmf.sys
2008-06-23 23:41:41 0 d-------- C:\Program Files\Java
2008-06-16 20:55:57 0 d-------- C:\Program Files\QuickTime
2008-06-08 12:22:59 0 d-------- C:\Documents and Settings\LeRoy\Application Data\Ahead
2008-06-06 22:47:25 0 d-------- C:\Documents and Settings\LeRoy\Application Data\Adobe
2008-05-05 22:52:52 0 d-------- C:\Program Files\DivX
2008-04-08 08:36:14 117233 --a------ C:\WINDOWS\hpoins11.dat
2008-04-01 12:07:50 45056 --a------ C:\WINDOWS\mmfs.dll
2008-03-31 14:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 14:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 14:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89546f32-105b-44ae-b5b5-fc9035b4cb3f}]
C:\WINDOWS\system32\ojvdzz.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMrhc3mvj0ee5c"="C:\Program Files\rhc3mvj0ee5c\rhc3mvj0ee5c.exe" []
"C:\WINDOWS\system32\kdtrg.exe"="C:\WINDOWS\system32\kdtrg.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AUTORUN_VAL"=C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

*Newly Created Service* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- End of Deckard's System Scanner: finished at 2008-06-30 22:15:07 ------------





Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of Memory in Use: 18%
Physical Memory (total/avail): 2046.42 MiB / 1659.33 MiB
Pagefile Memory (total/avail): 3939.11 MiB / 3677.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.34 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 117.2 GiB total, 71.29 GiB free.
D: is Removable (FAT)
E: is Fixed (NTFS) - 116.55 GiB total, 84.73 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y250M0 - 233.76 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 117.2 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 116.55 GiB - E:

\\.\PHYSICALDRIVE1 - Ativa 1GB USB Device - 949.15 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 953.5 MiB - D:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Avira AntiVir PersonalEdition v8.0.1.15 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Avid\\MetaSync\\jre\\bin\\java.exe"="C:\\Program Files\\Avid\\MetaSync\\jre\\bin\\java.exe:*:Enabled:java"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\LeRoy\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CRU-1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\LeRoy
LOGONSERVER=\\CRU-1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Avid;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LeRoy\LOCALS~1\Temp
TMP=C:\DOCUME~1\LeRoy\LOCALS~1\Temp
USERDOMAIN=CRU-1
USERNAME=LeRoy
USERPROFILE=C:\Documents and Settings\LeRoy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

LeRoy (admin)
House


-- Add/Remove Programs ---------------------------------------------------------

Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2091 / Warning
Event Submitted/Written: 06/30/2008 08:56:53 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
DR/Tool.Reboot.F.105C:\Documents and Settings\LeRoy\Desktop\SmitfraudFix.exe

Event Record #/Type2088 / Warning
Event Submitted/Written: 06/30/2008 08:56:02 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Trash.GenC:\WINDOWS\system32\axkmkraf.dll

Event Record #/Type2065 / Error
Event Submitted/Written: 06/29/2008 04:30:29 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module unknown, version 0.0.0.0, fault address 0x02071558.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2040 / Warning
Event Submitted/Written: 06/25/2008 09:30:52 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type2039 / Warning
Event Submitted/Written: 06/25/2008 09:30:45 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3085 / Error
Event Submitted/Written: 06/30/2008 09:44:07 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Avid Startup service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type3083 / Error
Event Submitted/Written: 06/30/2008 09:44:03 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The LicCtrl Service service failed to start due to the following error:
%%2

Event Record #/Type3060 / Warning
Event Submitted/Written: 06/30/2008 08:34:48 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3059 / Error
Event Submitted/Written: 06/30/2008 08:23:28 AM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type3058 / Error
Event Submitted/Written: 06/30/2008 08:23:28 AM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.



-- End of Deckard's System Scanner: finished at 2008-06-30 22:15:07 ------------
hornt1
Active Member
 
Posts: 3
Joined: June 26th, 2008, 11:26 pm

Re: Attacked by xp antivirus 2008, need help!!

Unread postby Rodav » July 1st, 2008, 8:39 am

The file I asked you to upload earlier was deleted by Malwarebytes, I just needed to be sure.


P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you wish to keep them, please do not use them until your computer is cleaned.


Step 1:
Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
C:\WINDOWS\system32\cnqptmdh.dll
C:\WINDOWS\system32\OpoqAcdd.ini2
C:\WINDOWS\system32\wytupgbb.dll
C:\WINDOWS\system32\uDffLnnn.ini2
C:\WINDOWS\system32\MpAdNnpo.ini2
C:\Documents and Settings\LeRoy\Application Data\rhc3mvj0ee5c
C:\WINDOWS\system32\RAHkQqss.ini2

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2


Step 2:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: {f3bc4b53-09cf-5b5b-ea44-b50123f64598} - {89546f32-105b-44ae-b5b5-fc9035b4cb3f} - C:\WINDOWS\system32\ojvdzz.dll (file missing)
    O4 - HKLM\..\Run: [SMrhc3mvj0ee5c] C:\Program Files\rhc3mvj0ee5c\rhc3mvj0ee5c.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtrg.exe] C:\WINDOWS\system32\kdtrg.exe
    O4 - HKUS\S-1-5-18\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AUTORUN_VAL] C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (User 'Default user')


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application and Restart your computer.


Step 3:
Click Start / Run and copy and paste the following:

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries if they appear:

    .reg
    .scr
  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt
  • I'll need that log later.
If everything is ok again, it should display the "all associations ok" message.

Post back with the contents of daft.txt.


Step 4:
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.


Step 5:
Run DSS normally and in your next reply, please post:
  • The OTMoveIt2 results
  • The Daft.txt from Step 3.
  • The online Kaspersky results
  • The new DSS log
Also please let me know how your computer is running.
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
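One way to see why the Step 1 list above was chosen is to run a triage pass over the DSS "Files created" section. This is an added example, not part of the thread and not code from DSS or OTMoveIt2; it assumes the DSS line format shown in the log above, and its heuristics (hidden+system files, version-less DLLs in system32, random-looking names) are calibrated against this log, so treat its output as candidates for a human to review, not verdicts. The sample lines are copied from the posted log.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: a subset of the DSS "Files created" lines posted above.
# Format: <date time> <size> <attrs: d r a h s + 4 dashes> <path> [<Not Verified; publisher; desc>]
SAMPLE_DSS_LINES = r"""
2008-06-26 00:45:47 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-25 23:36:25 106496 --a------ C:\WINDOWS\system32\cnqptmdh.dll
2008-06-25 21:45:42 652268 --ahs---- C:\WINDOWS\system32\OpoqAcdd.ini2
2008-06-25 20:02:39 106496 --a------ C:\WINDOWS\system32\wytupgbb.dll
2008-06-25 07:50:44 0 d--hs---- C:\WINDOWS\CSC
2008-06-24 23:25:22 0 d-------- C:\Documents and Settings\LeRoy\Application Data\rhc3mvj0ee5c
2008-06-24 23:21:38 5729 --ahs---- C:\WINDOWS\system32\RAHkQqss.ini2
2008-03-31 14:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S{9}) "
    r"(?P<path>.+?)(?: <(?P<pub>[^>]*)>)?$"
)

class Entry(NamedTuple):
    ts: str
    size: int
    attrs: str
    path: str
    publisher: Optional[str]  # None when DSS printed no version block after the path

def parse_dss_files(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the DSS format are skipped
            out.append(Entry(m["ts"], int(m["size"]), m["attrs"], m["path"], m["pub"]))
    return out

def looks_random(stem: str) -> bool:
    """Heuristic: 8+ alphanumerics that mix letters and digits, or are nearly vowel-free."""
    if len(stem) < 8 or not stem.isalnum():
        return False
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    vowel_ratio = sum(c in "aeiou" for c in stem.lower()) / len(stem)
    return mixed or vowel_ratio <= 0.25

def triage(entries) -> dict:
    """Map each suspicious path to the reasons it was flagged (candidates, not verdicts)."""
    flagged = {}
    for e in entries:
        is_dir, hidden_system = e.attrs[0] == "d", e.attrs[3:5] == "hs"
        name = e.path.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".") if "." in name else (name, "", "")
        in_system32 = "\\system32\\" in e.path.lower()
        reasons = []
        if hidden_system and not is_dir:  # --ahs---- payload files, unlike the CSC directory
            reasons.append("hidden+system file")
        if in_system32 and ext.lower() == "dll" and e.publisher is None:
            reasons.append("DLL in system32 with no version info")
        if looks_random(stem):
            reasons.append("random-looking name")
        if reasons:
            flagged[e.path] = reasons
    return flagged

if __name__ == "__main__":
    for path, why in triage(parse_dss_files(SAMPLE_DSS_LINES)).items():
        print(f"{path}  <- {', '.join(why)}")
```

On the sample above the pass flags exactly the five system32 files and the Application Data folder that appear in the OTMoveIt2 list, while leaving dumphive.exe, the CSC folder and the DivX DLL alone.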

Re: Attacked by xp antivirus 2008, need help!!

Unread postby Rodav » July 4th, 2008, 5:57 am

Hi hornt1, do you still need any more help?
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Attacked by xp antivirus 2008, need help!!

Unread postby Shaba » July 6th, 2008, 11:19 am

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland