TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG


Post by jaslur1982 » July 20th, 2008, 7:25 am

Hi all,
I am wondering if you can help me? I keep getting a popup from Trend Internet Security 2008 saying:

TROJAN HORSE PROGRAM FOUND
CLICK THE BUTTON BELOW TO FIND OUT HOW YOU SHOULD DEAL WITH THIS SECURITY THREAT.

TROJAN HORSE: TSPY ONLINE.FXG
ACTION TAKEN: UNABLE TO CLEAN

GET HELP NOW

When I click "GET HELP NOW" it seems as if it just gets you to run the program and, once it detects the TSPY, to remove it. But when I do run the scan it is not detected. When I view the virus scan logs, it tells me that the TSPY is located in my temp directory, but when I actually open up my temp folder there are no files named TSPY at all.
I still, however, deleted everything in the temp folder but continue to receive the threat popups mentioned above.
Trend has been detecting these threats from 29/06/08 to current; it seems as if Trend is successfully quarantining most of the TSPY, but others not. There may be a minimum of five TSPY threats each day in the logs from the dates mentioned above.
How do I get rid of this threat permanently?
Any help would be much appreciated,
Thanking you
jaslur1982
Active Member
 
Posts: 7
Joined: July 20th, 2008, 7:01 am

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Post by silver » July 23rd, 2008, 3:35 am

Hi jaslur1982,

Please download HijackThis from here (right-click the link, select Save Target As..., select your Desktop and press Save):

Double-click the program and follow the prompts to install it.
After installing, HijackThis will open automatically.

Select Do a system scan and save a logfile - this will produce a HijackThis log in Notepad. Check in Notepad that Format->Word Wrap is UNchecked.

Please post it in a response to this message. Copy the contents of the log by pressing Ctrl-A then Ctrl-C, then paste it into your response by pressing Ctrl-V.

I will review the log and let you know how to proceed.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Post by jaslur1982 » July 23rd, 2008, 10:19 am

Hi Silver,
I have pasted the log file of HijackThis as well as two days of Trend virus logs out of the three or so weeks this has been happening.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:04 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\DVD Software\AnyDvD\AnyDVD.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jase\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: - {0B428C12-8F5E-4D26-9ABF-7876339DBCA1} - C:\WINDOWS\system32\Qq8q8lPS.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\Tt2t2oSV.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "F:\DVD Software\CloneDvD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] F:\DVD Software\AnyDvD\AnyDVD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Adobe Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 6752 bytes


VIRUS LOG: 07-07-08

"Virus Scan Logs" "Jul 07, 2008" ""
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"00:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\eVB6l1IY.exe" "Quarantined Success" ""
"00:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\eVB6l1IY.exe" "Quarantined Fail" ""
"02:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\5oHd10h3.exe" "Quarantined Success" ""
"02:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\5oHd10h3.exe" "Quarantined Fail" ""
"04:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\l1meqcCm.exe" "Quarantined Success" ""
"04:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\l1meqcCm.exe" "Quarantined Fail" ""
"06:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\mkXVRJ8E.exe" "Quarantined Success" ""
"06:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\mkXVRJ8E.exe" "Quarantined Fail" ""
"08:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\P5Gw6PO8.exe" "Quarantined Success" ""
"08:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\P5Gw6PO8.exe" "Quarantined Fail" ""
"10:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\d54k863L.exe" "Quarantined Success" ""


VIRUS LOG: 08-07-08

"Virus Scan Logs" "Jul 08, 2008" ""
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"09:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\gMs25e8L.exe" "Quarantined Success" ""
"09:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\gMs25e8L.exe" "Quarantined Fail" ""
"11:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\yk3OPncj.exe" "Quarantined Success" ""
"11:28" "Manual Scan" "File" "PAK_Generic.001" "C:\Documents and Settings\Jase\Local Settings\Temporary Internet Files\Content.IE5\37BU1H9V\d1b97ae24eef0cb1bc3891178bf311c5[1]" "Quarantined Success" ""
"12:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\v6rdPrN7.exe" "Quarantined Success" ""
"12:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\v6rdPrN7.exe" "Quarantined Fail" ""
"14:13" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\Ht0324Li.exe" "Quarantined Success" ""
"16:13" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\87n523Gl.exe" "Quarantined Success" ""
"19:13" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\ogIn814X.exe" "Quarantined Success" ""
"19:13" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\ogIn814X.exe" "Quarantined Fail" ""
"21:12" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\00JphVcJ.exe" "Quarantined Success" ""
jaslur1982
Active Member
 
Posts: 7
Joined: July 20th, 2008, 7:01 am
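As an added example (not part of the thread), the Trend Micro "Virus Scan Logs" export posted above can be parsed to pull out what the poster worked out by eye: how many distinct files were detected, which ones also logged a failed quarantine, how regularly new ones appear, and whether the names all follow one random pattern. The sample is the 07-07-08 log from the post, embedded as a constructed string; the "random name" pattern is my own assumption drawn from the names in the log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the 07-07-08 "Virus Scan Logs" export from the post above,
# in the quoted-field format Trend Micro Internet Security 2008 writes.
SAMPLE_LOG = r'''"Virus Scan Logs" "Jul 07, 2008" ""
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"00:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\eVB6l1IY.exe" "Quarantined Success" ""
"00:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\eVB6l1IY.exe" "Quarantined Fail" ""
"02:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\5oHd10h3.exe" "Quarantined Success" ""
"02:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\5oHd10h3.exe" "Quarantined Fail" ""
"04:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\l1meqcCm.exe" "Quarantined Success" ""
"04:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\l1meqcCm.exe" "Quarantined Fail" ""
"06:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\mkXVRJ8E.exe" "Quarantined Success" ""
"06:14" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\mkXVRJ8E.exe" "Quarantined Fail" ""
"08:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\P5Gw6PO8.exe" "Quarantined Success" ""
"08:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\P5Gw6PO8.exe" "Quarantined Fail" ""
"10:15" "File Monitor" "File" "TSPY_ONLINEG.FXG" "C:\DOCUME~1\Jase\LOCALS~1\Temp\d54k863L.exe" "Quarantined Success" ""
'''

# Every value in the export is a double-quoted field; empty fields are "".
FIELD_RE = re.compile(r'"([^"]*)"')
# Assumed pattern: eight alphanumerics + .exe dropped straight into %TEMP%,
# which is the shape of every file name in the posted logs.
RANDOM_TEMP_RE = re.compile(r'\\Temp\\[A-Za-z0-9]{8}\.exe$')


def parse_trend_log(text):
    """Parse the export into (log_date, rows).

    Line 1 carries the log date, line 2 the column names; every later line
    becomes a dict keyed by those names plus a full datetime under "When".
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    title = FIELD_RE.findall(lines[0])
    log_date = datetime.strptime(title[1], "%b %d, %Y").date()
    columns = FIELD_RE.findall(lines[1])
    rows = []
    for ln in lines[2:]:
        fields = FIELD_RE.findall(ln)
        if len(fields) != len(columns):
            continue  # skip a malformed line rather than misalign columns
        row = dict(zip(columns, fields))
        clock = datetime.strptime(row["Time"], "%H:%M").time()
        row["When"] = datetime.combine(log_date, clock)
        rows.append(row)
    return log_date, rows


def actions_by_file(rows):
    """Map each infected file to the set of first-action outcomes logged for it."""
    outcomes = defaultdict(set)
    for r in rows:
        outcomes[r["Infected File"]].add(r["First Action"])
    return dict(outcomes)


def detection_intervals(rows):
    """Minutes between successive *distinct* file detections, in time order."""
    first_seen = {}
    for r in rows:
        first_seen.setdefault(r["Infected File"], r["When"])
    times = sorted(first_seen.values())
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]


def random_temp_names(rows):
    """Distinct base names matching the random-eight-character Temp pattern."""
    hits = {r["Infected File"].rsplit("\\", 1)[-1]
            for r in rows if RANDOM_TEMP_RE.search(r["Infected File"])}
    return sorted(hits)


def triage(text):
    """One-call summary of a pasted log, suitable for a reply in the thread."""
    _, rows = parse_trend_log(text)
    by_file = actions_by_file(rows)
    failed = sorted(f for f, acts in by_file.items() if "Quarantined Fail" in acts)
    return {
        "distinct_files": len(by_file),
        "files_with_failed_quarantine": failed,
        "intervals_min": detection_intervals(rows),
        "random_names": random_temp_names(rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

A steady two-hour cadence of fresh random names, with the files already gone when the user looks, is the pattern that tells a helper to look for whatever is re-creating them rather than for the files themselves.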

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Post by silver » July 23rd, 2008, 9:41 pm

Hi jaslur1982,

It appears that your computer has been infected by a password-stealing trojan. If you use this computer for sensitive purposes, such as internet banking, then you should immediately use a known clean machine to change all your passwords. Also consider notifying your bank(s) etc. that your login credentials may have been compromised.

------------------------------------------------------------------------

Please open this page in your browser:
http://www.bleepingcomputer.com/submit- ... channel=32

Copy/paste the following into the Browse to the file you want to submit field:
C:\WINDOWS\system32\Qq8q8lPS.dll
Then press Send File; this will upload the file for analysis.
Then, repeat for this file:
C:\WINDOWS\system32\Tt2t2oSV.dll

------------------------------------------------------------------------

Your HijackThis program file is currently on your Desktop. We need to put it into a permanent location so the backups it makes are safe from accidental deletion. The easiest way to do this is for you to download the installer version from here (right-click the link, select Save Target As..., select your Desktop and press Save):
http://downloads.malwareremoval.com/HJTInstall.exe

Once the download is complete, delete your old copy of HijackThis.exe from your Desktop, then double-click HJTInstall.exe to install HijackThis.
Once installation is complete, HijackThis will open automatically. Choose Do a system scan only and place a checkmark next to the following lines:
O2 - BHO: - {0B428C12-8F5E-4D26-9ABF-7876339DBCA1} - C:\WINDOWS\system32\Qq8q8lPS.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\Tt2t2oSV.dll
Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post both DSS logs; you won't need to produce a new HijackThis log, as DSS produces one for you.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
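As an added example, not code from the thread or from HijackThis, here is one way to apply silver's triage of the O2 (BHO) lines programmatically: flag entries with no display name, or with a random-looking eight-character DLL name under system32, and return the exact log lines to tick for Fix checked. The input is the five O2 lines from the log above, embedded as a constructed sample; the two heuristics are my own assumptions, not a HijackThis feature.

```python
import re

# Constructed sample: the O2 lines from the HijackThis log posted in this thread.
SAMPLE_O2 = r'''O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: - {0B428C12-8F5E-4D26-9ABF-7876339DBCA1} - C:\WINDOWS\system32\Qq8q8lPS.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\Tt2t2oSV.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
'''

# "O2 - BHO: <name> - {CLSID} - <path>"; the space before the dash is optional
# so that a blank name ("O2 - BHO: - {...}") still parses.
O2_RE = re.compile(
    r'^O2 - BHO: (?P<name>.*?) ?- (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$'
)
SYSTEM32_RE = re.compile(r'\\windows\\system32\\', re.IGNORECASE)


def parse_o2(text):
    """Return one dict per O2 line: raw line, display name, CLSID and DLL path."""
    entries = []
    for raw in text.splitlines():
        m = O2_RE.match(raw.strip())
        if not m:
            continue  # not an O2 line (or a malformed one); leave it for the reviewer
        entries.append({
            "raw": raw.strip(),
            "name": m.group("name").strip(),
            "clsid": m.group("clsid"),
            "path": m.group("path").strip(),
        })
    return entries


def looks_random(filename):
    """Assumed heuristic: an 8-character alphanumeric stem mixing upper case,
    lower case and digits (Qq8q8lPS, Tt2t2oSV). Plain names such as comctl32
    have no upper-case letters and are not flagged."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def suspicious_reasons(entry):
    """List the reasons an entry deserves a second look; empty means none."""
    reasons = []
    if not entry["name"]:
        reasons.append("empty display name")
    filename = entry["path"].rsplit("\\", 1)[-1]
    if SYSTEM32_RE.search(entry["path"]) and looks_random(filename):
        reasons.append("random-looking 8-character DLL name in system32")
    return reasons


def triage_bhos(text):
    """Map each flagged DLL path to its reasons and the exact line to fix."""
    flagged = {}
    for entry in parse_o2(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["path"]] = {"reasons": reasons, "fix_line": entry["raw"]}
    return flagged


if __name__ == "__main__":
    for path, info in triage_bhos(SAMPLE_O2).items():
        print(path, "->", "; ".join(info["reasons"]))
        print("   ", info["fix_line"])
```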

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Post by jaslur1982 » July 23rd, 2008, 10:50 pm

Hi Silver,
I hope I have done this correctly. I have sent off those two files you requested to the bleepingcomputer site and put TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG under Link to topic where this file was requested.

Below I have also pasted the two log files requested, main.txt as well as extra.txt:

MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Jase on 2008-07-24 10:36:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-07-24 02:36:53 UTC - RP88 - Deckard's System Scanner Restore Point
6: 2008-07-22 03:19:59 UTC - RP87 - System Checkpoint
5: 2008-07-20 11:46:40 UTC - RP86 - System Checkpoint
4: 2008-07-18 14:56:21 UTC - RP85 - System Checkpoint
3: 2008-07-14 13:31:31 UTC - RP84 - System Checkpoint


-- First Restore Point --
1: 2008-07-12 15:16:12 UTC - RP82 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jase.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:25 AM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\DVD Software\AnyDvD\AnyDVD.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jase\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jase.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "F:\DVD Software\CloneDvD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] F:\DVD Software\AnyDvD\AnyDVD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Adobe Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 6545 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080724-103245-140 O2 - BHO: - {0B428C12-8F5E-4D26-9ABF-7876339DBCA1} - C:\WINDOWS\system32\Qq8q8lPS.dll
backup-20080724-103245-181 O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\Tt2t2oSV.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>
R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 nSvcLog (ForceWare user log service) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvclog.exe <Not Verified; NVIDIA; NVIDIA nSvcLog>

S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-24 10:00:00 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-07-24 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-07-23 22:00:00 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-07-23 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-07-22 23:00:00 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-07-22 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-07-22 21:00:00 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-07-22 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-07-22 20:00:00 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-07-22 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-07-22 19:00:00 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-07-22 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-07-22 18:00:00 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-07-22 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-07-22 17:00:00 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-07-22 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-07-22 16:00:00 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-07-22 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-07-22 15:00:00 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-07-22 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-07-22 14:00:00 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-07-22 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-07-22 13:00:00 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-07-22 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-07-22 12:00:00 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-07-22 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-07-22 11:00:00 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-07-22 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-07-19 09:00:00 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-07-19 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-07-19 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-07-19 08:00:00 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-07-19 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-07-19 07:00:00 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-07-19 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-07-19 06:00:00 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-07-19 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-07-19 05:00:00 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-07-19 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-07-19 04:00:00 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-07-19 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-07-19 03:00:00 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-07-19 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-07-19 02:00:00 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-07-19 01:00:00 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-07-19 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-07-19 00:44:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-07-19 00:27:00 350 --a------ C:\WINDOWS\Tasks\At25.job


-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-22 10:10:31 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-07-05 18:10:00 29760 --a------ C:\WINDOWS\system32\M6lImI0M.exe
2008-07-04 19:16:35 0 d-------- C:\WINDOWS\CSC
2008-06-29 22:28:15 0 d-------- C:\Documents and Settings\Jase\Application Data\Acronis
2008-06-29 22:04:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Acronis
2008-06-29 21:55:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-06-29 21:53:46 0 d-------- C:\Program Files\Common Files\Acronis
2008-06-29 21:53:46 0 d-------- C:\Program Files\Acronis
2008-06-29 18:19:55 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-29 17:30:03 0 d-------- C:\Documents and Settings\Jase\Application Data\Symantec
2008-06-29 17:28:00 29760 --a------ C:\WINDOWS\system32\qXB4xo2g.exe
2008-06-28 10:59:08 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-28 10:57:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-28 10:57:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-25 18:22:16 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-10 22:37:03 0 d-------- C:\Documents and Settings\Jase\Application Data\uTorrent
2008-07-07 11:13:48 0 d-------- C:\Documents and Settings\Jase\Application Data\Ahead
2008-06-29 21:53:46 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [02/17/2006 10:40 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/24/2006 06:15 PM]
"nwiz"="nwiz.exe" [01/24/2006 06:15 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [01/24/2006 06:15 PM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [10/27/2004 03:21 PM C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [05/20/2005 09:11 AM]
"CloneDVDElbyDelay"="F:\DVD Software\CloneDvD\ElbyCheck.exe" [11/02/2002 02:33 PM]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 04:40 PM]
"AnyDVD"="F:\DVD Software\AnyDvD\AnyDVD.exe" [04/19/2008 10:49 AM]
"Adobe Reader Speed Launcher"="F:\Adobe Reader\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [10/31/2007 12:53 PM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [10/30/2007 08:11 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [10/30/2007 08:07 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [08/07/2006 10:06 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/31/2008 09:29 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [02/01/2006 05:45 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap




-- Hosts -----------------------------------------------------------------------

127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
127.0.0.1 032439.com
127.0.0.1 http://www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 http://www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 http://www.100sexlinks.com

7934 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-24 10:37:55 ------------


EXTRA.TXT


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
CPU 1: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 990.48 MiB / 538.06 MiB
Pagefile Memory (total/avail): 2386.76 MiB / 2031.83 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.69 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 29.29 GiB total, 22.56 GiB free.
D: is Fixed (NTFS) - 232.88 GiB total, 132.8 GiB free.
E: is Fixed (NTFS) - 29.29 GiB total, 29.23 GiB free.
F: is Fixed (NTFS) - 90.46 GiB total, 66.23 GiB free.
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-00NCB1 - 149.05 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 29.29 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 29.29 GiB - E:
\PARTITION2 - Installable File System - 90.46 GiB - F:

\\.\PHYSICALDRIVE1 - WDC WD2500KS-00MJB0 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: ActiveArmor Firewall v1.0 (NVIDIA Corporation)
FW: Trend Micro Personal Firewall v5.2 (Trend Micro Inc.)
AV: Trend Micro Internet Security v16.10.1079 ()

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\Ws-Ftp Pro\\Ws-Ftp Pro\\wsftpgui.exe"="F:\\Ws-Ftp Pro\\Ws-Ftp Pro\\wsftpgui.exe:*:Enabled:WS_FTP Pro Application"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jase\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JASE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jase
LOGONSERVER=\\JASE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jase\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jase\LOCALS~1\Temp
USERDOMAIN=JASE
USERNAME=Jase
USERPROFILE=C:\Documents and Settings\Jase
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jase (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> F:\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Acronis True Image Home --> MsiExec.exe /X{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AnyDVD --> "F:\DVD Software\AnyDvD\AnyDVD-uninst.exe" /D="F:\DVD Software\AnyDvD"
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
CloneDVD --> "F:\DVD Software\CloneDvD\CloneDVD-uninst.exe" /D="F:\DVD Software\CloneDvD"
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN V Series (R2) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}\SETUP.EXE" -l0x9 /remove
Enhancement Browser Tools Adsonmedia --> C:\WINDOWS\system32\{eb0c33ef-14e7-99c1-4bc5-c8af5970e9d8}.dll-uninst.exe
Free CD Ripper 3.1 --> "F:\CD Ripper\FreeCDRipper\unins000.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Ipswitch WS_FTP Professional 2007 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}\setup.exe" -l0x9 -removeonly
K-Lite Codec Pack 3.4.0 Full --> "F:\Video Codec\K-Lite Codec Pack\unins000.exe"
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{2F750C77-1FEC-44F9-88CC-2CE322EBD61E}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> F:\Firefox\uninstall\helper.exe
Nero 7 Essentials --> MsiExec.exe /I{855C1A51-9A98-9D81-F50D-9B033B921033}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9 -removeonly
Trend Micro Internet Security --> C:\Program Files\Trend Micro\Internet Security\remove.exe
Trend Micro Internet Security --> MsiExec.exe /X{A621B45A-D138-4A95-BE10-7CABA05EF94E}
VideoLAN VLC media player 0.8.6f --> F:\VLC Player\VLC\uninstall.exe
ZENcast Organizer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9 /remove


-- Application Event Log -------------------------------------------------------

Event Record #/Type937 / Error
Event Submitted/Written: 07/24/2008 10:21:09 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module mfc71u.dll, version 7.10.3077.0, fault address 0x000bc442.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type929 / Error
Event Submitted/Written: 07/23/2008 10:16:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module mfc71u.dll, version 7.10.3077.0, fault address 0x000bc442.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type886 / Error
Event Submitted/Written: 07/19/2008 11:15:07 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x01fbc85d.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type830 / Error
Event Submitted/Written: 07/12/2008 10:27:02 AM
Event ID/Source: 1512 / Userenv
Event Description:
Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.


DETAIL - Insufficient system resources exist to complete the requested service.

Event Record #/Type825 / Error
Event Submitted/Written: 07/12/2008 09:22:15 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x03dbc85d.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4652 / Error
Event Submitted/Written: 07/24/2008 10:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At35.job command failed to start due to the following error:
%%2147942405

Event Record #/Type4651 / Error
Event Submitted/Written: 07/24/2008 10:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At11.job command failed to start due to the following error:
%%2147942405

Event Record #/Type4650 / Error
Event Submitted/Written: 07/24/2008 09:58:38 AM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer DT-150
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DB0958A5-C3CA-4BD8-AE.
The master browser is stopping or an election is being forced.

Event Record #/Type4649 / Error
Event Submitted/Written: 07/24/2008 09:57:11 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error:
%%8

Event Record #/Type4648 / Error
Event Submitted/Written: 07/24/2008 09:57:11 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The HTTP service failed to start due to the following error:
%%8



-- End of Deckard's System Scanner: finished at 2008-07-24 10:37:55 ------------
jaslur1982
Active Member
 
Posts: 7
Joined: July 20th, 2008, 7:01 am
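Added example, not part of the thread and not code from Deckard's System Scanner: a small Python audit of a Windows hosts file. The roughly 7,900 entries DSS reports above all map a hostname to 127.0.0.1, which is the shape of a hosts-based ad/malware blocklist such as the ones anti-spyware tools install. The two shapes worth flagging are different: a security vendor's domain sent to the sinkhole (so its updates and scanners stop working) and a hostname sent to some other address (a redirect). The vendor watchlist is an assumption for this example, and the two tampering lines in the sample are constructed; they were not on this machine.

```python
"""Audit a Windows hosts file for tampering (added example, not from the thread).

Sinkhole entries (name -> 127.0.0.1 / 0.0.0.0 / ::1) are normal for a blocklist.
Flagged instead:
  * blocked_security_site: a watchlisted vendor domain sent to the sinkhole
  * redirect: a name sent to any address that is not a sinkhole
"""
import ipaddress
from collections import Counter

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed watchlist for this example; extend with the vendors you actually rely on.
WATCHLIST = (
    "microsoft.com", "windowsupdate.com", "trendmicro.com", "eset.com",
    "eset.eu", "symantec.com", "kaspersky.com", "bleepingcomputer.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: not a hosts entry
        for name in fields[1:]:
            yield ip, name.lower()


def on_watchlist(name):
    """True when name is a watchlisted domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return (counts-by-class, list of (class, ip, name) findings)."""
    counts = Counter()
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            counts["local"] += 1
        elif ip in SINKHOLES:
            if on_watchlist(name):
                counts["blocked_security_site"] += 1
                findings.append(("blocked_security_site", ip, name))
            else:
                counts["blocklist"] += 1
        else:
            counts["redirect"] += 1
            findings.append(("redirect", ip, name))
    return dict(counts), findings


# Constructed sample: the 127.0.0.1 blocklist lines are taken from the DSS log in
# the thread; the two lines marked "constructed" are tampering patterns added for
# this example and were NOT present on the machine.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
0.0.0.0   1001-search.info          # same blocklist idea, 0.0.0.0 form
127.0.0.1 update.trendmicro.com     # constructed: vendor domain sinkholed
203.0.113.10 www.windowsupdate.com  # constructed: redirected to a foreign host
this line is malformed and is skipped
"""

if __name__ == "__main__":
    counts, findings = audit_hosts(SAMPLE_HOSTS)
    print("entry counts:", counts)
    for kind, ip, name in findings:
        print(f"FLAG {kind:22s} {ip:15s} {name}")
```

On a live machine the file is `%SystemRoot%\system32\drivers\etc\hosts`; a blocklist produces a large `blocklist` count and nothing else, while any `redirect` or `blocked_security_site` finding deserves a look regardless of how many blocklist lines surround it.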

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Unread postby silver » July 23rd, 2008, 11:35 pm

Hi jaslur1982,

Yes, you did the upload just right :) There is one more file to be uploaded and checked:

Please open this page in your browser:
http://www.bleepingcomputer.com/submit- ... channel=32

Copy/paste the following into the Browse to the file you want to submit field:
C:\WINDOWS\DCEBoot.exe
Then press Send File, this will upload the file for analysis

------------------------------------------------------------------------

Please open Start->Control Panel->Add/Remove Programs, and remove the following:
Enhancement Browser Tools Adsonmedia
If you get a message that an error occurred and are asked if you wish to remove it from the list, answer Yes

You have uTorrent, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I strongly recommend you remove uTorrent via Add/Remove Programs.

------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    C:\WINDOWS\system32\{eb0c33ef-14e7-99c1-4bc5-c8af5970e9d8}.dll-uninst.exe
    C:\Windows\fonts\gezeand.fon
    C:\windows\system32\rsztafg.dll
    C:\windows\system32\rsztapm.dll
    C:\WINDOWS\system32\Tt2t2oSV.dll
    C:\WINDOWS\system32\Qq8q8lPS.dll
    C:\WINDOWS\system32\M6lImI0M.exe
    C:\WINDOWS\system32\qXB4xo2g.exe
    C:\WINDOWS\Tasks\At*.job
    emptytemp
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
  • Close OTMoveIt2

------------------------------------------------------------------------

Open the ESET Online Scanner in Internet Explorer
  • Tick the box next to YES, I accept the Terms of Use. and click Start
  • Allow the ActiveX control to be installed by Internet Explorer
  • Once the ActiveX has finished loading click Start to initialize and update the scanner
  • When the Computer scan screen appears, leave Remove found threats UN-checked, but check the box next to Scan unwanted applications. Then click Scan to begin the scan.
  • Once complete and the summary page appears, press Start->Run, copy/paste the following command into the box and press OK:
    notepad "C:\Program Files\EsetOnlineScanner\log.txt"
  • The log file should now appear in Notepad, copy and paste the contents in your next response.

------------------------------------------------------------------------

Once complete, please post the OTMoveIt report, the Eset scan log and a new HijackThis log
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Unread postby jaslur1982 » July 24th, 2008, 6:50 am

Hi Silver,
I have uploaded that file you asked for, on bleepingcomputer.com.

Below I have pasted the results of OTMoveIt, the ESET scan log, as well as a new HijackThis log.

OTMOVEIT REPORT


File/Folder C:\WINDOWS\system32\{eb0c33ef-14e7-99c1-4bc5-c8af5970e9d8}.dll-uninst.exe not found.
File/Folder C:\Windows\fonts\gezeand.fon not found.
File/Folder C:\windows\system32\rsztafg.dll not found.
File/Folder C:\windows\system32\rsztapm.dll not found.
File/Folder C:\WINDOWS\system32\Tt2t2oSV.dll not found.
File/Folder C:\WINDOWS\system32\Qq8q8lPS.dll not found.
File/Folder C:\WINDOWS\system32\M6lImI0M.exe not found.
File/Folder C:\WINDOWS\system32\qXB4xo2g.exe not found.
< C:\WINDOWS\Tasks\At*.job >
File/Folder C:\WINDOWS\Tasks\At*.job not found.
< emptytemp >
Temp folders emptied.
IE temp folders emptied.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07242008_180721


ESET SCAN LOG

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3294 (20080724)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=2b0d8ce350307341b86d641fc86cd5eb
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-07-24 10:42:47
# local_time=2008-07-24 06:42:47 (+0800, W. Australia Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=73256
# found=4
# scan_time=1581
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080724-103245-181.dll Win32/Agent.NYJ trojan 2B17E0DDC23DDC318F2176C8F8706183
C:\_OTMoveIt\MovedFiles\07242008_180114\WINDOWS\system32\M6lImI0M.exe a variant of Win32/TrojanDownloader.Firu trojan 971E86D9668CC112F214321B947E421F
C:\_OTMoveIt\MovedFiles\07242008_180114\WINDOWS\system32\qXB4xo2g.exe a variant of Win32/TrojanDownloader.Firu trojan 22373674A5FD2EE8C34FA40F31C0ED59
F:\DVD Software\AnyDvD\RegCheck.exe probably a variant of Win32/Agent trojan 61E3DB7C739C7DAD82DCBFBA79B21C17

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:16 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\DVD Software\AnyDvD\AnyDVD.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "F:\DVD Software\CloneDvD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] F:\DVD Software\AnyDvD\AnyDVD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Adobe Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 6708 bytes
jaslur1982
Active Member
 
Posts: 7
Joined: July 20th, 2008, 7:01 am
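Added example, not from the thread and not ESET's code: a triage pass over an ESET Online Scanner log in Python. Of the four hits in the log above, three are files that earlier tools had already moved into their own backup folders (`HijackThis\backups`, `_OTMoveIt\MovedFiles`), so they are inert copies rather than live infections, and the fourth carries a heuristic verdict ("probably a variant of"). Sorting hits by where they sit and how firm the verdict is separates the real question (is anything still live?) from cleanup-tool residue. The quarantine-folder markers are assumptions, and the fifth, tab-delimited line in the sample is constructed for the example.

```python
"""Triage an ESET Online Scanner log (added example, not from the thread or ESET).

Each hit is bucketed as:
  * quarantined: the path is inside a cleanup tool's backup/quarantine folder
  * heuristic:   the verdict starts with "probably" (submit for analysis first)
  * active:      everything else, i.e. a firm detection on a file still in place
"""
import re

# Assumed folder markers for tools seen in this thread; add your own quarantine paths.
QUARANTINE_MARKERS = (
    "\\_otmoveit\\movedfiles\\",
    "\\hijackthis\\backups\\",
    "\\quarantine\\",
)
# ESET separates path, detection and MD5 with tabs; copy-pasted logs usually collapse
# them to spaces, so the fallback anchors on the file extension and the 32-hex hash.
LINE_RE = re.compile(
    r"^(?P<path>.+?\.\w{1,4})\s+(?P<detection>\S.*?)\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_eset_log(text):
    """Return hits as dicts with path/detection/md5; '#' header lines are skipped."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\t" in line:  # native tab-delimited form
            parts = [p for p in line.split("\t") if p]
            if len(parts) >= 3:
                hits.append({"path": parts[0], "detection": parts[1],
                             "md5": parts[-1].upper()})
                continue
        m = LINE_RE.match(line)  # whitespace-collapsed form
        if m:
            hits.append({"path": m["path"], "detection": m["detection"],
                         "md5": m["md5"].upper()})
    return hits


def classify(hit):
    path = hit["path"].lower()
    if any(marker in path for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if hit["detection"].lower().startswith("probably"):
        return "heuristic"
    return "active"


def triage(text):
    """Bucket every hit in the log; returns {'active': [...], 'heuristic': [...], 'quarantined': [...]}."""
    buckets = {"active": [], "heuristic": [], "quarantined": []}
    for hit in parse_eset_log(text):
        buckets[classify(hit)].append(hit)
    return buckets


# Constructed sample: the first four hits are the lines from the ESET log posted in
# the thread (space-separated, as copy-pasted); the last line is constructed in
# ESET's native tab-delimited form and refers to a file that does not exist.
SAMPLE_LOG = "\n".join([
    "# version=4",
    "# found=4",
    "C:\\Program Files\\Trend Micro\\HijackThis\\backups\\backup-20080724-103245-181.dll Win32/Agent.NYJ trojan 2B17E0DDC23DDC318F2176C8F8706183",
    "C:\\_OTMoveIt\\MovedFiles\\07242008_180114\\WINDOWS\\system32\\M6lImI0M.exe a variant of Win32/TrojanDownloader.Firu trojan 971E86D9668CC112F214321B947E421F",
    "C:\\_OTMoveIt\\MovedFiles\\07242008_180114\\WINDOWS\\system32\\qXB4xo2g.exe a variant of Win32/TrojanDownloader.Firu trojan 22373674A5FD2EE8C34FA40F31C0ED59",
    "F:\\DVD Software\\AnyDvD\\RegCheck.exe probably a variant of Win32/Agent trojan 61E3DB7C739C7DAD82DCBFBA79B21C17",
    "C:\\WINDOWS\\system32\\example_constructed.dll\tWin32/Example.A trojan\t00000000000000000000000000000000",
])

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"[{bucket}] {len(hits)} hit(s)")
        for h in hits:
            print(f"    {h['md5']}  {h['detection']}  <- {h['path']}")
```

Quarantined hits go away when the cleanup tools' own folders are removed at the end of the job; heuristic hits on a known tool are a reason to upload the file for analysis, as silver did with DCEBoot.exe, rather than to delete it on sight.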
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 6708 bytes
jaslur1982
Active Member
 
Posts: 7
Joined: July 20th, 2008, 7:01 am

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Unread postby silver » July 24th, 2008, 9:12 pm

Hi jaslur1982,

The OTMoveIt report isn't what I expected to see. Did you perform the OTMoveIt instructions more than once?
Otherwise things look good; how is your machine running now?

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:
cmd /c dir "c:\_OTMoveIt" /a /s >> "%userprofile%\desktop\look.txt" 2>>&1
A black box will open and a file will appear on your Desktop called look.txt.
Please wait until the black box closes before opening look.txt
Post the contents of look.txt in your next response.

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press the Start->Run, copy/paste the following command into the box and press OK:
    "%userprofile%\desktop\dss.exe" /config
  • A configuration box will appear, make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!

Once complete, please post the look.txt output and the new DSS main.txt report.
Also, let me know how your machine is running now.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Unread postby jaslur1982 » July 24th, 2008, 10:00 pm

Hi Silver,
You are correct, I did have to run OTMoveIt twice, as I thought once it was complete I would have to reboot the machine and the final result would open in Notepad, but that did not happen. So I ran OTMoveIt again and just copied and pasted the results after I pressed Move It. I hope that is not a problem?

Other than that, my system seems to be running a lot smoother, responding to my commands more efficiently, and I do not seem to have any popups regarding TSPY ONLINE.FXG.

Below I have pasted what you have asked for.

CONTENTS OF LOOK.TXT FILE

Volume in drive C has no label.
Volume Serial Number is BC26-4043

Directory of c:\_OTMoveIt

07/24/2008 05:58 PM <DIR> .
07/24/2008 05:58 PM <DIR> ..
07/24/2008 06:07 PM <DIR> MovedFiles
0 File(s) 0 bytes

Directory of c:\_OTMoveIt\MovedFiles

07/24/2008 06:07 PM <DIR> .
07/24/2008 06:07 PM <DIR> ..
07/24/2008 05:58 PM <DIR> 07242008_175827
07/24/2008 05:58 PM 152 07242008_175827.log
07/24/2008 05:58 PM 2 07242008_175827.res
07/24/2008 05:58 PM <DIR> 07242008_175853
07/24/2008 06:01 PM <DIR> 07242008_180114
07/24/2008 06:01 PM 5,804 07242008_180114.log
07/24/2008 06:01 PM 9,822 07242008_180114.res
07/24/2008 06:07 PM <DIR> 07242008_180721
07/24/2008 06:07 PM 1,420 07242008_180721.log
07/24/2008 06:07 PM 2 07242008_180721.res
6 File(s) 17,202 bytes

Directory of c:\_OTMoveIt\MovedFiles\07242008_175827

07/24/2008 05:58 PM <DIR> .
07/24/2008 05:58 PM <DIR> ..
0 File(s) 0 bytes

Directory of c:\_OTMoveIt\MovedFiles\07242008_175853

07/24/2008 05:58 PM <DIR> .
07/24/2008 05:58 PM <DIR> ..
0 File(s) 0 bytes

Directory of c:\_OTMoveIt\MovedFiles\07242008_180114

07/24/2008 06:01 PM <DIR> .
07/24/2008 06:01 PM <DIR> ..
07/24/2008 06:01 PM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of c:\_OTMoveIt\MovedFiles\07242008_180114\WINDOWS

07/24/2008 06:01 PM <DIR> .
07/24/2008 06:01 PM <DIR> ..
07/24/2008 06:01 PM <DIR> system32
07/24/2008 06:01 PM <DIR> Tasks
0 File(s) 0 bytes

Directory of c:\_OTMoveIt\MovedFiles\07242008_180114\WINDOWS\system32

07/24/2008 06:01 PM <DIR> .
07/24/2008 06:01 PM <DIR> ..
07/05/2008 06:09 PM 29,760 M6lImI0M.exe
06/29/2008 05:27 PM 29,760 qXB4xo2g.exe
2 File(s) 59,520 bytes

Directory of c:\_OTMoveIt\MovedFiles\07242008_180114\WINDOWS\Tasks

07/24/2008 06:01 PM <DIR> .
07/24/2008 06:01 PM <DIR> ..
07/19/2008 12:44 AM 350 At1.job
07/19/2008 09:00 AM 350 At10.job
07/24/2008 10:00 AM 350 At11.job
07/24/2008 11:00 AM 350 At12.job
07/24/2008 12:00 PM 350 At13.job
07/24/2008 01:00 PM 350 At14.job
07/24/2008 02:00 PM 350 At15.job
07/24/2008 03:00 PM 350 At16.job
07/24/2008 04:00 PM 350 At17.job
07/24/2008 05:00 PM 350 At18.job
07/24/2008 06:00 PM 350 At19.job
07/19/2008 01:00 AM 350 At2.job
07/22/2008 07:00 PM 350 At20.job
07/22/2008 08:00 PM 350 At21.job
07/22/2008 09:00 PM 350 At22.job
07/23/2008 10:00 PM 350 At23.job
07/22/2008 11:00 PM 350 At24.job
07/19/2008 12:27 AM 350 At25.job
07/19/2008 01:00 AM 350 At26.job
07/19/2008 02:00 AM 350 At27.job
07/19/2008 03:00 AM 350 At28.job
07/19/2008 04:00 AM 350 At29.job
07/19/2008 02:00 AM 350 At3.job
07/19/2008 05:00 AM 350 At30.job
07/19/2008 06:00 AM 350 At31.job
07/19/2008 07:00 AM 350 At32.job
07/19/2008 08:00 AM 350 At33.job
07/19/2008 09:00 AM 350 At34.job
07/24/2008 10:00 AM 350 At35.job
07/24/2008 11:00 AM 350 At36.job
07/24/2008 12:00 PM 350 At37.job
07/24/2008 01:00 PM 350 At38.job
07/24/2008 02:00 PM 350 At39.job
07/19/2008 03:00 AM 350 At4.job
07/24/2008 03:00 PM 350 At40.job
07/24/2008 04:00 PM 350 At41.job
07/24/2008 05:00 PM 350 At42.job
07/24/2008 06:00 PM 350 At43.job
07/22/2008 07:00 PM 350 At44.job
07/22/2008 08:00 PM 350 At45.job
07/22/2008 09:00 PM 350 At46.job
07/23/2008 10:00 PM 350 At47.job
07/22/2008 11:00 PM 350 At48.job
07/19/2008 04:00 AM 350 At5.job
07/19/2008 05:00 AM 350 At6.job
07/19/2008 06:00 AM 350 At7.job
07/19/2008 07:00 AM 350 At8.job
07/19/2008 08:00 AM 350 At9.job
48 File(s) 16,800 bytes

Directory of c:\_OTMoveIt\MovedFiles\07242008_180721

07/24/2008 06:07 PM <DIR> .
07/24/2008 06:07 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
56 File(s) 93,522 bytes
26 Dir(s) 24,535,867,392 bytes free


DSS MAIN.TXT REPORT


Deckard's System Scanner v20071014.68
Run by Jase on 2008-07-25 09:51:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
7: 2008-07-24 02:36:53 UTC - RP88 - Deckard's System Scanner Restore Point
6: 2008-07-22 03:19:59 UTC - RP87 - System Checkpoint
5: 2008-07-20 11:46:40 UTC - RP86 - System Checkpoint
4: 2008-07-18 14:56:21 UTC - RP85 - System Checkpoint
3: 2008-07-14 13:31:31 UTC - RP84 - System Checkpoint


-- First Restore Point --
1: 2008-07-12 15:16:12 UTC - RP82 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Jase.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:38 AM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\DVD Software\AnyDvD\AnyDVD.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jase\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jase.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "F:\DVD Software\CloneDvD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] F:\DVD Software\AnyDvD\AnyDVD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Adobe Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 6740 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080724-103245-140 O2 - BHO: - {0B428C12-8F5E-4D26-9ABF-7876339DBCA1} - C:\WINDOWS\system32\Qq8q8lPS.dll
backup-20080724-103245-181 O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\Tt2t2oSV.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>
R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 nSvcLog (ForceWare user log service) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvclog.exe <Not Verified; NVIDIA; NVIDIA nSvcLog>

S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 1716)
2006-02-17 10:39:14 131072 --a------ C:\WINDOWS\system32\nvappfilter.dll <Not Verified; NVIDIA; NVIDIA Application Filter>


-- Files created between 2008-06-25 and 2008-07-25 -----------------------------

2008-07-24 18:13:46 0 d-------- C:\Program Files\EsetOnlineScanner
2008-07-22 10:10:31 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-07-04 19:16:35 0 d-------- C:\WINDOWS\CSC
2008-06-29 22:28:15 0 d-------- C:\Documents and Settings\Jase\Application Data\Acronis
2008-06-29 22:04:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Acronis
2008-06-29 21:55:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-06-29 21:53:46 0 d-------- C:\Program Files\Common Files\Acronis
2008-06-29 21:53:46 0 d-------- C:\Program Files\Acronis
2008-06-29 18:19:55 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-29 17:30:03 0 d-------- C:\Documents and Settings\Jase\Application Data\Symantec
2008-06-28 10:59:08 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-28 10:57:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-28 10:57:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-25 18:22:16 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-07 11:13:48 0 d-------- C:\Documents and Settings\Jase\Application Data\Ahead
2008-06-29 21:53:46 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [02/17/2006 10:40 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/24/2006 06:15 PM]
"nwiz"="nwiz.exe" [01/24/2006 06:15 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [01/24/2006 06:15 PM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [10/27/2004 03:21 PM C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [05/20/2005 09:11 AM]
"CloneDVDElbyDelay"="F:\DVD Software\CloneDvD\ElbyCheck.exe" [11/02/2002 02:33 PM]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 04:40 PM]
"AnyDVD"="F:\DVD Software\AnyDvD\AnyDVD.exe" [04/19/2008 10:49 AM]
"Adobe Reader Speed Launcher"="F:\Adobe Reader\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [10/31/2007 12:53 PM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [10/30/2007 08:11 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [10/30/2007 08:07 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [08/07/2006 10:06 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/31/2008 09:29 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [02/01/2006 05:45 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap




-- Hosts -----------------------------------------------------------------------

127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
127.0.0.1 032439.com
127.0.0.1 http://www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 http://www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 http://www.100sexlinks.com

7934 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-25 09:52:31 ------------
jaslur1982
Active Member
 
Posts: 7
Joined: July 20th, 2008, 7:01 am
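The look.txt listing above shows the two things a helper looks for in an OTMoveIt MovedFiles tree: 8-character mixed-case executable names moved out of system32, and a block of hourly At*.job scheduled tasks. The script below is an added example (not part of this thread or of OTMoveIt/DSS) that parses "dir /a /s" output and flags both patterns; its sample listing is constructed from the rows above, with a benign wscntfy.exe row and all file sizes made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of cmd's "dir /a /s" output (look.txt).
# Only two sub-directories are reproduced; sizes are illustrative.
SAMPLE_LOOK_TXT = """\
 Directory of c:\\_OTMoveIt\\MovedFiles\\07242008_180114\\WINDOWS\\system32

07/24/2008  06:01 PM    <DIR>          .
07/24/2008  06:01 PM    <DIR>          ..
07/05/2008  06:09 PM            29,760 M6lImI0M.exe
06/29/2008  05:27 PM            29,760 qXB4xo2g.exe
06/29/2008  05:27 PM            38,912 wscntfy.exe
               3 File(s)         98,432 bytes

 Directory of c:\\_OTMoveIt\\MovedFiles\\07242008_180114\\WINDOWS\\Tasks

07/24/2008  06:01 PM    <DIR>          .
07/24/2008  06:01 PM    <DIR>          ..
07/19/2008  12:44 AM               350 At1.job
07/19/2008  01:00 AM               350 At2.job
07/24/2008  10:00 AM               350 At11.job
07/24/2008  11:00 AM               350 At12.job
               4 File(s)          1,400 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, size (with thousands separators), file name
FILE_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$"
)
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{8}$")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr")


def parse_dir_listing(text):
    """Yield (directory, filename, size_bytes) for every regular file.

    <DIR> rows and the 'n File(s)' summary rows are skipped; the summary rows
    never match FILE_LINE because they do not start with a date.
    """
    current = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or "<DIR>" in line:
            continue
        m = FILE_LINE.match(line)
        if m:
            size = int(m.group(3).replace(",", ""))
            yield current, m.group(4), size


def looks_random(filename):
    """Heuristic only: an executable whose 8-character stem mixes upper-case,
    lower-case and digits (e.g. M6lImI0M.exe, Qq8q8lPS.dll)."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ("." + ext).lower() not in EXECUTABLE_EXT:
        return False
    if not RANDOM_STEM.match(stem):
        return False
    return (any(c.isupper() for c in stem) and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))


def triage(listing, at_job_threshold=3):
    """Return the findings a helper would pull out of a look.txt listing."""
    random_named = []
    at_jobs = defaultdict(list)
    for directory, name, size in parse_dir_listing(listing):
        if looks_random(name):
            random_named.append((directory, name, size))
        if directory.lower().endswith("\\tasks") and AT_JOB.match(name):
            at_jobs[directory].append(size)
    # A run of AtN.job files of identical size is the hourly re-launch pattern.
    clusters = {d: len(s) for d, s in at_jobs.items() if len(s) >= at_job_threshold}
    uniform = {d: len(set(at_jobs[d])) == 1 for d in clusters}
    return {"random_named_executables": random_named,
            "at_job_clusters": clusters,
            "at_jobs_identical_size": uniform}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOOK_TXT).items():
        print(key, value)
```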

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Unread postby silver » July 24th, 2008, 10:20 pm

Hi jaslur1982,

No problem running OTMoveIt twice, it's just that the log said none of the files were present; this occurred because they were moved on the previous run.

Clean up with OTMoveIt2:
  • Double-click OTMoveIt2.exe to start the program.
  • Close all other programs apart from OTMoveIt2 as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Please also clean out your Trend Micro quarantined files area.

------------------------------------------------------------------------

If the above went well, I think your machine is clean of malware :) Here are some tips to help you keep it that way:

It appears that you have two active firewalls - Trend Micro and ActiveArmor. I recommend you only have one firewall active at once because they can conflict and cause system problems.

I recommend you install a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also: subscribe to the mailing list to get update notifications.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Find out more about how to prevent infection in the future
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Please post back to let me know that you have read this, and if there are any further issues.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Unread postby jaslur1982 » July 25th, 2008, 5:49 am

Hi Silver,
I have run the cleanup, created a new system restore point, deleted the old infected restore points, and deleted all files out of the quarantined area of Trend.
Thanking you very much for your help, it is much appreciated. Before I logged my problem on here, I tried Trend Micro support and they were useless. Is there any way, if I encounter future problems (which I hope there won't be!! ;) ), to post for your assistance?
Once again, thanking you for your help and quick response time!!
Regards,
Jaslur1982
jaslur1982
Active Member
 
Posts: 7
Joined: July 20th, 2008, 7:01 am

Re: TREND INTERNET SECURITY 2008 - TSPY ONLINE.FXG

Unread postby silver » July 25th, 2008, 9:17 pm

You're most welcome Jaslur1982 and should you have problems in the future by all means come back and we'll help you get cleaned up. Following the prevention advice I posted will however make that possibility much less likely :)

Best of luck!




This topic is now closed
We are pleased to have been of assistance in getting you clean.

If you have been helped and wish to donate with the costs of this volunteer site, you can do so using this link
Donations For Malware Removal
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7