Did scan still infected ... please help


justice_dj23
02-04-2008, 11:56 AM
I was using Morpheus to download music and had trojans popping up left and right. I ran AVG and the Bitdefender online scan, and it deleted the many viruses that I had, but it said I was still infected. I deleted everything that said Morpheus on my computer through Add and Remove Programs. I don't know what to do from here. I saved the log; can someone please help me disinfect my computer? :frown:

I have 2 hard drives on my computer. One is for music and pictures; when Bitdefender went to scan that drive, it came up and said that I was still infected.

I am using a Compaq, 18 GB RAM, running Windows XP. This is my first time on your forum. I know about computers and I did everything that I could do. I am stuck. I did save the Bitdefender log if you need to see it. Anyone who can help me, please help! Thank you!

justice_dj23
02-04-2008, 12:17 PM
I ran HJT and here is the log. Thank you very much for helping me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:27 PM, on 2/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.alot.com/sidebar?pr=asst&client_id=7472830001C83EBA021275BA&install_time=14-12-2007:20:33&src_id=11003&tb_version=1.0.1.0&q=&url=http://www.yahoo.com/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 5367 bytes

justice_dj23
02-04-2008, 12:25 PM
I had SP2 before and my computer got messed up. But I can't remember what happened. I would like to have it on there. But I don't know how to do it. Thank you, Black Mirror for your help.

chryssi2001
02-04-2008, 01:25 PM
Hello justice :), I was asked by BlackMirror to help.

I am an authorised malware helper.

As soon as your computer is clean you should update to SP2, and install a firewall.

Please do not use P2P programs while I am trying to get your PC cleaned.
You will bring more infections onto it.
I would suggest you uninstall them completely, but that's your choice.
---------------------------------------------
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and Save it to your desktop.

Don't use it yet.
---------------------------------------------
Go to Start-Settings-Control Panel, click on Add remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

alot

---------------------------------------------
Disable AVG Anti-Spyware

Please disable AVG Anti-Spyware until the computer is clean.

Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
Reply 'no' and set it to 'inactive' for the duration of your cleanup.

Don't forget to re-enable it, when your computer is clean.
---------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.alot.com/sidebar?pr=as...www.yahoo.com/ (obfuscated)
O2 - BHO: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll


Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.
---------------------------------------------
OTMoveIt2

Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Program Files\alot


Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
---------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Post that log back here.

---------------------------------------------
Post back:
A new HijackThis log.
OTMoveIt2 report.
Malwarebytes' Anti-Malware report.
Tell me how the pc behaves now.
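
The "Fix checked" step above is a manual triage of the HijackThis log: the helper reads the R0/O2/O3 lines and picks out the ones tied to the alot toolbar. The script below is an added example (not code from this thread, not part of HijackThis, and not the helper's own method) that does the same triage programmatically over a constructed excerpt of the poster's first log. The only indicators it knows are the ones this thread establishes: the ALOT eMusic Toolbar CLSID, the search.alot.com search hijack, and the C:\Program Files\alot folder; treating those as the complete bad list is an assumption made for the example.

```python
"""Triage a HijackThis log: parse the R/O lines and list the ones to tick
before clicking "Fix checked".  Added example, not the thread's own code."""
import re
from dataclasses import dataclass, field

# Indicators taken from this thread only (assumption: nothing else is bad).
BAD_CLSIDS = {"{8260C2B8-E0D1-448A-B062-33D12D468BF0}"}   # ALOT eMusic Toolbar
BAD_HOSTS = {"search.alot.com"}                             # SearchAssistant hijack
BAD_DIRS = {r"c:\program files\alot"}                       # folder OTMoveIt2 was told to move

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
HOST_RE = re.compile(r"https?://([^/\s?]+)", re.I)
PATH_RE = re.compile(r"([A-Z]:\\.*?\.(?:exe|dll|ocx|lnk))", re.I)

# Constructed sample: a handful of lines copied from the poster's first log.
LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.alot.com/sidebar?pr=as...www.yahoo.com/ (obfuscated)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
"""


@dataclass
class Entry:
    section: str                      # "R0", "O2", "O3", ...
    raw: str                          # the log line as HijackThis shows it
    clsids: list = field(default_factory=list)
    hosts: list = field(default_factory=list)
    paths: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Turn the R/O lines of a HijackThis log into Entry objects.
    Header lines and the running-process list do not match LINE_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        e = Entry(section, line.strip())
        e.clsids = [c.upper() for c in CLSID_RE.findall(body)]   # CLSIDs are case-insensitive
        e.hosts = [h.lower() for h in HOST_RE.findall(body)]
        e.paths = [p.lower() for p in PATH_RE.findall(body)]
        entries.append(e)
    return entries


def triage(entries):
    """Attach a reason to every entry that matches an indicator; return only those."""
    for e in entries:
        if any(c in BAD_CLSIDS for c in e.clsids):
            e.reasons.append("known-bad CLSID")
        if any(h in BAD_HOSTS for h in e.hosts):
            e.reasons.append("search hijack host")
        if any(p.startswith(d + "\\") for p in e.paths for d in BAD_DIRS):
            e.reasons.append("loads from unwanted program folder")
    return [e for e in entries if e.reasons]


def fix_list(text):
    """The raw lines to tick in HijackThis, in log order."""
    return [e.raw for e in triage(parse_log(text))]


if __name__ == "__main__":
    for e in triage(parse_log(LOG)):
        print(f"[{e.section}] {', '.join(e.reasons)}\n    {e.raw}")
```

On the sample it reports exactly the three lines the helper listed; a log where those lines are already gone (as in the poster's second log) yields an empty list, which is the "these were not present" case. The CLSID match is what matters most: a BHO and its toolbar share a CLSID, so one indicator catches both the O2 and the O3 entry.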

justice_dj23
02-04-2008, 02:12 PM
Please do not use P2P programs while I am trying to get your PC cleaned.
You will bring more infections onto it.
I would suggest you uninstall them completely, but that's your choice.
What do you mean by this?

---------------------------------------------
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and Save it to your desktop.

Don't use it yet.
---------------------------------------------
Go to Start-Settings-Control Panel, click on Add remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

alot

---------------------------------------------



I removed alot through Add/Remove.

Please disable AVG Anti-Spyware until the computer is clean.

Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
Reply 'no' and set it to 'inactive' for the duration of your cleanup.

Don't forget to re-enable it, when your computer is clean.
Done this.
---------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.alot.com/sidebar?pr=as...www.yahoo.com/ (obfuscated)
O2 - BHO: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.

These were not present.
---------------------------------------------
OTMoveIt2

Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Program Files\alot


Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

This is what happened and came up in the box on the right:


File/Folder C:\Program Files\alot not found.

OTMoveIt2 v1.0.17 log created on 02042008_134846

This is as far as I have gotten so far... I downloaded the anti-malware program (Malwarebytes) but have not installed it... Thank you very much Chrissy for your help so far... I am running this program currently...

justice_dj23
02-04-2008, 02:50 PM
Here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.02
Database version: 318

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 46148
Time elapsed: 27 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\System32\f02WtR (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


What is the next step that I should do? Thank you very much for your help.

chryssi2001
02-04-2008, 02:51 PM
Hello justice,

Did you also post in another forum?
Did you remove those lines yourself, or did another program you ran remove them?

Let me know what programs you have run up to now, for example SuperAntispyware or others.
Post a new HijackThis log, together with Malwarebytes' Anti-Malware report.

Our posts crossed. Please post a new HijackThis log.
---------------------------------
LIST OF PROGRAMS USING HIJACKTHIS

Open HijackThis.
Click on Open the Misc Tools section.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please copy and paste the contents of this log in your next reply.

See details in this link.
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
---------------------------------
Please post a new HijackThis log.

justice_dj23
02-04-2008, 02:58 PM
Hello justice,

Did you also post in another forum?

No, I have not posted in any other forums.

Did you remove those lines yourself, or did another program you ran remove them?

The lines got removed, I assume, from when I took alot out of Add/Remove Programs.

Let me know what programs you have run up to now, for example SuperAntispyware or others.

I used AVG and Bitdefender.
Post a new HijackThis log, together with Malwarebytes' Anti-Malware report.
I already posted the malware report; here is the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:34 PM, on 2/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 4853 bytes

justice_dj23
02-04-2008, 03:03 PM
Sorry Chrissy, but our paths crossed. Here is the log file you were referring to:

Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
AVG 7.5
AVG Anti-Spyware 7.5
Basic Webcam
Easy CD & DVD Creator 6
eMusic Download Manager 3.0
ESET Online Scanner
HijackThis 2.0.2
Mahjongg Master 3
Malwarebytes' Anti-Malware
PhoTags Express
Pop-Up Stopper Free Edition
Rahjongg The Curse of Ra
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Uninstall Dual Mode Camera
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Win A Million
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Yahoo! Anti-Spy
Yahoo! Messenger
Yahoo! Toolbar
ZyDAS IEEE 802.11 b+g Wireless LAN - USB

chryssi2001
02-04-2008, 03:05 PM
Please post a programs list, see my previous post.

justice_dj23
02-04-2008, 03:17 PM
Please post a programs list, see my previous post.

I'm very sorry Chrissy, but our paths crossed and that was my mistake... I misread your instructions... see the last post on page 2... thank you again for all of your help thus far. :)

justice_dj23
02-04-2008, 05:29 PM
Should I run the SUPERAntiSpyware program now? And is my computer now virus free? :confused:

kelly
02-04-2008, 06:08 PM
Run the SAS.

justice_dj23
02-04-2008, 07:58 PM
Thank you everyone that helped me. I appreciate it!! :)

chryssi2001
02-05-2008, 12:53 AM
Hello justice,

Alot_Toolbar - detected by Kaspersky antivirus as AdWare.Win32.Comet.be

This is the information I have about the toolbar which I told you to remove.
-----------------------------------------
As far as I am concerned your PC is clean now. No need for me to run another scan.

I see you have eMusic Download Manager. Be careful.
The program is not bad, it's the way it works, when you download music.
-----------------------------------------
Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

-----------------------------------------
I am not removing Malwarebytes' Anti-Malware, you can use it often to scan your pc for infections.
-----------------------------------------
This is a good time to clear your existing system restore points and establish a new clean restore point:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
-----------------------------------------
Update Your Windows XP to SP2.

Go to Microsoft (http://www.microsoft.com/windowsxp/sp2/default.mspx) and update to SP2.

After doing so, set automatic updates on.

If you have difficulties after that with certain programs, this is a very good forum and they will help you.
-----------------------------------------
Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.5.1
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Find the changes from the older version 1.4 here (http://www.safer-networking.org/en/spybotsd15/index.html)

Install Spyware Guard
Download it from here (http://www.javacoolsoftware.com/spywareguard.html)
Find the tutorial on how to use Spyware Guard here (http://www.bleepingcomputer.com/tutorials/tutorial50.html)

Install SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.

Happy safe surfing!
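
The HOSTS file advice above works because Windows consults the HOSTS file before DNS, so a hostname mapped to 127.0.0.1 (or 0.0.0.0, which block lists also use) never reaches the real server. The script below is an added example, not the MVPS file and not code from this thread or any project: it parses a HOSTS file in that layout, answers whether a given name is blocked, and lists mappings that point somewhere other than a sinkhole address. That last check matters in a cleanup like this one, since a HOSTS file that redirects a vendor's update site to a real address is a common sign of tampering. SAMPLE is constructed and its hostnames are illustrative only.

```python
"""Parse a Windows HOSTS file, test whether a name is sinkholed, and flag
entries that redirect a name to a real address.  Added example; SAMPLE is
constructed and the hostnames in it are not real sites."""
import ipaddress

# Either address is commonly used as the "go nowhere" target in block lists.
SINKHOLES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}

# Constructed sample in HOSTS layout (assumption: illustrative names only).
SAMPLE = """\
# comment lines and blank lines are ignored
127.0.0.1  localhost

0.0.0.0    ads.example-tracker.net  www.example-tracker.net   # two names on one line
127.0.0.1  banner.example-ads.net   # trailing comment
# a hijacked HOSTS file looks like this: a vendor's site pointed at a real address
203.0.113.9  update.example-av.net
"""


def parse_hosts(text):
    """Return (ip, hostname, line_number) for every mapping in a HOSTS file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments, leading/trailing space
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line; a real tool would warn
        for host in fields[1:]:                   # one address may carry several names
            entries.append((ip, host.lower().rstrip("."), lineno))
    return entries


def is_blocked(entries, hostname):
    """True if the exact hostname is mapped to a sinkhole address.
    HOSTS matching is exact: blocking a parent does not cover its subdomains."""
    name = hostname.lower().rstrip(".")
    return any(host == name and ip in SINKHOLES for ip, host, _ in entries)


def suspicious(entries):
    """Mappings to a non-sinkhole address other than localhost.  Anything here
    that you did not add yourself is the signature of a hijacked HOSTS file."""
    return [(host, str(ip), lineno)
            for ip, host, lineno in entries
            if ip not in SINKHOLES and host != "localhost"]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE)
    for name in ("ads.example-tracker.net", "sub.ads.example-tracker.net"):
        print(f"{name}: {'blocked' if is_blocked(hosts, name) else 'not blocked'}")
    for host, ip, lineno in suspicious(hosts):
        print(f"line {lineno}: {host} -> {ip} (check this one)")
```

The subdomain case is the caveat to keep in mind with a HOSTS-based block list: ads.example-tracker.net is blocked, sub.ads.example-tracker.net is not, which is why lists like MVPS grow so many near-duplicate names. On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; running suspicious() over it after a cleanup is a quick way to confirm nothing was left pointing security-update sites elsewhere.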

justice_dj23
02-05-2008, 09:48 AM
I'm still getting trojans popping up and I have Lop virus again also. What should I do now? :confused:

chryssi2001
02-05-2008, 09:56 AM
Hi justice,

Can I have a new HijackThis log please? Did you have Lop before? It didn't show in your last HijackThis log.

justice_dj23
02-05-2008, 10:01 AM
Hi justice,

Can I have a new HijackThis log please? Did you have Lop before? It didn't show in your last HijackThis log.


I had Lop before. Here is my HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:13 AM, on 2/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 4984 bytes
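
An added example (not code from this thread, from HijackThis or from DSS): a small Python parser for the HijackThis log format that also diffs two scans of the same machine, which is the comparison a helper makes by eye when asking whether an entry showed up in an earlier log. The two sample logs are trimmed copies of the 10:00 AM and 11:02 AM logs posted in this thread.

```python
"""Parse HijackThis 2.0.2 logs and diff two scans of the same machine.

Added example; not code from the forum thread, HijackThis or Deckard's
System Scanner. LOG_1000 and LOG_1102 are trimmed from the two logs the
poster supplied (scans at 10:00 and 11:02 on 2/5/2008).
"""
import re
from dataclasses import dataclass

# Entry lines look like:  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
# Registry Run items inside an O4 entry:  <hive>\..\Run: [<value name>] <command>
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # section code: R0, R1, O2, O4, O16, O20, O23, ...
    body: str   # rest of the line, left unparsed


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, entries)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return processes, entries


def run_items(entries):
    """Map each O4 registry Run value name to (hive, command line)."""
    items = {}
    for e in entries:
        if e.kind != "O4":
            continue
        m = RUN_RE.match(e.body)
        if m:                            # "Global Startup" O4 lines do not match and are skipped
            items[m.group("name")] = (m.group("hive"), m.group("cmd"))
    return items


def diff_logs(old_text, new_text):
    """Report processes and entries that appeared or vanished between two scans."""
    old_procs, old_entries = parse_hjt(old_text)
    new_procs, new_entries = parse_hjt(new_text)
    return {
        "procs_added": sorted(set(new_procs) - set(old_procs)),
        "procs_removed": sorted(set(old_procs) - set(new_procs)),
        "entries_added": sorted(e.body for e in set(new_entries) - set(old_entries)),
        "entries_removed": sorted(e.body for e in set(old_entries) - set(new_entries)),
    }


# Trimmed from the 10:00 AM log posted in the thread.
LOG_1000 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:13 AM, on 2/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

--
End of file - 4984 bytes
"""

# Trimmed from the 11:02 AM log embedded in the DSS report; same entries, different processes.
LOG_1102 = LOG_1000.replace("10:00:13", "11:02:16").replace(
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\n"
    "C:\\WINDOWS\\System32\\wuauclt.exe\n"
    "C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe\n",
    "C:\\Documents and Settings\\Erin\\Desktop\\dss.exe\n"
    "C:\\PROGRA~1\\TRENDM~1\\HIJACK~1\\Erin.exe\n",
)

if __name__ == "__main__":
    for key, values in diff_logs(LOG_1000, LOG_1102).items():
        print(key, values)
```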

chryssi2001
02-05-2008, 10:11 AM
Hi justice,

I'm still getting trojans popping up and I have Lop virus again
Lop is not showing. What are the symptoms you get? What are the trojans popping up?
----------------------------------------
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

justice_dj23
02-05-2008, 10:17 AM
How do you know if you're using an Administrator account, and if not, how do you change it? I have had the problem with Lop off and on since fall. I don't know what the trojans were; I just healed them, but was forced to send them to the vault in AVG and then empty the vault. I didn't have the chance to do this this morning with the restore points b/c the virus immediately came up.

chryssi2001
02-05-2008, 10:24 AM
Are you the owner of this PC? If yes, you are set as Administrator. I doubt I will find anything in the DSS scan, since you healed and moved the infections to the vault.
Can you open AVG7 vault, and copy here the infected file names, with the path please?
Example: C:\windows\system32\file name

To be easier for you, copy them in Notepad and post them back here.

justice_dj23
02-05-2008, 10:32 AM
Are you the owner of this PC? If yes, you are set as Administrator. I doubt I will find anything in the DSS scan, since you healed and moved the infections to the vault.
Can you open AVG7 vault, and copy here the infected file names, with the path please?
Example: C:\windows\system32\file name

To be easier for you, copy them in Notepad and post them back here.


This is my computer but I don't think that I am set as the administrator b/c a friend tried to help me and not to keep myself as the administrator on the account.

My initial scan from AVG came up clean, but while I was on the internet the trojans popped up, and my vault is empty. I emptied it. I can't find anywhere in AVG where the file names or paths are. Please help!!

kern
02-05-2008, 10:44 AM
Justice,
Open Control Panel, select 'User Accounts' applet. You can view all the accounts that have been created as well as their status.

Rob

justice_dj23
02-05-2008, 10:48 AM
Thank you. I am the administrator. Should I run that one scan now?

kern
02-05-2008, 10:56 AM
Thank you. I am the administrator. Should I run that one scan now?

Justice,
If you're still having problems, yes.

btw, did SAS find anything?

Rob

justice_dj23
02-05-2008, 11:07 AM
Justice,
If you're still having problems, yes.

btw, did SAS find anything?

Rob

SAS found 114 adware tracking cookies and 1 malware, which was an antivirus program that I didn't put on there. It deleted everything. Here are the scan results:


Deckard's System Scanner v20071014.68
Run by Erin on 2008-02-05 11:00:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
75: 2008-02-05 16:00:50 UTC - RP232 - Deckard's System Scanner Restore Point
74: 2008-02-04 23:16:17 UTC - RP231 - Installed SUPERAntiSpyware Free Edition
73: 2008-02-04 16:22:56 UTC - RP230 - Removed Ad-Aware 2007
72: 2008-02-03 20:20:32 UTC - RP229 - System Checkpoint
71: 2008-02-02 06:27:29 UTC - RP228 - System Checkpoint


-- First Restore Point --
1: 2007-11-19 19:21:04 UTC - RP158 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 352 MiB (512 MiB recommended).


-- HijackThis (run as Erin.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:16 AM, on 2/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Erin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Erin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 4934 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 JL2005C (Dual Mode Camera) - c:\windows\system32\drivers\jl2005c.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel 21143-Based PCI Fast Ethernet Adapter (Generic)
Device ID: PCI\VEN_1011&DEV_0019&SUBSYS_B0BB0E11&REV_41\2&EBB567F&0&28
Manufacturer: Intel
Name: Intel 21143-Based PCI Fast Ethernet Adapter (Generic)
PNP Device ID: PCI\VEN_1011&DEV_0019&SUBSYS_B0BB0E11&REV_41\2&EBB567F&0&28
Service: DC21x4

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: IEEE 1394 Controller
Device ID: PCI\VEN_9004&DEV_5800&SUBSYS_B0CB0E11&REV_10\2&EBB567F&0&38
Manufacturer:
Name: IEEE 1394 Controller
PNP Device ID: PCI\VEN_9004&DEV_5800&SUBSYS_B0CB0E11&REV_10\2&EBB567F&0&38
Service:


-- Files created between 2008-01-05 and 2008-02-05 -----------------------------

2008-02-05 09:56:46 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-04 18:14:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 14:15:04 0 d-------- C:\Documents and Settings\Erin\Application Data\Malwarebytes
2008-02-04 14:14:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-04 12:36:15 0 d-------- C:\Program Files\EsetOnlineScanner
2008-02-04 12:15:02 0 d-------- C:\Program Files\Trend Micro
2008-02-04 09:58:33 0 d-------- C:\WINDOWS\BDOSCAN8
2008-02-02 16:11:54 0 d-------- C:\WINDOWS\System32\nGpxx01
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-05 18:12:55 0 d-------- C:\Documents and Settings\Erin\Application Data\Roxio


-- Find3M Report ---------------------------------------------------------------

2007-12-14 21:33:26 0 d-------- C:\Program Files\Morpheus
2007-12-14 20:33:10 0 d-------- C:\Program Files\eMusic Download Manager
2007-12-06 08:00:48 11977423 -----n--- C:\avg7qt.dat
2007-12-06 00:09:34 0 d-------- C:\Program Files\PhoTags Express
2007-12-06 00:02:00 0 d-------- C:\Program Files\MyDSC2
2007-12-06 00:02:00 0 d-------- C:\Program Files\JL2005C
2007-12-06 00:01:56 0 d-------- C:\Program Files\JL2005D


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/22/2007 09:46 AM]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/2003 06:44 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [07/18/2003 05:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE" [03/17/2005 11:10 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/2007 03:22 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [8/20/2007 9:57:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background




-- End of Deckard's System Scanner: finished at 2008-02-05 11:03:24 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel Pentium II processor
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 351.55 MiB / 126.18 MiB
Pagefile Memory (total/avail): 855.17 MiB / 587.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.71 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 18.64 GiB total, 13.01 GiB free.
D: is Fixed (FAT32) - 7.46 GiB total, 3.28 GiB free.
E: is Removable (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE2 - IOMEGA ZIP 100

\\.\PHYSICALDRIVE1 - QUANTUM Bigfoot TX8.0AT - 7.48 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 7.48 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD200BB-00DEA0 - 18.64 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 18.65 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Erin\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-LQNSTGCS77
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Erin
LOGONSERVER=\\HOME-LQNSTGCS77
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 5 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0502
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Erin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Erin\LOCALS~1\Temp
USERDOMAIN=HOME-LQNSTGCS77
USERNAME=Erin
USERPROFILE=C:\Documents and Settings\Erin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Erin (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Basic Webcam --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{701FD972-904D-458E-A7E5-6F1F13F3D946} /l1033
Easy CD & DVD Creator 6 --> MsiExec.exe /I{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}
eMusic Download Manager 3.0 --> C:\Program Files\eMusic Download Manager\uninst.exe
ESET Online Scanner --> C:\WINDOWS\System32\OnlineScannerUninstaller.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Mahjongg Master 3 --> C:\PROGRA~1\EGAMES\MAHJON~1\UNWISE.EXE C:\PROGRA~1\EGAMES\MAHJON~1\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
PhoTags Express --> C:\PROGRA~1\PHOTAG~1\Setup.exe /remove /q0
Pop-Up Stopper Free Edition --> C:\PROGRA~1\PANICW~1\POP-UP~1\UNWISE.EXE C:\PROGRA~1\PANICW~1\POP-UP~1\INSTALL.LOG
Rahjongg The Curse of Ra --> C:\PROGRA~1\EGAMES\RAHJON~1\UNWISE.EXE C:\PROGRA~1\EGAMES\RAHJON~1\INSTALL.LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Uninstall Dual Mode Camera --> "C:\Program Files\JL2005D\unins000.exe"
Win A Million --> C:\PROGRA~1\EGAMES\WINAMI~1\UNWISE.EXE C:\PROGRA~1\EGAMES\WINAMI~1\INSTALL.LOG
Yahoo! Anti-Spy --> C:\PROGRA~1\YAHOO!\COMMON\unypsr.exe
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZyDAS IEEE 802.11 b+g Wireless LAN - USB --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{581CE7EA-A30D-0000-1211-088635773309}\setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type544 / Error
Event Submitted/Written: 02/05/2008 09:43:41 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-02-05 14:43:41,295 HOME-LQNSTGCS77 [001652:001712] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2644) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type532 / Error
Event Submitted/Written: 02/04/2008 00:49:19 PM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "PerfOS"
in the "C:\WINDOWS\System32\perfos.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type527 / Error
Event Submitted/Written: 02/04/2008 09:10:08 AM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "PerfOS"
in the "C:\WINDOWS\System32\perfos.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type526 / Error
Event Submitted/Written: 02/03/2008 03:45:06 PM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "PerfOS"
in the "C:\WINDOWS\System32\perfos.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type518 / Error
Event Submitted/Written: 02/02/2008 03:36:19 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3679 / Warning
Event Submitted/Written: 02/05/2008 09:34:43 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3622 / Warning
Event Submitted/Written: 02/03/2008 08:34:23 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3604 / Warning
Event Submitted/Written: 02/02/2008 09:26:16 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3601 / Warning
Event Submitted/Written: 01/31/2008 11:18:25 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3586 / Warning
Event Submitted/Written: 01/30/2008 11:31:32 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-02-05 11:03:24 ------------

kern
02-05-2008, 11:28 AM
Justice,
Download and install Process Explorer from Microsoft --->> http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

You can run it from the desktop and it will display nearly everything that is running on your system. Might give us more info on your problem.

Rob

justice_dj23
02-05-2008, 11:35 AM
I have no idea if I did this right, but here is what I came up with:


Process PID CPU Description Company Name
System Idle Process 0 85.85
Interrupts n/a 0.94 Hardware Interrupts
DPCs n/a 0.94 Deferred Procedure Calls
System 4 3.77
SMSS.EXE 552 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 616 0.94 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 640 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 684 3.77 Services and Controller app Microsoft Corporation
SVCHOST.EXE 848 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 872 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 940 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 972 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1248 Spooler SubSystem App Microsoft Corporation
ALG.EXE 1608 Application Layer Gateway Service Microsoft Corporation
AVGAMSVR.EXE 1652 AVG Alert Manager GRISOFT, s.r.o.
AVGUPSVC.EXE 1716 AVG Update Service GRISOFT, s.r.o.
AVGEMC.EXE 1764 AVG E-Mail Scanner GRISOFT, s.r.o.
SVCHOST.EXE 1848 Generic Host Process for Win32 Services Microsoft Corporation
WDFMGR.EXE 1892 Windows User Mode Driver Manager Microsoft Corporation
MsPMSPSv.exe 1940 WMDM PMSP Service Microsoft Corporation
dllhost.exe 2648 COM Surrogate Microsoft Corporation
msdtc.exe 3160 MS DTC console program Microsoft Corporation
LSASS.EXE 696 LSA Shell (Export Version) Microsoft Corporation
EXPLORER.EXE 1484 Windows Explorer Microsoft Corporation
AVGCC.EXE 1928 AVG Control Center GRISOFT, s.r.o.
DrgToDsc.exe 2000 Drag To Disc Application Roxio
PSFree.exe 2020 Pop-Up Stopper Free Edition Panicware, Inc.
YAHOOM~1.EXE 2032 Yahoo! Messenger Yahoo! Inc.
SUPERAntiSpyware.exe 2044 SUPERAntiSpyware SUPERAntiSpyware.com
ZDWlan.exe 176 0.94 IEEE 802.11 Wireless LAN Utility MFC Application
IEXPLORE.EXE 2540 Internet Explorer Microsoft Corporation
procexp.exe 1288 2.83 Sysinternals Process Explorer Sysinternals
notepad.exe 3104 Notepad Microsoft Corporation
notepad.exe 3080 Notepad Microsoft Corporation

chryssi2001
02-05-2008, 11:38 AM
Hello justice,

It's really obvious where you got infected from.
-------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Morpheus
eMusic Download Manager

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

Also available here (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=23812).

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
-------------------------------------------
OTMoveIt2.exe

Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\WINDOWS\System32\nGpxx01


Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
-------------------------------------------
Tell me if you still have pop-ups.

justice_dj23
02-05-2008, 11:50 AM
I took out the P2P. I am really confused right now. I did what you told me, I think. Here is a copy of what it showed. But I got a pop-up saying a file couldn't be deleted:


C:\WINDOWS\System32\nGpxx01 moved successfully.

OTMoveIt2 v1.0.17 log created on 02052008_114744
File delete failed. C:\Documents and Settings\Erin\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot.
File/Folder C:\avenger.zip not found.
File/Folder C:\Avenger not found.
File/Folder C:\avenger.txt not found.
File/Folder C:\bfu.zip not found.
File/Folder C:\BFU not found.
File/Folder C:\combofix.exe not found.
File/Folder C:\QooBox not found.
File/Folder C:\catchme.exe not found.
File/Folder C:\nircmd.exe not found.
File/Folder C:\swreg.exe not found.
File/Folder C:\Swxcacls.exe not found.
File/Folder C:\Swsc.exe not found.
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files deleted successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\WMD deleted successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\WMFA deleted successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp deleted successfully.
C:\Deckard\System Scanner\backup\WINDOWS deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\WER12.tmp.dir00 deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\200712060011.000 deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\RarSFX0 deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\History\History.IE5 deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\History deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CHIVO5Y7 deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\SBQPCLI5 deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\OHU7S92V deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\YJCXYHM9 deleted successfully.
File delete failed. C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\W155SRE8\click,BTgsAChzAwCXCAgAzdgCAAIAJAAAAP8AAAABCwIACgMcrQMA2gUAAMZkBAAAAAAAAAAAAAAAAAAAAAAAAAAAAHCXJEcAAAAA,,http%3A%2F%2Fwww.blingcheese.com%2Fadv-160-600[1] scheduled to be deleted on reboot.
File delete failed. C:\Deckard\System Scanner\backup\DOCUME~1\Erin\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\W155SRE8\click,BTgsAChzAwD.TwgA2PUCAAIAeAAAAP8AAAABCwIAAgIcrQMAhowEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGSaJEcAAAAA,,http%3A%2F%2Fwww.blingcheese.com%2Fadv-300-250[1] scheduled to be deleted on reboot.
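
A small triage helper for logs in this shape, added here as an example and not part of the thread or of OTMoveIt2: it classifies each line (moved, deleted, not found, or scheduled for deletion on reboot) so a helper can see at a glance which paths still need to be checked after the restart. The line patterns are written from the log posted above; the sample log is constructed.

```python
import re
from collections import Counter

# Line shapes seen in an OTMoveIt2 log (written from the posted log, not from the tool's source)
_HEADER = re.compile(r"^OTMoveIt2 v(?P<ver>\S+) log created on (?P<stamp>\S+)$")
_PATTERNS = [
    ("moved",     re.compile(r"^(?P<path>.+?) moved successfully\.$")),
    ("deleted",   re.compile(r"^(?P<path>.+?) deleted successfully\.$")),
    ("not_found", re.compile(r"^File/Folder (?P<path>.+?) not found\.$")),
    ("pending",   re.compile(r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")),
]

def parse_otmoveit_log(text):
    """Return (header, entries); each entry is (status, path). Unknown lines get status 'unparsed'."""
    header, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        for status, pat in _PATTERNS:
            m = pat.match(line)
            if m:
                entries.append((status, m.group("path")))
                break
        else:
            entries.append(("unparsed", line))
    return header, entries

def summarize(entries):
    """Counts per status plus the paths that still need a post-reboot check."""
    counts = Counter(status for status, _ in entries)
    pending = [path for status, path in entries if status == "pending"]
    return dict(counts), pending

# Constructed sample in the same shape as the log posted above (paths shortened).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\nGpxx01 moved successfully.

OTMoveIt2 v1.0.17 log created on 02052008_114744
File delete failed. C:\Documents and Settings\Erin\Desktop\OTMoveIt2.exe scheduled to be deleted on reboot.
File/Folder C:\combofix.exe not found.
C:\Deckard\System Scanner\backup\WINDOWS\temp deleted successfully.
some stray text
"""

if __name__ == "__main__":
    hdr, ents = parse_otmoveit_log(SAMPLE_LOG)
    counts, pending = summarize(ents)
    print(hdr["ver"], counts)
    for path in pending:
        print("verify after reboot:", path)
```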

chryssi2001
02-05-2008, 11:58 AM
Hi justice,

OTMoveIt2 said it's deleted.

You ran OTMoveIt2 clean up too. That's why you are confused.
It removed DSS and itself.

You don't have OTMoveIt2 on your desktop now do you?
Everything should be running fine now. :)
Please confirm it.

justice_dj23
02-05-2008, 12:01 PM
Hi justice,

OTMoveIt2 said it's deleted.

You ran OTMoveIt2 clean up too. That's why you are confused.
It removed DSS and itself.

You don't have OTMoveIt2 on your desktop now do you?
Everything should be running fine now. :)
Please confirm it.

The OTMoveIt2 is not on the desktop anymore. Will come back if I have any problems with viruses. Thank you very much!!!:)

kern
02-05-2008, 12:07 PM
Justice,
It is frustrating - we know.
Some malware buries itself deep within core system components and is not easy to spot or remove, even for a tech working at the PC. Trying to help from cyberspace makes it even more difficult.
Unfortunately one needs to be patient, and hopefully will learn from this experience.

Rob

kern
02-05-2008, 12:10 PM
Hi justice,

OTMoveIt2 said it's deleted.

You ran OTMoveIt2 clean up too. That's why you are confused.
It removed DSS and itself.

You don't have OTMoveIt2 on your desktop now do you?
Everything should be running fine now. :)
Please confirm it.

The OTMoveIt2 is not on the desktop anymore. Will come back if I have any problems with viruses. Thank you very much!!!:)

Well done Chryssi!

chryssi2001
02-05-2008, 12:20 PM
@ Justice,

Thank you very much!!!
You are welcome! :)

@ Kern,

Well done Chryssi!
Thanks :)