
Malware Removal Instructions

W32/Xorpix.ar!tr, Winsys2f.dll, Winsys2freg


Post by comcom » December 13th, 2006, 8:21 am

Got infected by W32/Xorpix.ar!tr (def@Fortiguard Center)
http://www.fortinet.com/VirusEncycloped ... fid=251483

I cannot get rid of the Winsys2f.dll file and the Winsys2freg Registry entry

The .dll stays in memory and re-writes the Reg entry as soon as I erase it

HJT file attached:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:37 PM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.lockon.ru/?langid=1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Administrator\My Documents\PCI Latency Tool\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0381297796
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E43523-D0B1-4A5E-A37D-8ED5FDC6C024}: NameServer = 203.144.255.71 203.144.255.72
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe

Appreciate any help
comcom
Active Member
 
Posts: 8
Joined: December 13th, 2006, 5:47 am
Location: Bangkok, Thailand
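A log-triage helper added here as an example; it is not code from the forum or from HijackThis. It reads the O2 and O20 entries of a log like the one above and lists the ones to tick in HJT's scan, treating C:\WINDOWS\system32 as the expected home of Winlogon Notify DLLs (an assumption for this XP box) and including one constructed, legitimately located O20 line for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt mirroring the HijackThis v1.99.1 log above, plus one constructed
# O20 line (crypt32chain) that sits where a Winlogon Notify package normally lives.
# Assumed HJT O20 format: "O20 - Winlogon Notify: <subkey> - <dll>[ (file missing)]".
HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: the system root is C:\WINDOWS, as the Platform line and paths in the log show.
SYSTEM32 = r"c:\windows\system32"

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<subkey>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+)$", re.I)


def in_system_dir(dll: str) -> bool:
    """A bare file name is resolved from system32; an absolute path must live under it."""
    p = PureWindowsPath(dll)
    if p.parent == PureWindowsPath("."):  # no directory component, e.g. "crypt32.dll"
        return True
    return str(p.parent).lower().rstrip("\\") == SYSTEM32


def triage(log_text: str) -> list:
    """Return (reason, line) pairs for O2/O20 entries that merit a Fix in HijackThis.

    A Winlogon Notify DLL is loaded into winlogon.exe (SYSTEM) at logon, which is why
    the registry entry reappears while the DLL is resident: the fix must remove the
    entry and delete the file before the next logon, as the thread does with Killbox.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O20":
            w = O20_RE.match(body)
            if not w:
                continue
            if w.group("missing"):
                findings.append(("orphaned Winlogon Notify entry: DLL already gone, remove the key", line))
            elif not in_system_dir(w.group("dll")):
                findings.append(("Winlogon Notify DLL loaded from outside system32 into winlogon.exe", line))
        elif section == "O2":
            b = O2_RE.match(body)
            if b and b.group("path") == "(no file)":
                findings.append(("BHO registration whose file no longer exists", line))
    return findings


def fix_list(log_text: str) -> list:
    """Only the lines to tick in HJT 'Scan only' before pressing 'Fix checked'."""
    return [line for _, line in triage(log_text)]


if __name__ == "__main__":
    for reason, line in triage(HJT_LOG):
        print(f"{reason}\n    {line}")
```

The two lines it returns for the log above are exactly the two that Bob4 asks to have fixed in his first reply.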

Post by Bob4 » December 14th, 2006, 12:56 pm

_________________________________
Welcome to the Forums.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!



!!! IMPORTANT !!!
You are running HJT directly from the desktop.
Create a folder called HJT either in C: or My Documents and place the hijackthis.exe in there.
This will ensure we have backups made and it doesn't get deleted.




Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.
______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll (file missing)





____________________________
Please download the Killbox by Option^Explicit

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.




______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).


___________________________________
Download AVG Anti-Spyware.

  • Install AVG Anti-Spyware.
  • Launch AVG by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update AVG to the latest definition files.

    • At the top of the main screen click Update.

      • Then in the Manual Update section, click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
  • When updates are completed, close AVG.

If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates
Do not use it yet.


________________________________________
Safe mode:
Please reboot to safe mode:
After the very first black screen, start tapping the F8 key until prompted with a list; choose Safe Mode.




_________________________________________
AVG Part 2
AVG
Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
Click on scanner
Click on Settings
Under How to act
Choose quarantine

Under Reports check automatically create report after every scan.
Now back to the scan tab and click on Complete system scan

Let the program scan the machine .
When finished click apply all actions.


Exit AVG.
It will save a log in C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Reboot normally.

Post the log from AVG and a new Hijackthis log.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Killbox,

Post by comcom » December 14th, 2006, 8:33 pm

Bob4,

I have moved the HJT to its own folder, C:\HJT.

I performed the first operation: RUN HJT scan only and FIX

O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll (file missing)

Then I try to RUN Killbox Ver2.0.0.648 and get the error message:
"PendingFileRenameOperations registry data has been removed by external process"
and the reboot and file delete will not execute?

I tried to use load component MsComCtl but it did not help?

Awaiting your response,
comcom

Post by Bob4 » December 15th, 2006, 8:54 am

That file may already be deleted. ;)

Continue on with my instructions and run AVG as described above and then post a new HJT log and the report from AVG.
Bob4

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settin

Post by comcom » December 15th, 2006, 8:27 pm

Bob4,

Yes, it's gone now!

HJT report:

Logfile of HijackThis v1.99.1
Scan saved at 7:30:37 AM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FSI\F-Prot\F-StopW.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.lockon.ru/?langid=1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Administrator\My Documents\PCI Latency Tool\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0381297796
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E43523-D0B1-4A5E-A37D-8ED5FDC6C024}: NameServer = 203.144.255.71 203.144.255.72
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe

I don't want to add AVG on my machine so I didn't run that report.
I like my F-Prot and Spybot well enough and I don't like to overload on the AV programs.

Thanks for your help! Much appreciated :headbang:
comcom

Post by Bob4 » December 15th, 2006, 10:07 pm

comcom wrote: I don't want to add AVG on my machine so I didn't run that report.


Your call, I guess. But AVG Anti-Spyware is not an antivirus program per se. It is anti-malware and picks up things a lot of other virus scanners miss. It's free and you could uninstall it once done.
All I want to do is make sure you're clean before I let you go.

Let's do this then.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please post the log from ComboFix for me.
Bob4

ComboFix report,

Post by comcom » December 16th, 2006, 5:51 am

Bob4,

ComboFix report attached:

Administrator - 06-12-16 16:54:42.21 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Combofix"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Application Data\Install.dat
C:\WINDOWS\xpupdate.exe
C:\Documents and Settings\All Users.WINDOWS\Documents\Settings
C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-11-16 to 2006-12-16 ))))))))))))))))))))))))))))))))))


2006-12-16 16:53 <DIR> d-------- C:\Combofix
2006-12-15 08:26 <DIR> dr-h----- C:\Documents and Settings\Administrator\Recent
2006-12-15 07:58 <DIR> d-------- C:\Program Files\CCleaner
2006-12-15 07:56 <DIR> d-------- C:\TEMP
2006-12-14 09:28 <DIR> d-------- C:\Program Files\Hex Workshop
2006-12-14 08:54 <DIR> d-------- C:\HJT
2006-12-13 10:52 798 --a------ C:\WINDOWS\system32\qvxga7met4.exe
2006-12-13 10:51 798 --a------ C:\WINDOWS\system32\qvxga6met3.exe
2006-12-13 10:51 3,072 --a------ C:\WINDOWS\system32\vxga3me22472656.exe
2006-12-13 10:50 817 --a------ C:\WINDOWS\system32\qvx5gamet2.exe
2006-12-13 10:50 6,751 --a------ C:\WINDOWS\system32\vxga8me6.exe
2006-12-13 10:50 3,072 -r-hs---- C:\WINDOWS\system32\vxga3me22441921.exe
2006-12-13 10:50 18,015 --a------ C:\WINDOWS\system32\w.exe
2006-12-13 10:50 16,896 --a------ C:\WINDOWS\system32\vxga4me1.exe
2006-12-13 09:30 8,287 --a------ C:\WINDOWS\system32\kernels88.exe
2006-12-13 09:30 8,287 --a------ C:\syst.exe
2006-12-13 09:30 8,287 --a------ C:\3456346345643.exe
2006-12-13 09:30 7,637 --a------ C:\WINDOWS\system32\dlh9jkd1q7.exe
2006-12-13 09:30 7,125 --a------ C:\WINDOWS\system32\dlh9jkd1q6.exe
2006-12-13 09:30 6,239 --a------ C:\WINDOWS\system32\m3KLPon.exe
2006-12-13 09:30 6,199 --a------ C:\WINDOWS\system32\vxg4am1et2.exe
2006-12-13 09:30 6,010 --a------ C:\WINDOWS\system32\vxga1me4t1.exe
2006-12-13 09:30 54,367 --a------ C:\WINDOWS\system32\google.png.exe
2006-12-13 09:30 29,279 --a------ C:\WINDOWS\system32\spoolsvv.exe
2006-12-13 09:30 29,271 --a------ C:\WINDOWS\system32\vxga4m1et4.exe
2006-12-13 09:30 18,901 --a------ C:\WINDOWS\system32\dlh9jkd1q2.exe
2006-12-13 09:30 18,015 ---h----- C:\WINDOWS\system32\syspools.exe
2006-12-13 09:30 16 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
2006-12-13 08:57 <DIR> d-------- C:\Program Files\Hackman
2006-12-12 12:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\XLnow
2006-12-12 11:21 <DIR> d-------- C:\Program Files\Vbsedit
2006-12-12 11:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Adersoft
2006-12-10 08:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe Systems
2006-12-10 08:17 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-12-10 07:58 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-12-09 17:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2006-12-08 10:15 <DIR> d-------- C:\Program Files\LoTextureTool
2006-12-07 15:12 7,662,876 --a------ C:\SU-25.cmd
2006-12-05 15:36 <DIR> d-------- C:\WINDOWS\system32\dllcache
2006-12-05 14:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BrineSoft
2006-12-05 14:07 <DIR> d-------- C:\Program Files\HHD Software
2006-12-05 14:07 <DIR> d-------- C:\Program Files\Common Files\HHD Software
2006-12-04 10:18 <DIR> d-------- C:\CDDS-Studio
2006-12-04 10:11 <DIR> d-------- C:\SkinsWorkfolder
2006-12-02 12:23 <DIR> d-------- C:\Program Files\DDS Converter 2
2006-11-20 14:24 5,120 --a------ C:\explorer1.exe
2006-11-20 14:24 5,120 --a------ C:\62959379.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-12 11:21 -------- d-------- C:\Program Files\Common Files\System
2006-12-11 17:42 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-10 08:56 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2006-12-10 08:52 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2006-12-10 08:17 -------- d-------- C:\Program Files\Common Files
2006-12-10 08:16 -------- d-------- C:\Program Files\Adobe
2006-12-10 08:06 -------- d-------- C:\Program Files\RegScrubXP
2006-12-09 17:44 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-05 14:07 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-12 09:20 14 --a------ C:\WINDOWS\system32\SysEngine2.SYS
2006-11-06 20:04 -------- d-------- C:\Program Files\Java
2006-10-06 16:09 205 --a------ C:\WINDOWS\system32\r.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe\" AcPro7_0_8 -reboot 1"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVRTCLK"="C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"LtcyCfgApply"="\"C:\\Documents and Settings\\Administrator\\My Documents\\PCI Latency Tool\\LtcyCfg.exe\" /a"
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Application Accelerator\\iaanotif.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"F-StopW"="C:\\Program Files\\FSI\\F-Prot\\F-StopW.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"CTHelper"="CTHELPER.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"CnxDslTaskBar"="C:\\Program Files\\Conexant\\AccessRunner ADSL\\CnxDslTb.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{65A63651-8AFB-4A2B-AC75-CB4C68B0DDB0}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:b1,00,00,00
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061215-085154-626
O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\
backup-20061215-085154-846
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
backup-20061215-083539-134
O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\
backup-20061215-083539-591
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
backup-20061215-082534-587
O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\
backup-20061215-082534-807
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
backup-20061215-082204-406
O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\
backup-20061215-082204-854
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
backup-20061215-081854-142
O20 - Winlogon Notify: winsys2freg - C:\WINDOWS\
backup-20061215-072649-955
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll (file missing)
backup-20061215-072649-913
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
backup-20061213-142825-271
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
backup-20061213-140835-433
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
backup-20061213-133301-451
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
backup-20061213-133114-924
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
backup-20061213-133043-537
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
backup-20061213-133043-748
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
backup-20061213-132655-627
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
backup-20061213-132655-165
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
backup-20061213-132654-352
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
Completion time: 06-12-16 16:55:56.10
C:\ComboFix.txt ... 06-12-16 16:55

How's it look, Doc?
comcom

Re: ComboFix report,

Post by Bob4 » December 16th, 2006, 8:12 am

comcom wrote: How's it look, Doc?


Not so good, I'm afraid. :shock: The following files we are about to remove are mostly Trojan downloaders. They actually download other nasties. With that said, I say:

I really think you should consider running AVG. As I said, once we're done with it you can uninstall it. It uninstalls cleanly.

I understand your not wanting to crowd your computer.

If you decide to try it, set it up EXACTLY as I asked. Make that the last thing you do with this post. If not, I won't bother you by asking again. ;)



________________
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\qvxga7met4.exe
C:\WINDOWS\system32\qvxga6met3.exe
C:\WINDOWS\system32\vxga3me22472656.exe
C:\WINDOWS\system32\qvx5gamet2.exe
C:\WINDOWS\system32\vxga8me6.exe
C:\WINDOWS\system32\vxga3me22441921.exe
C:\WINDOWS\system32\w.exe
C:\WINDOWS\system32\vxga4me1.exe
C:\WINDOWS\system32\kernels88.exe
C:\syst.exe
C:\3456346345643.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\m3KLPon.exe
C:\WINDOWS\system32\vxg4am1et2.exe
C:\WINDOWS\system32\vxga1me4t1.exe
C:\WINDOWS\system32\google.png.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\vxga4m1et4.exe
C:\WINDOWS\system32\dlh9jkd1q2.exe
C:\WINDOWS\system32\syspools.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\62959379.exe
C:\WINDOWS\system32\r.exe


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



______________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.

C:\explorer1.exe

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html



_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.


__________________
Open CCleaner.
Click on Tools.
Highlight Uninstall.
Down on the bottom, click Save to text file.
Save it to your desktop and post the contents of that log for me.


In your next reply I would like to see:
  • A new HJT log
  • The report from Kaspersky's
  • The uninstall list from CCleaner
  • The report from Jotti's
  • The log from AVG should you decide to try it.

Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Jotti Scan

Unread postby comcom » December 18th, 2006, 6:05 am

Bob4,

Jotti scan:

Service load: 0% 100%

File: explorer1.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a4e90d2ff61d0d51951f2cc47298db03
Packers detected: -

Scanner results
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.14983
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found Dloader.F!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.DownLoader.14983

KASPERSKY ONLINE SCANNER REPORT
Monday, December 18, 2006 4:58:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/12/2006
Kaspersky Anti-Virus database records: 251598


Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects: 58807
Number of viruses found: 9
Number of infected objects: 30 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:56:09

Infected Object Name / Virus Name / Last Action
C:\!KillBox\3456346345643.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\!KillBox\google.png.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\!KillBox\kernels88.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\!KillBox\m3KLPon.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\!KillBox\spoolsvv.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\!KillBox\syst.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\!KillBox\vxg4am1et2.exe Infected: Trojan-Downloader.Win32.Tiny.et skipped
C:\!KillBox\vxga1me4t1.exe Infected: Email-Worm.Win32.Banwarum.f skipped
C:\!KillBox\vxga3me22441921.exe Infected: Trojan-Downloader.Win32.Small.cug skipped
C:\!KillBox\vxga4m1et4.exe Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\!KillBox\vxga4me1.exe Infected: Trojan.Win32.Agent.oh skipped
C:\!KillBox\vxga8me6.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\CDDS-Studio\sltcpmlm.t Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006121820061219\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\Anti Virus_Registry_Anti-Worm Freeware\Sysinternals Analysis Software\Process_Kill\PsKill.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Administrator\My Documents\Anti Virus_Registry_Anti-Worm Freeware\Sysinternals Analysis Software\Process_Kill\PsKill.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\My Documents\Anti Virus_Registry_Anti-Worm Freeware\Sysinternals Analysis Software\PsTools\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\Documents and Settings\Administrator\My Documents\Anti Virus_Registry_Anti-Worm Freeware\Sysinternals Analysis Software\PsTools\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Administrator\My Documents\Anti Virus_Registry_Anti-Worm Freeware\Sysinternals Analysis Software\PsTools\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Administrator\My Documents\Anti Virus_Registry_Anti-Worm Freeware\Sysinternals Analysis Software\PsTools\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\Documents and Settings\Administrator\My Documents\Anti Virus_Registry_Anti-Worm Freeware\Sysinternals Analysis Software\PsTools\PsTools.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Administrator\My Documents\Killbox\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\My Documents\Killbox\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\My Documents\Sysinternals Analysis Software\Process_Kill\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Administrator\My Documents\Sysinternals Analysis Software\Process_Kill\PsKill.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Administrator\My Documents\Sysinternals Analysis Software\Process_Kill\PsKill.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\My Documents\Sysinternals Analysis Software\PsTools\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\Documents and Settings\Administrator\My Documents\Sysinternals Analysis Software\PsTools\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Administrator\My Documents\Sysinternals Analysis Software\PsTools\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Administrator\My Documents\Sysinternals Analysis Software\PsTools\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\Documents and Settings\Administrator\My Documents\Sysinternals Analysis Software\PsTools\PsTools.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\EA Games\Command & Conquer(tm) Generals Zero Hour\game.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\vrstmqns.t Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F2586213-A9DB-4F17-A07B-4D141C4F9F94}.crmlog Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\taskdir.exe_tobedeleted Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

CCleaner uninstall.txt:

ACDSee 7.0 PowerPack
Ace DivX Player
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.8 Professional
Adobe Flash Player 9 ActiveX
Adobe Illustrator CS
Adobe SVG Viewer 3.0
ASUS Probe V2.23.03
AsusUpdate
AutoUpdate
AVIcodec (remove only)
BugOff 1.10
CCleaner (remove only)
CloneCD
Command & Conquer The First Decade
Conexant AccessRunner PCI ADSL WAN Adapter
CorelDRAW Graphics Suite 12
DDS Converter 2.1
Debugging Tools for Windows
DH Driver Cleaner Professional Edition
DivX Converter
DivX Player
DivX Web Player
DivX
EndItAll 2.0
F-Prot for Windows
Fraps
Hackman Disassembler
Hackman Hex Editor
Hex Workshop
HHD Software Hex Editor 2.3
HijackThis 1.99.1
IncrediBubble
Intel Application Accelerator RAID Edition
Intel(R) Processor ID Utility
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_06
Kaspersky Online Scanner
Lock On 1.1
Lock On: Modern Air Combat
LockOn Configurator(remove only)
LockOn Mission Randomizer
Microsoft .NET Framework 2.0
Microsoft XML Notepad 1.0
ModMan 5.0.0.12
Nero 6 Ultra Edition
Notepad++
NVIDIA Drivers
O&O SafeErase
PartitionMagic
PowerQuest PartitionMagic 8.0
RegCool
RegScrubXP 3.25
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SiSoftware Sandra Professional 2005.SR1 (Win64/32/CE)
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy 1.4
SST Programming Software
Trixie
TweakNow RegCleaner Standard
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Vbsedit
WebFldrs XP
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Support Tools
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
XviD MPEG-4 Codec

Logfile of HijackThis v1.99.1
Scan saved at 5:13:54 PM, on 12/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.lockon.ru/?langid=1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Administrator\My Documents\PCI Latency Tool\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0381297796
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E43523-D0B1-4A5E-A37D-8ED5FDC6C024}: NameServer = 203.144.255.71 203.144.255.72
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe

Kaspersky, HJT, CCleaner and Jotti's attached:

I will do AVG in a separate post.
comcom
Active Member
 
Posts: 8
Joined: December 13th, 2006, 5:47 am
Location: Bangkok, Thailand

Unread postby Bob4 » December 18th, 2006, 8:50 am

You have a file or 2 that seriously worry me.

C:\vrstmqns.t
C:\WINDOWS\system32\taskdir.exe


These show signs of a mass file infector.
I would back up any important data now!

If you can pull this machine off the internet and just use it to clean this infection we may have a better chance.


It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.

More information on Remote Access Trojans can be found
here

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.
But to be honest I would reformat this machine now.


Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine start by doing the following.



Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\vrstmqns.t
C:\WINDOWS\system32\taskdir.exe
C:\explorer1.exe


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.





* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run this program.
If it produces a log, post that for me.





  • Create a folder on your desktop called Sysclean.
  • Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
  • Go to http://www.trendmicro.com/download/pattern.asp and download the Virus Pattern File (Official Pattern Release) to your desktop.
    This file will be called lptXXX.zip (XXX represents the version number)
  • Unzip lptXXX.zip and you'll get the file lpt$vpn.XXX. Read here how to unzip/extract properly.
  • Move the lpt$vpn.XXX to the Sysclean-folder you created on your desktop.
  • Open the sysclean-folder and double-click sysclean.com.
  • Check: "Automatically clean or delete detected files".
  • Click scan.

Open your sysclean-folder and copy and paste the contents of sysclean.log in your next reply.





In your next reply I would like to see:
  • A new HJT log
  • The report from sysclean
  • The report from DRcureit (if it produces one)
  • Also let me know if you have a lot of .t files showing up.

Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

DRcureit, Sysclean, HJT logs

Unread postby comcom » December 19th, 2006, 11:27 pm

Bob4,

Logfile of HijackThis v1.99.1
Scan saved at 10:31:41 AM, on 12/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.lockon.ru/?langid=1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Administrator\My Documents\PCI Latency Tool\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0381297796
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E43523-D0B1-4A5E-A37D-8ED5FDC6C024}: NameServer = 203.144.255.71 203.144.255.72
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 09:28:04, Auto-clean mode specified.
2006-12-20, 09:28:04, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2006-12-20, 09:28:10, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2006-12-20, 09:28:10, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Dec 20 2006 09:28:04

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 816) [success]

Complete time : Wed Dec 20 2006 09:28:10
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 09:29:01, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:29:09, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:51:49, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:29:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

C:\!KillBox\3456346345643.exe [TROJ_SMALL.EBT]
C:\!KillBox\dlh9jkd1q6.exe [TROJ_SMALL.EOF]
C:\!KillBox\dlh9jkd1q7.exe [TROJ_SMALL.EOE]
C:\!KillBox\kernels88.exe [TROJ_SMALL.EBT]
C:\!KillBox\m3KLPon.exe [WORM_NUWAR.OG]
C:\!KillBox\spoolsvv.exe [TROJ_SMALL.DXA]
C:\!KillBox\syst.exe [TROJ_SMALL.EBT]
C:\!KillBox\vxg4am1et2.exe [TROJ_TINY.DY]
C:\!KillBox\vxga1me4t1.exe [TROJ_SMALL.FAY]
C:\!KillBox\vxga3me22441921.exe [TROJ_DLOADER.W]
C:\!KillBox\vxga3me22472656.exe [TROJ_DLOADER.W]
C:\!KillBox\vxga4m1et4.exe [TROJ_AGENT.BPM]
C:\!KillBox\vxga4me1.exe [TROJ_AGENT.HYS]
2006-12-20, 09:51:49, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:29:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

Success Clean [ TROJ_SMALL.EBT]( 1) from C:\!KillBox\3456346345643.exe
Success Clean [ TROJ_SMALL.EOF]( 1) from C:\!KillBox\dlh9jkd1q6.exe
Success Clean [ TROJ_SMALL.EBT]( 1) from C:\!KillBox\kernels88.exe
Success Clean [ WORM_NUWAR.OG]( 1) from C:\!KillBox\m3KLPon.exe
Success Clean [ TROJ_SMALL.DXA]( 1) from C:\!KillBox\spoolsvv.exe
Success Clean [ TROJ_SMALL.EBT]( 1) from C:\!KillBox\syst.exe
Success Clean [ TROJ_TINY.DY]( 1) from C:\!KillBox\vxg4am1et2.exe
Success Clean [ TROJ_SMALL.FAY]( 1) from C:\!KillBox\vxga1me4t1.exe
Success Clean [ TROJ_DLOADER.W]( 1) from C:\!KillBox\vxga3me22441921.exe
Success Clean [ TROJ_DLOADER.W]( 1) from C:\!KillBox\vxga3me22472656.exe
Success Clean [ TROJ_AGENT.BPM]( 1) from C:\!KillBox\vxga4m1et4.exe
Success Clean [ TROJ_AGENT.HYS]( 1) from C:\!KillBox\vxga4me1.exe
2006-12-20, 09:51:49, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:29:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:51:49, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-12-20, 09:51:49, The user stopped the operation.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 09:52:10, Auto-clean mode specified.
2006-12-20, 09:52:10, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2006-12-20, 09:52:15, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2006-12-20, 09:52:15, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Dec 20 2006 09:52:11

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 816) [success]

Complete time : Wed Dec 20 2006 09:52:15
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 09:52:41, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:52:48, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:53:35, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:52:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

C:\!KillBox\dlh9jkd1q7.exe [TROJ_SMALL.EOE]
2006-12-20, 09:53:35, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:52:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:53:35, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:52:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:53:35, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-12-20, 09:53:36, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:53:35
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 09:53:36
---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 09:53:36, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:53:35
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 09:53:36 0.24 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 09:53:36, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:53:35
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 09:53:36 0.24 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 09:53:36, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 09:53:54, Auto-clean mode specified.
2006-12-20, 09:53:54, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2006-12-20, 09:53:57, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2006-12-20, 09:53:57, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Dec 20 2006 09:53:54

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 816) [success]

Complete time : Wed Dec 20 2006 09:53:57
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 09:54:10, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:54:13, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:57:17, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:54:13
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

C:\!KillBox\dlh9jkd1q7.exe [TROJ_SMALL.EOE]
2006-12-20, 09:57:17, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:54:13
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:57:17, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:54:13
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:57:17, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-12-20, 09:57:17, The user stopped the operation.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 09:57:20, Auto-clean mode specified.
2006-12-20, 09:57:20, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2006-12-20, 09:57:23, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2006-12-20, 09:57:23, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Dec 20 2006 09:57:20

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 816) [success]

Complete time : Wed Dec 20 2006 09:57:23
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 09:57:36, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:57:39, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-12-20, 10:17:07, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:57:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

58842 files have been read.
58842 files have been checked.
48956 files have been scanned.
99651 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:07
---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:07, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:57:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

58842 files have been read.
58842 files have been checked.
48956 files have been scanned.
99651 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:07 19 minutes 28 seconds (1168.52 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:07, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:57:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

58842 files have been read.
58842 files have been checked.
48956 files have been scanned.
99651 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:07 19 minutes 28 seconds (1168.52 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:07, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-12-20, 10:17:08, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 10:17:07
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:08
---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:08, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 10:17:07
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:08 0.42 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:08, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 10:17:07
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:08 0.42 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:08, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.

DRcureit generated no report; the program ran and showed "NO Virus found".

I'm not getting a lot of .t files?
Should I search for them?
comcom
Active Member
Posts: 8
Joined: December 13th, 2006, 5:47 am
Location: Bangkok, Thailand

DRcureit, Sysclean, HJT

Post by comcom » December 19th, 2006, 11:33 pm

Bob4,

Logfile of HijackThis v1.99.1
Scan saved at 10:31:41 AM, on 12/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.lockon.ru/?langid=1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Administrator\My Documents\PCI Latency Tool\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0381297796
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E43523-D0B1-4A5E-A37D-8ED5FDC6C024}: NameServer = 203.144.255.71 203.144.255.72
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 09:28:04, Auto-clean mode specified.
2006-12-20, 09:28:04, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2006-12-20, 09:28:10, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2006-12-20, 09:28:10, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Dec 20 2006 09:28:04

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 816) [success]

Complete time : Wed Dec 20 2006 09:28:10
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 09:29:01, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:29:09, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:51:49, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:29:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

C:\!KillBox\3456346345643.exe [TROJ_SMALL.EBT]
C:\!KillBox\dlh9jkd1q6.exe [TROJ_SMALL.EOF]
C:\!KillBox\dlh9jkd1q7.exe [TROJ_SMALL.EOE]
C:\!KillBox\kernels88.exe [TROJ_SMALL.EBT]
C:\!KillBox\m3KLPon.exe [WORM_NUWAR.OG]
C:\!KillBox\spoolsvv.exe [TROJ_SMALL.DXA]
C:\!KillBox\syst.exe [TROJ_SMALL.EBT]
C:\!KillBox\vxg4am1et2.exe [TROJ_TINY.DY]
C:\!KillBox\vxga1me4t1.exe [TROJ_SMALL.FAY]
C:\!KillBox\vxga3me22441921.exe [TROJ_DLOADER.W]
C:\!KillBox\vxga3me22472656.exe [TROJ_DLOADER.W]
C:\!KillBox\vxga4m1et4.exe [TROJ_AGENT.BPM]
C:\!KillBox\vxga4me1.exe [TROJ_AGENT.HYS]
2006-12-20, 09:51:49, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:29:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

Success Clean [ TROJ_SMALL.EBT]( 1) from C:\!KillBox\3456346345643.exe
Success Clean [ TROJ_SMALL.EOF]( 1) from C:\!KillBox\dlh9jkd1q6.exe
Success Clean [ TROJ_SMALL.EBT]( 1) from C:\!KillBox\kernels88.exe
Success Clean [ WORM_NUWAR.OG]( 1) from C:\!KillBox\m3KLPon.exe
Success Clean [ TROJ_SMALL.DXA]( 1) from C:\!KillBox\spoolsvv.exe
Success Clean [ TROJ_SMALL.EBT]( 1) from C:\!KillBox\syst.exe
Success Clean [ TROJ_TINY.DY]( 1) from C:\!KillBox\vxg4am1et2.exe
Success Clean [ TROJ_SMALL.FAY]( 1) from C:\!KillBox\vxga1me4t1.exe
Success Clean [ TROJ_DLOADER.W]( 1) from C:\!KillBox\vxga3me22441921.exe
Success Clean [ TROJ_DLOADER.W]( 1) from C:\!KillBox\vxga3me22472656.exe
Success Clean [ TROJ_AGENT.BPM]( 1) from C:\!KillBox\vxga4m1et4.exe
Success Clean [ TROJ_AGENT.HYS]( 1) from C:\!KillBox\vxga4me1.exe
2006-12-20, 09:51:49, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:29:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:51:49, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-12-20, 09:51:49, The user stopped the operation.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 09:52:10, Auto-clean mode specified.
2006-12-20, 09:52:10, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2006-12-20, 09:52:15, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2006-12-20, 09:52:15, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Dec 20 2006 09:52:11

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 816) [success]

Complete time : Wed Dec 20 2006 09:52:15
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 09:52:41, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:52:48, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:53:35, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:52:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

C:\!KillBox\dlh9jkd1q7.exe [TROJ_SMALL.EOE]
2006-12-20, 09:53:35, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:52:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:53:35, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:52:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:53:35, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-12-20, 09:53:36, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:53:35
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 09:53:36
---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 09:53:36, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:53:35
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 09:53:36 0.24 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 09:53:36, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:53:35
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 09:53:36 0.24 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 09:53:36, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 09:53:54, Auto-clean mode specified.
2006-12-20, 09:53:54, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2006-12-20, 09:53:57, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2006-12-20, 09:53:57, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Dec 20 2006 09:53:54

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 816) [success]

Complete time : Wed Dec 20 2006 09:53:57
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 09:54:10, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:54:13, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:57:17, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:54:13
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

C:\!KillBox\dlh9jkd1q7.exe [TROJ_SMALL.EOE]
2006-12-20, 09:57:17, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:54:13
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:57:17, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:54:13
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

2006-12-20, 09:57:17, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-12-20, 09:57:17, The user stopped the operation.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-12-20, 09:57:20, Auto-clean mode specified.
2006-12-20, 09:57:20, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2006-12-20, 09:57:23, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2006-12-20, 09:57:23, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Dec 20 2006 09:57:20

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 816) [success]

Complete time : Wed Dec 20 2006 09:57:23
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-12-20, 09:57:36, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-12-20, 09:57:39, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-12-20, 10:17:07, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:57:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

58842 files have been read.
58842 files have been checked.
48956 files have been scanned.
99651 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:07
---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:07, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:57:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

58842 files have been read.
58842 files have been checked.
48956 files have been scanned.
99651 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:07 19 minutes 28 seconds (1168.52 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:07, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 09:57:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

58842 files have been read.
58842 files have been checked.
48956 files have been scanned.
99651 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:07 19 minutes 28 seconds (1168.52 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:07, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2006-12-20, 10:17:08, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 10:17:07
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:08
---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:08, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 10:17:07
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:08 0.42 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:08, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2006 10:17:07
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 123 (145572 Patterns) (2006/12/19) (412300)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

22 files have been read.
22 files have been checked.
14 files have been scanned.
14 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2006 10:17:08 0.42 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-12-20, 10:17:08, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.

Dr.Web CureIt reports "NO VIRUS FOUND"

I'm not getting a lot of .t files
comcom
Active Member
 
Posts: 8
Joined: December 13th, 2006, 5:47 am
Location: Bangkok, Thailand

Unread postby Bob4 » December 20th, 2006, 7:33 am

Please download FixAbwiz.exe to your desktop:
Please reboot into Safe Mode.
Double-click FixAbwiz.exe and let it run.
When the tool is ready, it will produce a log.
Reboot into normal Windows and post back with that log as well as a fresh HijackThis log.
Run the removal tool again to ensure that the system is clean


___________________
Download GMER's application from here

or

Here
Save it to your desktop.
Create a new folder on the C: drive called Gmer
Click on Start then My Computer then double click Local Disk C:

Now right click anywhere on the open window and choose New, then Folder. Type in GMER and hit the Enter key.

Unzip the GMER zip file by double clicking on the desktop icon and save it to the GMER folder you just made.

Now Navigate to that folder (Gmer)
and double click the GMER.exe file

Click the Rootkit tab and click the Scan button.


IMPORTANT: Do NOT use the computer while the scan is in progress.

Please, do not select the "Show all" checkbox during the scan.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.


_________________
In your next reply I would like to see:
  • A new HJT log
  • the report from Gmer
  • The report from FixAbwiz


Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

FixAbwiz, GMER, HJT

Unread postby comcom » December 20th, 2006, 9:52 pm

Bob4,

Symantec Trojan.Abwiz.F Removal Tool 1.0.0

Trojan.Abwiz.F has not been found on your computer.


GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-21 08:56:12
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System

---- Files - GMER 1.0.12 ----

ADS C:\BOOT.BAK:KAVICHS
ADS C:\boot.ini:KAVICHS
ADS C:\cmdcons\BOOTSECT.DAT:KAVICHS
ADS C:\cmdcons\migrate.inf:KAVICHS
ADS C:\cmdcons\winnt.sif:KAVICHS
ADS C:\Documents and Settings\Administrator\Application Data\ACD Systems\Catalogs\70\Default\Asset.cdx:KAVICHS
ADS C:\Documents and Settings\Administrator\Application Data\ACD Systems\Catalogs\70\Default\Asset.dbf:KAVICHS
ADS C:\Documents and Settings\Administrator\Application Data\ACD Systems\Catalogs\70\Default\Asset.fpt:KAVICHS
ADS C:\Documents and Settings\Administrator\Application Data\ACD Systems\Catalogs\70\Default\AssetExif.cdx:KAVICHS
ADS C:\Documents and Settings\Administrator\Application Data\ACD Systems\Catalogs\70\Default\AssetExif.dbf:KAVICHS
ADS C:\Documents and Settings\Administrator\Application Data\ACD Systems\Catalogs\70\Default\AssetExif.fpt:KAVICHS
ADS ...
ADS D:\RECYCLER\S-1-5-21-1214440339-1078081533-725345543-1003\desktop.ini:KAVICHS
ADS D:\RECYCLER\S-1-5-21-1214440339-1078081533-725345543-1003\INFO2:KAVICHS
ADS D:\RECYCLER\S-1-5-21-484763869-329068152-1417001333-500\INFO2:KAVICHS

---- EOF - GMER 1.0.12 ----

Logfile of HijackThis v1.99.1
Scan saved at 8:58:32 AM, on 12/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Gmer\gmer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.lockon.ru/?langid=1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Administrator\My Documents\PCI Latency Tool\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0381297796
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe

Diagnosis?
comcom
Active Member
 
Posts: 8
Joined: December 13th, 2006, 5:47 am
Location: Bangkok, Thailand
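Reading an HJT log like the one above comes down to pulling each entry type apart into its fields: hive, value name and command for O4 autoruns, CLSID and file for O2/O16, service name and binary for O23. The Python parser below is an added example and is not part of the thread or of the HijackThis tool; its regexes, the `Entry` record and the helper names are this example's own conventions, and the sample lines are copied from the log in the post above. For rundll32-style O4 entries it also reports the DLL being loaded, since that module, not rundll32.exe itself, is what the analyst needs to judge.

```python
"""Parse HijackThis 1.99 log entries into structured records.

Added example: not part of the thread or of the HijackThis tool.  The
sample lines are copied from the log posted above; the regexes, the
Entry record and the helper names are this example's own conventions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: a header line, one process-list line and seven entries
# taken from the HJT log in the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.lockon.ru/?langid=1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Administrator\My Documents\PCI Latency Tool\LtcyCfg.exe" /a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$")
O2_RE = re.compile(r"^BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^Service: (?P<desc>.*?) \((?P<short>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.*)$")
DETAIL = {"O2": O2_RE, "O4": O4_RE, "O16": O16_RE, "O23": O23_RE}
EXEC_EXT = (".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".pif")


@dataclass
class Entry:
    code: str                                   # e.g. "O4"
    body: str                                   # everything after "O4 - "
    fields: Dict[str, str] = field(default_factory=dict)  # parsed detail, may be empty


def executable_of(command: str) -> str:
    """Best-effort executable from an O4 command line.

    A quoted path is taken verbatim.  For an unquoted path containing spaces
    the tokens are joined until the prefix ends in an executable extension,
    which approximates the prefix-by-prefix way Windows resolves such lines.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return tokens[0]


def loaded_module(command: str) -> Optional[str]:
    """For rundll32 launchers, the DLL actually loaded (the part before the comma)."""
    exe = executable_of(command)
    if not re.split(r"[\\/]", exe)[-1].lower().startswith("rundll32"):
        return None
    stripped = command.strip()
    prefix = len(exe) + 2 if stripped.startswith('"') else len(exe)
    module = stripped[prefix:].strip().split(",", 1)[0].strip().strip('"')
    return module or None


def parse_hjt(text: str) -> List[Entry]:
    """Keep every 'Xn - ...' entry; header and process-list lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        fields: Dict[str, str] = {}
        detail = DETAIL.get(code)
        dm = detail.match(body) if detail else None
        if dm:
            fields = dm.groupdict()
        elif code.startswith("R"):          # R0/R1: "registry value = data"
            key, _, value = body.partition(" = ")
            fields = {"key": key, "value": value}
        entries.append(Entry(code, body, fields))   # unmatched detail keeps empty fields
    return entries


def autoruns(entries: List[Entry]) -> List[Tuple[str, str, Optional[str]]]:
    """(value name, executable, rundll32-loaded module or None) per O4 Run entry."""
    out = []
    for e in entries:
        if e.code == "O4" and "command" in e.fields:
            cmd = e.fields["command"]
            out.append((e.fields["name"], executable_of(cmd), loaded_module(cmd)))
    return out


def summary(entries: List[Entry]) -> Dict[str, int]:
    """Entry count per section code, e.g. {'O4': 3, ...}."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(summary(parsed))
    for name, exe, module in autoruns(parsed):
        print(f"O4 [{name}] exe={exe} module={module}")
```

Two caveats on the design: an O4 line whose key layout the detailed regex does not know (Startup-folder entries, for instance) is still kept as an `Entry` with empty `fields` rather than dropped, so `summary()` stays honest; and an unquoted path with spaces resolves to the full path rather than to `C:\Program`, which is the case that trips up naive split-on-space parsing.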

Unread postby Bob4 » December 20th, 2006, 10:49 pm

Log looks clean. Everything seems to be running OK?


Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.
Please do these in the order I suggest!


___________________________________
If we have set your computer to see all files and folders, we must reprotect them.

UNDO SHOW ALL FILES
Click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears, select the View tab.
Deselect the checkbox labeled Display the contents of system folders.
Deselect the checkbox labeled Show hidden files and folders.
Select the checkbox labeled Hide file extensions for known file types.
Replace the checkmark in the checkbox labeled Hide protected operating system files.
Press the Apply button and then OK.
Now many important files are safe.

___________________________________
Please create a 'clean' System Restore Point:
The reason for doing this is so that, if you need System Restore later, you don't put back everything we just took out.
Right click My Computer
Then Properties, then System Restore
Place a check mark by Turn off System Restore
Click APPLY
Windows will give you a warning; click Yes
REBOOT

Now go right back to the same place and uncheck System Restore
Click APPLY and OK





___________________________________
A few things to help with possible threats
SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This toolbar will help protect you from:

  • Over 4,000 fake bank and credit sites.
  • Tens of thousands of pornographic and adult sites.
  • The never-ending fake phishing sites.
  • Malicious sites, which can infect you with spyware and adware if you visit them.
  • Sites to download software which may infect your computer with spyware, a virus or adware.


___________________________________
Download these if you don't already have them, keep them updated and run them weekly.

Adaware
Tutorial

Spybot Search & Destroy
Tutorial




___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here:
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click OK
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then OK to exit the Internet Properties page.






Safe and Happy Surfing. :)
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
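The HOSTS-file advice in the post above rests on one property: every blocking entry sends the name to a loopback or unspecified address, so the connection never leaves the machine. The same file is also a common target for malware, which edits it to redirect hosts elsewhere, so a HOSTS file is worth auditing as well as installing. The Python audit below is an added example, not from the thread or from the MVPS hosts project; the sample file content is constructed (names under the reserved `.invalid` TLD, routable addresses from the RFC 5737 documentation ranges) and the function names are this example's own.

```python
"""Audit a Windows HOSTS file (added example; not from the thread or the
MVPS hosts project).  Blocking works because an entry's address is
loopback (127.x) or unspecified (0.0.0.0); any entry that points a name
at a routable address is a redirect that deserves an explanation.
"""
import ipaddress
from typing import List, NamedTuple, Set, Tuple

# Constructed sample file: names use the reserved .invalid TLD and the
# routable addresses are RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# blocking entries in the MVPS style (constructed)
127.0.0.1  ad.example.invalid
127.0.0.1  tracker.example.invalid      # inline comment is ignored
0.0.0.0    malware.example.invalid
# a suspicious redirect (constructed): vendor-looking name, routable address
203.0.113.7   update.example.invalid
198.51.100.9  www.example.invalid intranet.example.invalid
"""


class HostEntry(NamedTuple):
    line_no: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostEntry]:
    """One HostEntry per effective line; comments and blank lines are skipped."""
    entries: List[HostEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere on the line
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no hostname: nothing to map
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: skip the line
        entries.append(HostEntry(line_no, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def is_blackhole(address: str) -> bool:
    """True for addresses that never leave the machine (127/8, ::1, 0.0.0.0, ::)."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def audit(entries: List[HostEntry]) -> Tuple[List[HostEntry], List[HostEntry]]:
    """Split entries into blocking entries and redirects to routable addresses.

    A redirect is not automatically malicious (intranet names are common),
    but each one should be explainable to the owner of the machine.
    """
    blocked: List[HostEntry] = []
    redirects: List[HostEntry] = []
    for entry in entries:
        (blocked if is_blackhole(entry.address) else redirects).append(entry)
    return blocked, redirects


def blocked_names(entries: List[HostEntry]) -> Set[str]:
    """Every hostname the file sinks, the standard localhost line excluded."""
    names: Set[str] = set()
    for entry in entries:
        if is_blackhole(entry.address):
            names.update(n for n in entry.names if n != "localhost")
    return names


def report(entries: List[HostEntry]) -> List[str]:
    """One line per redirect, in a form that can be pasted into a reply."""
    _, redirects = audit(entries)
    return [f"line {e.line_no}: {', '.join(e.names)} -> {e.address}" for e in redirects]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked_names(parsed))} names sunk to loopback/unspecified")
    for line in report(parsed):
        print("REDIRECT", line)
```

A HOSTS entry only affects name lookups that the local resolver performs, so traffic sent through a proxy (which resolves names itself) is not blocked by it; that is why the post points proxy and AOL users to the special instructions.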