Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Mlaware removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Mlaware removal

Unread postby Killiney » April 17th, 2008, 9:48 am

I have been advised by a Technical Administrator of another forum I am on to come here for help, so here I am.

Angus [the Technical Admin] has been trying to help me so far with the problem, but feels that I need someone with more expertise.

Right, well, I honestly don't know what to say, or do here, so please help me.

Well, the board says to post a HijackThis log here, so I'll do that

I hope this fits

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:17, on 17/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\acer\epm\epm.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe


--
End of file - 2695 bytes

I'm sorry if I'm baffled by the layout of the board, I'm new, and I didn't know where, or what to post.
Killiney
Regular Member
 
Posts: 30
Joined: April 17th, 2008, 9:35 am
Advertisement
Register to Remove

Re: Mlaware removal

Unread postby Katana » April 19th, 2008, 5:40 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

----------------------------------------------------------------------------------------
Hi Killiney,

This is the right place :)
Can you please post the full HJT log, and also can you give me a description of your problems
( or a link to the thread where Angus was helping)

Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mlaware removal

Unread postby Killiney » April 19th, 2008, 6:14 pm

Firstly, I did a scan on HijackThis, and gave you the complete log, secondly, here is the link, though the thread is no longer active after a joint decision that we were troubling the forum:

http://forums.moyabrennan.com/viewtopic.php?t=2716

That's what we have started working out so far, then I was advised to seek this forum's help.

A description of my problems? I honestly don't know how to describe them, but you have the link if I do not make sense.

Angus, in the aforementioned forum noticed a few programs on my laptop that shouldn't be there. I first noticed I was recieving a notification from my Google pop up blocker that 'popus were blocked', little realising that it was just a popup for the PM thingy on the foru, then as we delved deeper, we uncovered several programmes that shouldn't be there.

Angus first said that it could be malware, then we went further down into everything, and we uncovered that I had installed, unkowingly, a rogue antivirus software, which Angus [username - Angoid] said was most certainly an infection, and 'calls the lads in to cause you more problems' [his words], and he suggested I install an anti spyware program, which I did, and then an anti smitfraud programe, then we dug down, and Spybot Search and Destroy came up with a load of websites that it had 'pre-emptively' put there to stop infections getting on to my pc presumably, and then I went back and deleted the log as requested incase someone accidently clicked the links, then I did another HijackThis scan and posted the log, and at the end, we found a programme that is aggressively resisting removal.

Sorry if I couldn't be of any help with that, I'm baffled by technical jargon.
Killiney
Regular Member
 
Posts: 30
Joined: April 17th, 2008, 9:35 am

Re: Mlaware removal

Unread postby Katana » April 19th, 2008, 7:22 pm

Hi Killiney,

That link is perfect :)
I will review that thread and get back with some instructions ASAP.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mlaware removal

Unread postby Katana » April 19th, 2008, 7:45 pm

OK, it looks like there are some problems there still.

If you look back at the HJT logs that you posted for Angoid, you will see a section like -----
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe


The log you posted here does not have that section, that is why I asked you to post the full log :)
Don't worry, this next tool should tell us what is happening


Deckard's System Scanner (DSS)

Please download and save LINK >>> Deckard's System Scanner (DSS) <<< LINK to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

You may need more than one post as they can be quite big logs.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Malware removal

Unread postby Killiney » April 19th, 2008, 8:05 pm

Hi,

That was a full log, but we removed some of them with the 'fix this' button on HJT.

I hope you can guage what's going on from that link.

I won't be able to do anything at the moment as it is 01.04am, but I will do this today as I can't concentrate properly at the moment, I've marked the notification as 'unread' in my mailbox, so I'll see what happens in a few hours.
Killiney
Regular Member
 
Posts: 30
Joined: April 17th, 2008, 9:35 am

Re: Malware removal

Unread postby Killiney » April 20th, 2008, 6:37 am

Log from main.txt

Deckard's System Scanner v20071014.68
Run by jan1 on 2008-04-20 11:02:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
57: 2008-04-20 10:05:47 UTC - RP190 - Deckard's System Scanner Restore Point
56: 2008-04-19 12:30:40 UTC - RP189 - Software Distribution Service 3.0
55: 2008-04-18 17:49:14 UTC - RP188 - Installed iTunes
54: 2008-04-13 12:20:52 UTC - RP187 - Software Distribution Service 3.0
53: 2008-04-13 09:44:17 UTC - RP186 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-01-06 23:59:46 UTC - RP134 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as jan1.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:45, on 20/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\jan1\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jan1.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (hej7rla5aqambc) - Unknown owner - C:\WINDOWS\system32\uvese.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 12242 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080404-203849-432 R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
backup-20080404-203849-349 O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
backup-20080404-203849-128 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... YYYYYYYYGB
backup-20080404-203849-524 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
backup-20080405-104252-144 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
backup-20080409-111121-239 R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
backup-20080409-111121-717 O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
backup-20080409-111121-497 O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
backup-20080409-111121-892 O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
backup-20080409-111121-706 O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
backup-20080409-111121-529 O4 - HKLM\..\RunServices: [uvese] C:\WINDOWS\system32\uvese.exe
backup-20080409-111121-796 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R1 Hotkey - c:\windows\system32\drivers\hotkey.sys
R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
R2 int15.sys - c:\acer\empowering technology\erecovery\int15.sys
R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; Avocent/OSA Technologies Inc.; Windows (R) Server 2003 DDK driver>
R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows (R) 2000 DDK provider; OSA int15 Driver>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 POWERKEY - c:\program files\launch manager\powerkey.sys

S1 Wbutton - c:\windows\system32\drivers\wbutton.sys (file missing)
S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer eManager for Notebook>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 hej7rla5aqambc (Print Spooler Service) - c:\windows\system32\uvese.exe /service (file missing)
S2 KService - "c:\program files\kontiki\kservice.exe" <Not Verified; Kontiki Inc.; Delivery Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-20 10:56:04 252 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-04-18 18:01:26 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-20 and 2008-04-20 -----------------------------

2008-04-18 18:59:31 0 d-------- C:\Documents and Settings\jan1\Application Data\Apple Computer
2008-04-18 18:54:21 0 d-------- C:\Program Files\iPod
2008-04-18 18:51:45 0 d-------- C:\Program Files\iTunes
2008-04-18 18:22:15 0 d-------- C:\Program Files\QuickTime
2008-04-18 18:19:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-18 17:59:51 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 17:48:08 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 17:47:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-13 13:25:46 0 d--hs---- C:\FOUND.039
2008-04-12 13:42:40 0 d--hs---- C:\FOUND.038
2008-04-11 10:06:42 0 d--hs---- C:\FOUND.037
2008-04-09 11:12:01 0 d-------- C:\!KillBox
2008-04-09 10:19:03 0 d-------- C:\Documents and Settings\jan1\Application Data\Leadertech
2008-04-08 21:49:52 0 d--hs---- C:\FOUND.036
2008-04-08 19:16:54 0 d--hs---- C:\FOUND.035
2008-04-08 18:59:22 0 d--hs---- C:\FOUND.034
2008-04-05 18:34:34 0 dr-h----- C:\$VAULT$.AVG
2008-04-05 18:15:13 0 d-------- C:\Documents and Settings\jan1\Application Data\AVG7
2008-04-05 18:08:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-05 18:07:11 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-05 10:26:19 0 dr-h----- C:\Documents and Settings\jan1\Recent
2008-04-04 20:16:09 5686 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-04 20:15:31 85504 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-04 17:56:43 0 d-------- C:\Program Files\MorpheusBar
2008-04-03 22:27:36 0 d-------- C:\WINDOWS\network diagnostic
2008-03-21 10:12:28 0 d--hs---- C:\FOUND.033


-- Find3M Report ---------------------------------------------------------------

2008-03-19 14:01:06 0 d-------- C:\Program Files\Transparent
2008-02-21 13:30:10 0 d-------- C:\Documents and Settings\jan1\Application Data\PC Tools
2008-01-27 14:37:54 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [19/05/2005 17:09]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/01/2005 10:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/01/2005 10:31]
"SoundMan"="SOUNDMAN.EXE" [15/04/2005 11:01 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/02/2005 11:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/02/2005 11:11]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [26/10/2005 16:18]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [26/10/2005 16:11]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 05:00]
"PCMService"="C:\Program Files\Arcade\PCMService.exe" [09/03/2005 18:59]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [25/07/2005 13:36]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [30/08/2002 15:02]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [06/06/2005 11:52]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [16/09/2003 14:28]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [25/07/2005 10:45]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [25/07/2005 13:34]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [31/10/2005 19:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [14/03/2007 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37]
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [24/12/2007 14:03]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [07/05/2007 19:07]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [05/03/2007 13:40]
"FaxCenterServer"="C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" [07/05/2007 19:10]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 09:25]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/12/2007 14:53]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"rvr"="C:\WINDOWS\system32\rvr.exe" []
"uvese"="C:\WINDOWS\system32\uvese.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [24/12/2007 14:03]
"kdx"="C:\Program Files\KHost.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [04/05/2003 18:11:30]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [21/02/2008 11:10:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - INT15.SYS



-- Hosts -----------------------------------------------------------------------

127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 http://www.008k.com
127.0.0.1 008k.com
127.0.0.1 http://www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
127.0.0.1 032439.com

7900 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-20 11:31:13 ------------
Killiney
Regular Member
 
Posts: 30
Joined: April 17th, 2008, 9:35 am

Re: Mlaware removal

Unread postby Killiney » April 20th, 2008, 6:39 am

log from extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) M processor 1.50GHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 502.42 MiB / 253.79 MiB
Pagefile Memory (total/avail): 1225.82 MiB / 603.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.03 MiB

C: is Fixed (FAT32) - 35.47 GiB total, 17.86 GiB free.
D: is Fixed (FAT32) - 35.95 GiB total, 35.94 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG MP0804H - 74.56 GiB - 3 partitions
\PARTITION0 - Unknown - 3.13 GiB
\PARTITION1 (bootable) - Unknown - 35.48 GiB - C:
\PARTITION2 - Unknown - 35.96 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"="C:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe:*:Enabled:Lexmark Fax Solutions"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTORRENT"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe:*:Enabled:Device Monitor"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jan1\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NATHAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jan1
LOGONSERVER=\\NATHAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jan1\LOCALS~1\Temp
TMP=C:\DOCUME~1\jan1\LOCALS~1\Temp
USERDOMAIN=NATHAN
USERNAME=jan1
USERPROFILE=C:\Documents and Settings\jan1
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

jan1 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acer eManager for Notebook --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{827289F5-B44F-4E49-9993-840741585A62}
Acer ePowerManagement --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Acer GridVista --> C:\WINDOWS\UnInst32.exe GridV.UNI
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Arcade 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BBC iPlayer Download Manager --> MsiExec.exe /I {D466F3D9-510C-4729-B7D4-2E70490E4CDF}
Before You Know It 3.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{62BCDAA0-C982-4E67-80E7-1E78C081EB92}\Setup.exe" -l0x9
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
Google Photos Screensaver --> MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackCheck\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Launch Manager V1.0.8.8 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0846526-66DD-4DC9-A02C-98F9A2806812}\Setup.exe" -l0x9
Lexmark 3500-4500 Series --> C:\Program Files\Lexmark 3500-4500 Series\Install\x86\Uninst.exe
Lexmark Fax Solutions --> C:\Program Files\\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
Macrogaming SweetIM 2.1 --> MsiExec.exe /X{0FCEABBE-F07B-41A2-9D5C-0540E1F0B67F}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{ED79C7E1-386E-4C12-81C7-8FEFB6D396B5} /l1033 BUN4
NTI CD & DVD-Maker Gold --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{65C39C99-F2C0-4286-A37A-23182E9A5E8E} /l1033 CDM7
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Rifle Range --> C:\PROGRA~1\EGAMES\RIFLER~1\UNWISE.EXE C:\PROGRA~1\EGAMES\RIFLER~1\INSTALL.LOG
SoftV90 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_006A1025\HXFSETUP.EXE -U -IVEN_8086&DEV_266D&SUBSYS_006A1025
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SweetIM For Internet Explorer 3.0b --> MsiExec.exe /X{F6D63A65-BD23-46F3-B9A3-87F442423481}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
VideoEgg Publisher --> C:\Documents and Settings\jan1\Application Data\VideoEgg\Uninstall.exe
Windows Live installer --> MsiExec.exe /X{7BC43F11-02C8-45FA-ABDC-E2F9FF31F825}
Windows Live Messenger --> MsiExec.exe /X{33F8EAD4-B6EC-498B-B487-696B973D1C0C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{CB5EA99C-8A5B-49F2-9A1A-2EF78BE4DB41}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\YAHOO!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\YAHOO!\COMMON\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2113 / Error
Event Submitted/Written: 04/20/2008 11:15:49 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2090 / Warning
Event Submitted/Written: 04/19/2008 01:38:34 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type2075 / Warning
Event Submitted/Written: 04/18/2008 04:13:43 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Event Record #/Type2073 / Warning
Event Submitted/Written: 04/18/2008 04:12:16 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Event Record #/Type2071 / Warning
Event Submitted/Written: 04/18/2008 04:11:20 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24428 / Error
Event Submitted/Written: 04/20/2008 11:07:11 AM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the Apple Mobile Device service.

Event Record #/Type24427 / Error
Event Submitted/Written: 04/20/2008 11:07:11 AM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.

Event Record #/Type24426 / Error
Event Submitted/Written: 04/20/2008 11:02:41 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type24423 / Error
Event Submitted/Written: 04/20/2008 11:02:39 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type24420 / Error
Event Submitted/Written: 04/20/2008 11:02:39 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-04-20 11:31:13 ------------
Killiney
Regular Member
 
Posts: 30
Joined: April 17th, 2008, 9:35 am

Re: Mlaware removal

Unread postby Katana » April 20th, 2008, 9:51 am

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please note: you must NOT use this whilst we are cleaning your machine.


Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.



Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O23 - Service: Print Spooler Service (hej7rla5aqambc) - Unknown owner - C:\WINDOWS\system32\uvese.exe (file missing)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u6
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 6 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
    J2SE Runtime Environment 5.0 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Please run Hijack This again and post a fresh log
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mlaware removal

Unread postby Killiney » April 20th, 2008, 12:02 pm

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:50:04, on 20/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (hej7rla5aqambc) - Unknown owner - C:\WINDOWS\system32\uvese.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 11666 bytes
Killiney
Regular Member
 
Posts: 30
Joined: April 17th, 2008, 9:35 am

Re: Mlaware removal

Unread postby Katana » April 20th, 2008, 12:56 pm

Did you mean to leave this line ?

O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause



Download and Run ComboFix
  • Download Combofix from one of the links below :

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.



Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • ComboFix Log
  • Kaspersky Log
  • How are things running now ?
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mlaware removal

Unread postby Killiney » April 20th, 2008, 1:05 pm

katana wrote:Did you mean to leave this line ?

O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause


I'm sorry, I do not understand. Can you please explain what you mean by 'did you mean to leave this line'?.
Killiney
Regular Member
 
Posts: 30
Joined: April 17th, 2008, 9:35 am

Re: Mlaware removal

Unread postby Katana » April 20th, 2008, 1:24 pm

Killiney wrote:I'm sorry, I do not understand. Can you please explain what you mean by 'did you mean to leave this line'?.


In my previous post, I gave you a list of lines to fix using Hijack This.
One of the lines was O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause

This line still shows in your latest log.

I was asking if
1) you did not fix the line
OR
2) you did fix it and it came back
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Mlaware removal

Unread postby Killiney » April 20th, 2008, 1:40 pm

katana wrote:
Killiney wrote:I'm sorry, I do not understand. Can you please explain what you mean by 'did you mean to leave this line'?.


In my previous post, I gave you a list of lines to fix using Hijack This.
One of the lines was O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause

This line still shows in your latest log.

I was asking if
1) you did not fix the line
OR
2) you did fix it and it came back


Ah, I understand now. Sorry.

I think I may not have clicked the check box. Can you advise how to fix that?
Killiney
Regular Member
 
Posts: 30
Joined: April 17th, 2008, 9:35 am

Re: Mlaware removal

Unread postby Katana » April 20th, 2008, 2:04 pm

Killiney wrote:I think I may not have clicked the check box. Can you advise how to fix that?


Don't worry, just continue with the instructions HERE
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 301 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware