help can't remove malware


Re: help can't remove malware

Post by random/random » November 18th, 2007, 5:43 pm

Does Windows boot successfully if, instead of selecting Safe Mode, you select Last Known Good Configuration?
random/random
Developer
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Post by jemma_79 » November 18th, 2007, 6:16 pm

When the Advanced Options menu appears, "Start Windows Normally" is highlighted; I cannot move and select either Safe Mode or Last Known Configuration.
When the timer is spent, Windows starts to load, but all that appears is a blue screen, no Start menu or anything.
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Post by random/random » November 18th, 2007, 6:18 pm

Is the screen just a blue background? If so, when you press Ctrl+Alt+Del, can you get Task Manager up?
random/random
Developer
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Post by jemma_79 » November 18th, 2007, 6:26 pm

I have been able to access Task Manager.
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Post by random/random » November 18th, 2007, 6:29 pm

In Task Manager, click File > New Task.
Type explorer.exe and then click OK.
Please let me know if this loads your desktop, and of any error messages you get.
random/random
Developer
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Post by jemma_79 » November 18th, 2007, 6:42 pm

The error message says:
"Windows cannot find explorer.exe. Make sure you typed the name correctly or click Search."
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Post by jemma_79 » November 19th, 2007, 12:49 am

ComboFix 07-11-08.1 - user 2007-11-15 21:08:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.347 [GMT 0:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\WINDOWS\bonrep.dll
C:\WINDOWS\ipwypktx.dll
C:\WINDOWS\kbdctrl.dll
C:\WINDOWS\neobus.dll
C:\WINDOWS\qdertu.exe
C:\WINDOWS\system32\ahroxun-edat.exe
C:\WINDOWS\system32\udsacoot.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Desktop\Error Cleaner.url
C:\Documents and Settings\user\Desktop\Favorites\Error Cleaner.url
C:\Documents and Settings\user\Desktop\Favorites\Privacy Protector.url
C:\Documents and Settings\user\Desktop\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\user\Desktop\Privacy Protector.url
C:\Documents and Settings\user\Desktop\Spyware&Malware Protection.url
C:\WINDOWS\bonrep.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\ipwypktx.dll
C:\WINDOWS\kbdctrl.dll
C:\WINDOWS\neobus.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\qdertu.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\ahroxun-edat.exe . . . . failed to delete
C:\WINDOWS\system32\udsacoot.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 00:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 23:08 <DIR> d-------- C:\Deckard
2007-11-11 20:38 3,702 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-11 20:23 <DIR> d-------- C:\WINDOWS\system\SmitfraudFix
2007-11-11 20:22 1,043,074 --a------ C:\WINDOWS\system\SmitfraudFix.exe
2007-11-11 20:10 <DIR> d-------- C:\Program Files\SmitfraudFix
2007-11-11 19:37 <DIR> d-------- C:\SmitfraudFix
2007-11-08 02:36 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-11-08 02:36 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-11-08 02:36 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-08 02:36 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-07 22:37 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-11-07 22:37 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-11-07 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-07 20:48 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 21:15 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac.exe
2007-11-15 14:51 --------- d-----w C:\Documents and Settings\user\Application Data\PlayFirst
2007-11-09 13:46 401,720 ----a-w C:\Program Files\hijack.exe
2007-11-08 02:36 --------- d-----w C:\Program Files\SilverCreekCommonFiles
2007-11-08 02:36 --------- d-----w C:\Program Files\Google
2007-11-08 02:36 --------- d-----w C:\Documents and Settings\user\Application Data\AOL
2007-11-08 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2007-11-08 02:35 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-07 23:13 --------- d-----w C:\Program Files\MSN Messenger
2007-11-07 19:55 67,777 ----a-w C:\Program Files\log malware.txt
2007-11-07 16:23 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2007-10-29 13:30 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(251).exe
2007-10-29 12:35 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(252).exe
2007-10-29 10:53 --------- d-----w C:\Program Files\Windows Live
2007-10-29 10:49 --------- d-----w C:\Program Files\Hardwood Spades
2007-10-29 10:26 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(253).exe
2007-10-29 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-28 22:08 --------- d-----w C:\Program Files\Common Files\Real
2007-10-23 21:19 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(245).exe
2007-10-23 15:36 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(246).exe
2007-10-23 15:06 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(247).exe
2007-10-23 14:45 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(248).exe
2007-10-23 14:32 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(249).exe
2007-10-22 21:05 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(250).exe
2007-09-28 08:42 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-28 08:42 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-28 08:42 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-28 08:42 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-28 08:42 138,512 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-28 08:42 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-18 18:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-18 18:52 --------- d-----w C:\Program Files\Trymedia
2007-09-18 18:52 --------- d-----w C:\Program Files\Silver Creek Installer
2007-09-18 18:52 --------- d-----w C:\Program Files\Hardwood Backgammon
2007-09-18 18:52 --------- d-----w C:\Program Files\Common Files\CasinoVegasShared
2007-09-18 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-18 18:51 --------- d-----w C:\Program Files\namtai_eyetoy_drivers
2007-09-18 18:48 --------- d-----w C:\Program Files\KYE
2007-09-18 18:48 --------- d-----w C:\Program Files\Common Files\snpstd
2007-09-18 15:43 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(136).exe
2007-09-18 14:52 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(137).exe
2007-09-18 13:05 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(138).exe
2007-09-18 12:00 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(139).exe
2007-09-18 08:31 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(140).exe
2007-09-17 20:37 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(141).exe
2007-09-17 08:06 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(142).exe
2007-09-17 07:47 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(143).exe
2007-09-16 20:09 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(144).exe
2007-09-16 16:57 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(145).exe
2007-09-16 13:25 30,489 ----a-w C:\WINDOWS\system32\ekvakuh-easac(146).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(244).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(243).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(242).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(241).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(240).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(239).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(238).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(237).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(236).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(235).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(234).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(233).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(232).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(231).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(230).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(229).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(228).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(227).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(226).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(225).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(224).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(223).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(222).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(221).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(220).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(219).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(218).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(217).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(216).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(215).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(214).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(213).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(212).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(211).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(210).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(209).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(208).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(207).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(206).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(205).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(204).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(203).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(202).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(201).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(200).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(199).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(198).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(197).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(196).exe
2007-09-16 13:25 30,489 ----a-r C:\WINDOWS\system32\ekvakuh-easac(195).exe
2007-05-28 20:41:22 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052120070528\index.dat
2007-05-28 20:41:22 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052820070529\index.dat
2007-05-29 20:49:39 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007052920070530\index.dat
2007-05-30 19:12:14 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat
2007-05-31 19:38:44 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007053120070601\index.dat
2007-06-02 18:05:32 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007060220070603\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

- Not a PE file.

---- Directory of C:\WINDOWS\system32\runtime ----



((((((((((((((((((((((((((((( snapshot@2007-11-15_ 2.35.38.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-15 02:34:11 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-15 21:15:10 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-15 02:34:11 131,072 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-15 21:15:10 131,072 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-15 02:34:11 819,200 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-15 21:15:10 819,200 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-15 02:34:12 24,064 ----a-w C:\WINDOWS\Temp\ouxtikeah.dll
+ 2007-11-15 21:15:10 24,064 ----a-w C:\WINDOWS\Temp\ouxtikeah.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 08:48 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 10:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 05:19]
"nwiz"="nwiz.exe" [2006-07-12 05:19 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-12 05:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"TI WLAN"="C:\Program Files\Wireless LAN Utility\TIWLANCu.exe" [2007-03-22 17:54]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-22 08:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"EPSON Stylus Photo R240 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.exe" [2005-04-25 05:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2006-09-07 08:21]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2006-09-07 08:17]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 12:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-28 22:08]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-28 08:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-08-16 15:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}]
C:\WINDOWS\system32\atpakib-deas.dll 2006-02-28 12:00 5120 C:\WINDOWS\system32\atpakib-deas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\system32\ahroxun-edat.exe

S3 Intels51;Intel(R) 536EP V.92 Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys
S3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248}]
C:\WINDOWS\system32\udsacoot.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 20:47:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 21:15:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 21:17:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 02:36
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:47:02, on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-GB ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-a8637465bb4ac20b.spaces.live ... nPUpld.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://fortunelounge.microgaming.com/g ... lashAX.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://smiley.oberon-media.com/online/o ... der_v6.cab
O20 - Winlogon Notify: {BC84DF00-BC38-9902-8082-6FCBF2D87A0B} - C:\WINDOWS\system32\atpakib-deas.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 9578 bytes
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Post by random/random » November 19th, 2007, 2:59 pm

Since you've posted a HijackThis log, I assume that you've been able to get back into Windows?

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt, along with a fresh HJT log, as a reply to this topic.
random/random
Developer
Posts: 7733
Joined: December 18th, 2005, 3:30 pm
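The Avenger script above deletes the three loading points that the ComboFix log exposed: the Image File Execution Options (IFEO) Debugger set on explorer.exe, the Winlogon Notify DLL and the Active Setup stub. As an added example (not from the thread, ComboFix or The Avenger), the Python below triages the "Reg Loading Points" section of such a log, flags those three mechanisms plus the Active Desktop component pointing at privacy_danger\index.htm, and renders the keys in Avenger's "Registry keys to delete:" format; the sample input is cut from the log posted above, and the function names are my own.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example; not part of ComboFix, The Avenger or the forum post above. It
flags the four persistence points visible in the log posted in this thread and
renders them in the Avenger 'Registry keys to delete:' format.
"""
import re
from dataclasses import dataclass

# Constructed sample: key blocks copied from the ComboFix log posted earlier in
# this thread (the HKLM Run key is cut down to two of its entries).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 08:48 C:\WINDOWS\RTHDCPL.exe]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-28 08:42]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}]
C:\WINDOWS\system32\atpakib-deas.dll 2006-02-28 12:00 5120 C:\WINDOWS\system32\atpakib-deas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\WINDOWS\system32\ahroxun-edat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248}]
C:\WINDOWS\system32\udsacoot.exe
"""

# A Windows path ending in an extension of interest. Non-greedy, so the Winlogon
# Notify line (path, timestamp, size, path again) yields its first path.
FILE_REF = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|htm|html)\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # persistence mechanism
    key: str     # registry key exactly as ComboFix printed it
    target: str  # file the key makes Windows load or run


def parse_loading_points(text):
    """Group the section into {key: [value lines]} using its [key] headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def first_file(lines):
    """Return the first file path referenced in a key's value lines, or ''."""
    for line in lines:
        match = FILE_REF.search(line)
        if match:
            return match.group(0)
    return ""


def triage(text):
    """Flag the loading points that matter. ComboFix already hides empty and
    known-default entries, so anything it prints under these keys needs a look."""
    findings = []
    for key, lines in parse_loading_points(text).items():
        k = key.lower()
        target = first_file(lines)
        if "\\image file execution options\\" in k and any(
                l.lower().startswith("debugger=") for l in lines):
            # Windows starts the Debugger program instead of the named image and
            # passes the image as an argument. Remove that program and every
            # launch of the image fails with a 'cannot find' error, which fits
            # the explorer.exe symptom reported earlier in this thread.
            findings.append(Finding("IFEO Debugger hijack", key, target))
        elif "\\winlogon\\notify\\" in k:
            # The package DLL is loaded into winlogon.exe on logon events.
            findings.append(Finding("Winlogon Notify package", key, target))
        elif "\\active setup\\installed components\\" in k:
            # The stub runs once per user profile at logon.
            findings.append(Finding("Active Setup stub", key, target))
        elif "\\desktop\\components\\" in k and any("file:///" in l.lower() for l in lines):
            # A local HTML file set as an Active Desktop component: here the
            # rogue 'Privacy Protection' background.
            findings.append(Finding("Active Desktop HTML component", key, target))
    return findings


def avenger_script(findings):
    """Render the flagged keys in the 'Registry keys to delete:' format used by
    the helper's Avenger script above (the keys only, nothing else is added)."""
    return "\n".join(["Registry keys to delete:"] + [f.key for f in findings])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.target}")
```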

Re: help can't remove malware

Post by jemma_79 » November 21st, 2007, 8:04 am

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fasravbb

*******************

Script file located at: \??\C:\Documents and Settings\bgkerckn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:39, on 21/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-GB ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-a8637465bb4ac20b.spaces.live ... nPUpld.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://fortunelounge.microgaming.com/g ... lashAX.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://smiley.oberon-media.com/online/o ... der_v6.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 9257 bytes

Sorry for the delay in getting this to you, I have been in hospital.
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm
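A small triage script for the two logs above, added here as an example and not part of this thread, of HijackThis or of The Avenger. It parses HijackThis entries and flags the ones a helper reads first: orphaned entries marked "(no file)" or "(file missing)", an unnamed BHO, an O10 Winsock LSP the tool does not recognise, an O16 ActiveX control with no registered description, and a service with no publisher. It also summarises an Avenger log so that a deletion which failed with status 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) is reported as "key was already absent" rather than as a fix that did not take, and labels each deleted key with the persistence mechanism it belongs to. The sample lines are copied from the logs posted above; the flagging rules are my own heuristics, not HijackThis's verdicts.

```python
import re
from typing import Dict, List, Tuple

# Sample HijackThis entries copied from the log posted above (a subset, used as test input).
SAMPLE_HJT_LINES = [
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe",
    r"O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    r"O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab",
    r"O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://fortunelounge.microgaming.com/g ... lashAX.cab",
    r"O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe",
]

# Sample Avenger output copied from the log posted above.
SAMPLE_AVENGER_LINES = [
    r"Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} deleted successfully.",
    r"Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe not found!",
    r"Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe failed!",
    r"Status: 0xc0000034",
    r"Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{484F4D45-3248-4f4d-4532-484F4D453248} deleted successfully.",
]

# Every HijackThis entry starts with a section tag such as R0, O2, O23.
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def triage_hjt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for entries a helper should look at first.

    These are review prompts, not malware verdicts: an orphaned entry is usually
    just leftover configuration, and an unknown LSP may be a legitimate provider.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((sec, "orphaned entry: target file absent", line))
        if sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "browser helper object with no name", line))
        if sec == "O10":
            findings.append((sec, "Winsock LSP not in HijackThis's known-good list", line))
        # A DPF entry normally carries "(Description)" right after the CLSID.
        if sec == "O16" and not re.search(r"\}\s*\(", body):
            findings.append((sec, "ActiveX control with no registered description", line))
        if sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with no publisher information", line))
    return findings


# NTSTATUS values this script knows how to explain (only the one seen in the log above).
NTSTATUS_NAMES = {"0xc0000034": "STATUS_OBJECT_NAME_NOT_FOUND"}

# Registry locations named in the Avenger log, and what loading from them means.
PERSISTENCE_HINTS = [
    (r"\\winlogon\\notify\\", "Winlogon notification package (DLL loaded by winlogon.exe at boot)"),
    (r"\\active setup\\installed components\\", "Active Setup component (runs once per user at logon)"),
    (r"\\image file execution options\\", "IFEO debugger redirection of the named executable"),
]


def describe_status(code: str) -> str:
    return NTSTATUS_NAMES.get(code.lower(), "unknown NTSTATUS")


def classify_key(key: str) -> str:
    low = key.lower()
    for pattern, label in PERSISTENCE_HINTS:
        if re.search(pattern, low):
            return label
    return "unclassified"


def summarize_avenger(lines: List[str]) -> Dict[str, list]:
    """Group Avenger results into deleted keys and failed deletions with their status."""
    result: Dict[str, list] = {"deleted": [], "failed": []}
    pending = None  # key whose "failed!" line is waiting for its "Status:" line
    for raw in lines:
        line = raw.strip()
        m = re.match(r"^Registry key (.+) deleted successfully\.$", line)
        if m:
            result["deleted"].append((m.group(1), classify_key(m.group(1))))
            continue
        m = re.match(r"^Deletion of registry key (.+) failed!$", line)
        if m:
            pending = m.group(1)
            continue
        m = re.match(r"^Status: (0x[0-9a-fA-F]+)$", line)
        if m and pending is not None:
            # 0xc0000034 means the key was never there, so nothing was left behind.
            result["failed"].append((pending, m.group(1), describe_status(m.group(1))))
            pending = None
    return result


if __name__ == "__main__":
    for sec, reason, line in triage_hjt(SAMPLE_HJT_LINES):
        print(f"[{sec}] {reason}\n    {line}")
    summary = summarize_avenger(SAMPLE_AVENGER_LINES)
    for key, label in summary["deleted"]:
        print(f"deleted: {key}\n    {label}")
    for key, code, name in summary["failed"]:
        print(f"failed:  {key}\n    {code} ({name})")
```

Run as-is it prints the flagged entries and the Avenger summary; feed it a full log by reading the file into a list of lines. The script deliberately stops at "look here": confirming whether a flagged file is malicious is the step the helper takes next in this thread, by uploading it to a multi-engine scanner.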

Re: help can't remove malware

Post by random/random » November 21st, 2007, 12:14 pm

Please run dss.exe again and post the log it produces
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Post by jemma_79 » November 21st, 2007, 4:54 pm

Deckard's System Scanner v20071014.68
Run by user on 2007-11-21 20:52:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52:35, on 21/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wireless LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-GB ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-a8637465bb4ac20b.spaces.live ... nPUpld.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://fortunelounge.microgaming.com/g ... lashAX.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://smiley.oberon-media.com/online/o ... der_v6.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9283 bytes

-- Files created between 2007-10-21 and 2007-11-21 -----------------------------

2007-11-21 12:42:50 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-11 20:38:09 3702 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-11 20:23:08 0 d-------- C:\WINDOWS\system\SmitfraudFix <SMITFR~1>
2007-11-11 20:22:44 1043074 --a------ C:\WINDOWS\system\SmitfraudFix.exe
2007-11-11 20:10:47 0 d-------- C:\Program Files\SmitfraudFix <SMITFR~1>
2007-11-11 19:37:15 25600 --a------ C:\WINDOWS\system\WS2Fix.exe
2007-11-11 19:37:15 289144 --a------ C:\WINDOWS\system\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-11 19:37:15 167936 --a------ C:\WINDOWS\system\unzip.exe
2007-11-11 19:37:15 40960 --a------ C:\WINDOWS\system\swsc.exe
2007-11-11 19:37:15 135168 --a------ C:\WINDOWS\system\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2007-11-11 19:37:14 288417 --a------ C:\WINDOWS\system\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-11 19:37:14 20480 --a------ C:\WINDOWS\system\SmiUpdate.exe <Not Verified; S-Software; SmiUpdate>
2007-11-11 19:37:14 1497667 --a------ C:\WINDOWS\system\SmitfraudFix.cmd
2007-11-11 19:37:14 16384 --a------ C:\WINDOWS\system\restart.exe <Not Verified; WareSoft Software; restart>
2007-11-11 19:37:14 24576 --a------ C:\WINDOWS\system\Reboot.exe <Not Verified; Option; Explicit Software>
2007-11-11 19:37:14 53248 --a------ C:\WINDOWS\system\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-11 19:37:14 77824 --a------ C:\WINDOWS\system\HostsChk.exe <Not Verified; S!Ri.URZ; Hosts Check>
2007-11-11 19:37:14 82432 --a------ C:\WINDOWS\system\GenericRenosFix.exe <Not Verified; S!Ri; >
2007-11-11 19:37:14 1536 --a------ C:\WINDOWS\system\exit.exe
2007-11-11 19:37:14 0 d-------- C:\SmitfraudFix <SMITFR~1>
2007-11-08 02:36:25 0 d-------- C:\Program Files\Windows Live Toolbar
2007-11-08 02:36:25 0 d-------- C:\Program Files\MSXML 4.0
2007-11-08 02:36:25 0 d-------- C:\Program Files\Common Files\ODBC
2007-11-08 02:36:13 0 d-------- C:\Program Files\Common Files\xing shared
2007-11-07 22:36:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-07 20:48:41 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2007-11-21 12:46:39 0 d-------- C:\Program Files\Windows Live
2007-11-21 12:42:50 0 d-------- C:\Program Files\Common Files
2007-11-15 14:51:53 0 d-------- C:\Documents and Settings\user\Application Data\PlayFirst
2007-11-11 23:05:01 30489 --a------ C:\Documents and Settings\user\Application Data\tmp3.tmp
2007-11-08 02:36:25 0 d-------- C:\Program Files\SilverCreekCommonFiles
2007-11-08 02:36:23 0 d-------- C:\Program Files\Google
2007-11-08 02:36:16 0 d-------- C:\Documents and Settings\user\Application Data\AOL
2007-11-08 02:35:02 0 d-------- C:\Program Files\Common Files\AOL
2007-11-07 23:13:37 0 d-------- C:\Program Files\MSN Messenger
2007-11-07 19:55:04 67777 --a------ C:\Program Files\log malware.txt
2007-11-07 16:23:47 0 d-------- C:\Documents and Settings\user\Application Data\LimeWire
2007-10-29 10:49:54 0 d-------- C:\Program Files\Hardwood Spades
2007-10-28 22:08:56 0 d-------- C:\Program Files\Common Files\Real
2007-10-28 20:44:52 0 d-------- C:\Documents and Settings\user\Application Data\Google
2007-09-24 11:27:05 6970 --a------ C:\WINDOWS\system32\EPPICResdb0000
2007-09-24 11:27:05 121 --a------ C:\WINDOWS\system32\EPPICResdb


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [01/06/2006 08:48 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 10:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/07/2006 05:19]
"nwiz"="nwiz.exe" [12/07/2006 05:19 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/07/2006 05:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"TI WLAN"="C:\Program Files\Wireless LAN Utility\TIWLANCu.exe" [22/03/2007 17:54]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [22/06/2004 08:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 22:46]
"EPSON Stylus Photo R240 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.exe" [25/04/2005 05:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 02:06]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [07/09/2006 08:21]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [07/09/2006 08:17]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [10/06/2004 12:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 03:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [28/10/2007 22:08]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [28/09/2007 08:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [16/08/2007 15:19]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 12:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background




-- End of Deckard's System Scanner: finished at 2007-11-21 20:53:43 ------------
jemma_79
Regular Member
 
Posts: 44
Joined: November 9th, 2007, 6:42 pm

Re: help can't remove malware

Post by random/random » November 21st, 2007, 6:44 pm

Then please upload this file:

C:\WINDOWS\system\exit.exe

To either jotti or virustotal & post the results as a reply to this topic
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Re: help can't remove malware

Post by 'KotaGuy » December 14th, 2007, 10:02 am

This topic is now closed due to inactivity. If you wish it to be reopened, please send an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada