Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fighting A Losing Battle, I Think I Have Everything Lol


  • This topic is locked This topic is locked
12 replies to this topic

#1 FunderDog

FunderDog

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:34 AM

Posted 10 September 2007 - 08:39 AM

Have had no probs for ages, but had to re-locate for a short while and since going on-line at new place am getting everything despite having Superantispyware and Avast.

Anyway I have def got NOTEPAD.exe and FDA.exe and a whole host of others have disabled the RPC thingy as got fed up with the (your computer will restart in .... seconds) also have a continual attack which Superantispyware manages to block a request to change my homepage to "Hotlinks"

My level of pc literacy is quite high but this spyware/malware stuff is a blackart to me.

Here is my hijack this log after the Superantispyware scan and reboot...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:06, on 10/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system\NOTEPAD.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
E:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\mmdmm.exe
C:\fda.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Davideo-net/web-ot/test.htm
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\Run: [china] C:\fda.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1454471165-2111687655-1801674531-500\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-1454471165-2111687655-1801674531-500 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA011463-56C0-424A-A587-78F3BA7340A6}: NameServer = 62.24.128.17 62.24.128.18
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6314 bytes

====================

Thanks in advance for any help.

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:34 PM

Posted 11 September 2007 - 01:30 PM

Hello FunderDog,

I am SifuMike and I will be helping you. :thumbsup:

You will need to use Internet Explorer for this scan.

Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log and the BitDefender log

Edited by SifuMike, 11 September 2007 - 01:40 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 FunderDog

FunderDog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:34 AM

Posted 11 September 2007 - 06:14 PM

Thankyou so much for coming to my aid, since my inital post i have dabbled out of sheer frustration with less than perfect results, anyway i have carried out your instructions

the bitdefender text , copy n paste onto this forum page was a bit too big so i have ftp'ed it to here...

www.davideodesign.co.uk/bitdef.htm

sorry for this rather unorthodox manner.

the sdfix report as below...


SDFix: Version 1.103

Run by Administrator on 11/09/2007 at 23:37

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\TFTP2556 - Deleted
C:\WINDOWS\system32\TFTP2284 - Deleted
C:\WINDOWS\system32\TFTP3208 - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\mkxmm.exe
C:\System Volume Information\_restore{4812EABF-E6DF-4B6F-BC66-A178790DCFF9}\RP242\A0053765.exe
C:\System Volume Information\_restore{4812EABF-E6DF-4B6F-BC66-A178790DCFF9}\RP244\A0064911.exe
C:\System Volume Information\_restore{4812EABF-E6DF-4B6F-BC66-A178790DCFF9}\RP245\A0064932.exe
C:\System Volume Information\_restore{4812EABF-E6DF-4B6F-BC66-A178790DCFF9}\RP245\A0071170.exe
C:\System Volume Information\_restore{4812EABF-E6DF-4B6F-BC66-A178790DCFF9}\RP245\A0078253.EXE
C:\System Volume Information\_restore{4812EABF-E6DF-4B6F-BC66-A178790DCFF9}\RP245\A0078256.exe
C:\!KillBox\mmdmm.exe
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\WINDOWS\LastGood.Tmp\INF\swflash.inf
C:\WINDOWS\LastGood.Tmp\INF\swflash.PNF

Finished!


and finally the hijackthislog...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46:44, on 11/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Davideo-net/web-ot/test.htm
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA011463-56C0-424A-A587-78F3BA7340A6}: NameServer = 62.24.128.18 62.24.128.17
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6151 bytes


As i type this avast informs me of yet another virus, DAMN

Look forward to your reply.

Best,

David

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:34 PM

Posted 11 September 2007 - 06:20 PM

Hi FunderDog

copy n paste onto this forum page was a bit too big so i have ftp'ed it to here...



Please attach the file to this thread. We use that for big files. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:34 PM

Posted 11 September 2007 - 06:30 PM

Never mind my previous post. I can see your BitDefender log OK. :thumbsup:

Edited by SifuMike, 11 September 2007 - 06:31 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:34 PM

Posted 11 September 2007 - 06:43 PM

Hi David,

I am not seeing any malware in your log, so let's dig deeper.

As i type this avast informs me of yet another virus, DAMN


What is it finding and where is it?

Are you using a firewall?
If not, here are five free firewalls available for personal use. If one conflicts with your system, try another. I use Comodo Firewall.

You Need a (Properly Configured) Firewall
Understanding and Using Firewalls


Comodo Firewall Pro
Comodo Firewall Pro user guide

Sunbelt Kerio Firewall

Outpost Firewall Free

Jetico Personal Firewall

ZoneAlarm
ZoneAlarm Manual http://download.zonelabs.com/bin/media/pdf/ZAP40_manual.pdf


NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Edited by SifuMike, 11 September 2007 - 06:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 FunderDog

FunderDog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:34 AM

Posted 11 September 2007 - 07:54 PM

Sorry i didn't take note its like a reflex now to just press avast's delete infected file button. Altho i do recall it residing in the system32 folder (as always)

I really appreciate all this help. :thumbsup:

Have just installed Zone Alarm as i have heard of this app before here is the combofix and hijackthis log.

ComboFix 07-09-10.6 - "Administrator" 2007-09-12 1:48:00.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.677 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-12 01:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-12 01:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-11 23:36 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-11 21:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-10 21:09 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-09-10 21:09 <DIR> d-------- C:\WINDOWS\nview
2007-09-10 21:08 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-09-10 15:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-09-10 14:38 68,528 --a------ C:\WINDOWS\system32\msv.exe
2007-09-10 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-10 14:19 <DIR> d--hs---- C:\FOUND.001
2007-09-10 11:57 46,080 --ah----- C:\WINDOWS\system32\mkxmm.exe
2007-09-09 21:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-09 21:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-09 21:55 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-09 21:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-09 21:55 1,600 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-09 00:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-09 00:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 00:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 00:21 155,648 --a------ C:\WINDOWS\system32\adadix32.dll
2007-09-08 00:21 143,360 --a------ C:\WINDOWS\adiras.exe
2007-09-08 00:21 127,065 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys
2007-09-08 00:20 50,007 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-09-08 00:20 46,892 --a------ C:\WINDOWS\system32\adadix16.dll
2007-09-08 00:20 4,981 --a------ C:\WINDOWS\system32\adadix2k.dll
2007-09-08 00:20 24,576 --a------ C:\WINDOWS\enddisk32.exe
2007-09-08 00:20 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin
2007-09-08 00:20 143,360 --a------ C:\WINDOWS\system32\coclassfast.dll
2007-09-08 00:20 143,360 --a------ C:\WINDOWS\autoclk.exe
2007-09-08 00:20 127,456 --a------ C:\WINDOWS\system32\ipdetect.exe
2007-09-08 00:20 114,688 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-09-08 00:20 <DIR> d-------- C:\Program Files\SAGEM
2007-09-08 00:16 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-09-05 00:59 <DIR> d-------- C:\MoTemp
2007-08-24 03:52 <DIR> d-------- C:\hed-fire
2007-08-24 01:45 <DIR> d-------- C:\fumer3
2007-08-24 01:22 <DIR> d-------- C:\FumeFX8098674
2007-08-18 03:09 <DIR> d-------- C:\Program Files\DCPFLICS
2007-08-18 01:08 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-08-18 01:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 01:36 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-12 01:36 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-12 01:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-12 01:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-12 01:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-12 01:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-08 00:21 23 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg
2007-09-06 11:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 11:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 11:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 11:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 11:00 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 11:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-10 22:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-09 20:08 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Download Manager
2007-06-29 00:43 8466432 --------- C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --------- C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6807328 --a------ C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-06-29 00:43 5690624 --------- C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --------- C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --------- C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 335872 --a------ C:\WINDOWS\system32\nvwrses.dll
2007-06-29 00:43 335872 --a------ C:\WINDOWS\system32\nvwrsel.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 327680 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2007-06-29 00:43 327680 --a------ C:\WINDOWS\system32\nvwrsesm.dll
2007-06-29 00:43 327680 --a------ C:\WINDOWS\system32\nvrshe.dll
2007-06-29 00:43 327680 --a------ C:\WINDOWS\system32\nvrsar.dll
2007-06-29 00:43 323584 --a------ C:\WINDOWS\system32\nvwrspt.dll
2007-06-29 00:43 323584 --a------ C:\WINDOWS\system32\nvwrsit.dll
2007-06-29 00:43 319488 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2007-06-29 00:43 319488 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2007-06-29 00:43 315392 --a------ C:\WINDOWS\system32\nvwrsru.dll
2007-06-29 00:43 315392 --a------ C:\WINDOWS\system32\nvwrshu.dll
2007-06-29 00:43 311296 --a------ C:\WINDOWS\system32\nvwrsde.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 303104 --a------ C:\WINDOWS\system32\nvwrstr.dll
2007-06-29 00:43 303104 --a------ C:\WINDOWS\system32\nvwrssl.dll
2007-06-29 00:43 303104 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2007-06-29 00:43 299008 --a------ C:\WINDOWS\system32\nvwrssk.dll
2007-06-29 00:43 299008 --a------ C:\WINDOWS\system32\nvwrsno.dll
2007-06-29 00:43 294912 --a------ C:\WINDOWS\system32\nvwrssv.dll
2007-06-29 00:43 294912 --a------ C:\WINDOWS\system32\nvwrspl.dll
2007-06-29 00:43 294912 --a------ C:\WINDOWS\system32\nvwrsda.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvwrseng.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvwrscs.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 282624 --a------ C:\WINDOWS\system32\nvwrsar.dll
2007-06-29 00:43 282624 --a------ C:\WINDOWS\system32\nvrsfr.dll
2007-06-29 00:43 282624 --a------ C:\WINDOWS\system32\nvrses.dll
2007-06-29 00:43 282624 --a------ C:\WINDOWS\system32\nvrsel.dll
2007-06-29 00:43 278528 --a------ C:\WINDOWS\system32\nvwrshe.dll
2007-06-29 00:43 278528 --a------ C:\WINDOWS\system32\nvrsit.dll
2007-06-29 00:43 278528 --a------ C:\WINDOWS\system32\nvrsde.dll
2007-06-29 00:43 274432 --a------ C:\WINDOWS\system32\nvrspt.dll
2007-06-29 00:43 274432 --a------ C:\WINDOWS\system32\nvrsnl.dll
2007-06-29 00:43 274432 --a------ C:\WINDOWS\system32\nvrsesm.dll
2007-06-29 00:43 270336 --a------ C:\WINDOWS\system32\nvrsru.dll
2007-06-29 00:43 266240 --a------ C:\WINDOWS\system32\nvrsptb.dll
2007-06-29 00:43 266240 --a------ C:\WINDOWS\system32\nvrsja.dll
2007-06-29 00:43 262144 --a------ C:\WINDOWS\system32\nvrsko.dll
2007-06-29 00:43 258048 --a------ C:\WINDOWS\system32\nvrstr.dll
2007-06-29 00:43 258048 --a------ C:\WINDOWS\system32\nvrssl.dll
2007-06-29 00:43 258048 --a------ C:\WINDOWS\system32\nvrssk.dll
2007-06-29 00:43 258048 --a------ C:\WINDOWS\system32\nvrshu.dll
2007-06-29 00:43 253952 --a------ C:\WINDOWS\system32\nvrssv.dll
2007-06-29 00:43 253952 --a------ C:\WINDOWS\system32\nvrspl.dll
2007-06-29 00:43 253952 --a------ C:\WINDOWS\system32\nvrsno.dll
2007-06-29 00:43 253952 --a------ C:\WINDOWS\system32\nvrsda.dll
2007-06-29 00:43 249856 --a------ C:\WINDOWS\system32\nvrsfi.dll
2007-06-29 00:43 249856 --a------ C:\WINDOWS\system32\nvrscs.dll
2007-06-29 00:43 245760 --a------ C:\WINDOWS\system32\nvrseng.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 225280 --a------ C:\WINDOWS\system32\nvrszhc.dll
2007-06-29 00:43 212992 --a------ C:\WINDOWS\system32\nvwrsja.dll
2007-06-29 00:43 196608 --a------ C:\WINDOWS\system32\nvwrsko.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 167936 --a------ C:\WINDOWS\system32\nvwrszht.dll
2007-06-29 00:43 163840 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16]
"ashMaiSv"="C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe" [2007-09-06 11:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 01:50]
"NexusServer"="C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" [2004-04-28 01:41]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-12-21 13:24]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-06-29 00:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-09-08 23:27]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"Steam"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security"=C:\WINDOWS\System32\NSecurity.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]

C:\DOCUME~1\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S4 NOTEPAD;NOTEPAD;"C:\WINDOWS\system\NOTEPAD.exe"

*Newly Created Service* - SRESCAN
*Newly Created Service* - VSMON
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 01:48:55
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-12 1:49:24
C:\ComboFix-quarantined-files.txt ... 2007-09-12 01:49
C:\ComboFix3.txt ... 2007-09-09 21:02
C:\ComboFix2.txt ... 2007-09-10 17:32
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:49:59, on 12/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
E:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Davideo-net/web-ot/test.htm
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA011463-56C0-424A-A587-78F3BA7340A6}: NameServer = 62.24.128.17 62.24.128.18
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 6527 bytes


Best

David

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:34 PM

Posted 11 September 2007 - 08:47 PM

Hi David,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\mkxmm.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next file:

C:\WINDOWS\autoclk.exe


Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 FunderDog

FunderDog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:34 AM

Posted 11 September 2007 - 10:22 PM

The plot thickens, what kind of people write this stuff, what do they hope to gain from all this malarkey.


File mkxmm.exe received on 09.12.2007 05:05:56 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 9/32 (28.13%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 43 and 62 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.12 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.12 Trojan.Poebot-36
DrWeb 4.33 2007.09.11 BackDoor.IRC.Sdbot.901
eSafe 7.0.15.0 2007.09.11 -
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.12 -
F-Prot 4.3.2.48 2007.09.12 -
F-Secure 6.70.13030.0 2007.09.11 W32/Poebot.ATP
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2522 2007.09.11 -
Norman 5.80.02 2007.09.11 W32/Poebot.ATP
Panda 9.0.0.4 2007.09.11 Bck/Poebot.LI
Prevx1 V2 2007.09.12 -
Rising 19.40.20.00 2007.09.12 -
Sophos 4.21.0 2007.09.12 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 BackDoor.IRC.Sdbot.901
VirusBuster 4.3.26:9 2007.09.11 Worm.RBot.JKP
Webwasher-Gateway 6.0.1 2007.09.12 Win32.Malware.gen (suspicious)
Additional information
File size: 46080 bytes
MD5: 77d8868ceda13f41f1581d39ca139a41
SHA1: 81bb1dff714b328061fb4ca2539624d05c67862c


File autoclk.exe received on 09.12.2007 05:12:51 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 43 and 62 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.12 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 -
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 -
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.12 -
F-Prot 4.3.2.48 2007.09.12 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2523 2007.09.12 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 -
Prevx1 V2 2007.09.12 -
Rising 19.40.20.00 2007.09.12 -
Sophos 4.21.0 2007.09.12 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 -
Additional information
File size: 143360 bytes
MD5: ba0870d00030195642a4371bfbb44600
SHA1: 7e5d1a6784b44ca3a7ef91de2faeb3e43e82f978

Best

David

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:34 PM

Posted 11 September 2007 - 10:38 PM

Hi David,

Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\mkxmm.exe



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt, a new HijackThis log and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 FunderDog

FunderDog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:34 AM

Posted 12 September 2007 - 06:35 PM

Hi, I though i would wait a short while till i replied to acertain the overall condition of my machine and am glad to say it seems to be back to the good old days again yippee (unless you spot something on the reports below GULP!)

Thanks ever so much for taking the time and having the patience to talk (type?) me thru such an awful PC mess it was either you or a complete re-install which is something i dread as all my Pro software for video creation is all setup.

A million and 1 thanks

if something did pop back up say in about a week would i start a new thread or just reply to this?

Anyhow thanks millions

Best

David

logs below...

ComboFix 07-09-10.6 - "Administrator" 2007-09-12 11:06:49.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.647 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\mkxmm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mkxmm.exe


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-12 03:56 <DIR> d--hs---- C:\FOUND.003
2007-09-12 02:38 507,392 -r-hs---- C:\WINDOWS\wuaurpl.exe
2007-09-12 02:06 <DIR> d--hs---- C:\FOUND.002
2007-09-12 01:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-12 01:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-11 23:36 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-11 21:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-10 21:09 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-09-10 21:09 <DIR> d-------- C:\WINDOWS\nview
2007-09-10 21:08 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-09-10 15:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-09-10 14:38 68,528 --a------ C:\WINDOWS\system32\msv.exe
2007-09-10 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-10 14:19 <DIR> d--hs---- C:\FOUND.001
2007-09-09 21:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-09 21:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-09 21:55 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-09 21:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-09 21:55 1,600 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-09 00:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-09 00:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 00:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 00:21 155,648 --a------ C:\WINDOWS\system32\adadix32.dll
2007-09-08 00:21 143,360 --a------ C:\WINDOWS\adiras.exe
2007-09-08 00:21 127,065 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys
2007-09-08 00:20 50,007 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-09-08 00:20 46,892 --a------ C:\WINDOWS\system32\adadix16.dll
2007-09-08 00:20 4,981 --a------ C:\WINDOWS\system32\adadix2k.dll
2007-09-08 00:20 24,576 --a------ C:\WINDOWS\enddisk32.exe
2007-09-08 00:20 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin
2007-09-08 00:20 143,360 --a------ C:\WINDOWS\system32\coclassfast.dll
2007-09-08 00:20 143,360 --a------ C:\WINDOWS\autoclk.exe
2007-09-08 00:20 127,456 --a------ C:\WINDOWS\system32\ipdetect.exe
2007-09-08 00:20 114,688 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-09-08 00:20 <DIR> d-------- C:\Program Files\SAGEM
2007-09-08 00:16 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-09-05 00:59 <DIR> d-------- C:\MoTemp
2007-08-24 03:52 <DIR> d-------- C:\hed-fire
2007-08-24 01:45 <DIR> d-------- C:\fumer3
2007-08-24 01:22 <DIR> d-------- C:\FumeFX8098674
2007-08-18 03:09 <DIR> d-------- C:\Program Files\DCPFLICS
2007-08-18 01:08 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-08-18 01:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 01:36 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-12 01:36 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-12 01:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-12 01:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-12 01:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-12 01:36 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-08 00:21 23 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg
2007-09-06 11:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 11:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 11:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 11:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 11:00 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 11:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-10 22:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-09 20:08 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Download Manager
2007-06-29 00:43 8466432 --------- C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --------- C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6807328 --a------ C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-06-29 00:43 5690624 --------- C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --------- C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --------- C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 335872 --a------ C:\WINDOWS\system32\nvwrses.dll
2007-06-29 00:43 335872 --a------ C:\WINDOWS\system32\nvwrsel.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 327680 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2007-06-29 00:43 327680 --a------ C:\WINDOWS\system32\nvwrsesm.dll
2007-06-29 00:43 327680 --a------ C:\WINDOWS\system32\nvrshe.dll
2007-06-29 00:43 327680 --a------ C:\WINDOWS\system32\nvrsar.dll
2007-06-29 00:43 323584 --a------ C:\WINDOWS\system32\nvwrspt.dll
2007-06-29 00:43 323584 --a------ C:\WINDOWS\system32\nvwrsit.dll
2007-06-29 00:43 319488 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2007-06-29 00:43 319488 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2007-06-29 00:43 315392 --a------ C:\WINDOWS\system32\nvwrsru.dll
2007-06-29 00:43 315392 --a------ C:\WINDOWS\system32\nvwrshu.dll
2007-06-29 00:43 311296 --a------ C:\WINDOWS\system32\nvwrsde.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 303104 --a------ C:\WINDOWS\system32\nvwrstr.dll
2007-06-29 00:43 303104 --a------ C:\WINDOWS\system32\nvwrssl.dll
2007-06-29 00:43 303104 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2007-06-29 00:43 299008 --a------ C:\WINDOWS\system32\nvwrssk.dll
2007-06-29 00:43 299008 --a------ C:\WINDOWS\system32\nvwrsno.dll
2007-06-29 00:43 294912 --a------ C:\WINDOWS\system32\nvwrssv.dll
2007-06-29 00:43 294912 --a------ C:\WINDOWS\system32\nvwrspl.dll
2007-06-29 00:43 294912 --a------ C:\WINDOWS\system32\nvwrsda.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvwrseng.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvwrscs.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 282624 --a------ C:\WINDOWS\system32\nvwrsar.dll
2007-06-29 00:43 282624 --a------ C:\WINDOWS\system32\nvrsfr.dll
2007-06-29 00:43 282624 --a------ C:\WINDOWS\system32\nvrses.dll
2007-06-29 00:43 282624 --a------ C:\WINDOWS\system32\nvrsel.dll
2007-06-29 00:43 278528 --a------ C:\WINDOWS\system32\nvwrshe.dll
2007-06-29 00:43 278528 --a------ C:\WINDOWS\system32\nvrsit.dll
2007-06-29 00:43 278528 --a------ C:\WINDOWS\system32\nvrsde.dll
2007-06-29 00:43 274432 --a------ C:\WINDOWS\system32\nvrspt.dll
2007-06-29 00:43 274432 --a------ C:\WINDOWS\system32\nvrsnl.dll
2007-06-29 00:43 274432 --a------ C:\WINDOWS\system32\nvrsesm.dll
2007-06-29 00:43 270336 --a------ C:\WINDOWS\system32\nvrsru.dll
2007-06-29 00:43 266240 --a------ C:\WINDOWS\system32\nvrsptb.dll
2007-06-29 00:43 266240 --a------ C:\WINDOWS\system32\nvrsja.dll
2007-06-29 00:43 262144 --a------ C:\WINDOWS\system32\nvrsko.dll
2007-06-29 00:43 258048 --a------ C:\WINDOWS\system32\nvrstr.dll
2007-06-29 00:43 258048 --a------ C:\WINDOWS\system32\nvrssl.dll
2007-06-29 00:43 258048 --a------ C:\WINDOWS\system32\nvrssk.dll
2007-06-29 00:43 258048 --a------ C:\WINDOWS\system32\nvrshu.dll
2007-06-29 00:43 253952 --a------ C:\WINDOWS\system32\nvrssv.dll
2007-06-29 00:43 253952 --a------ C:\WINDOWS\system32\nvrspl.dll
2007-06-29 00:43 253952 --a------ C:\WINDOWS\system32\nvrsno.dll
2007-06-29 00:43 253952 --a------ C:\WINDOWS\system32\nvrsda.dll
2007-06-29 00:43 249856 --a------ C:\WINDOWS\system32\nvrsfi.dll
2007-06-29 00:43 249856 --a------ C:\WINDOWS\system32\nvrscs.dll
2007-06-29 00:43 245760 --a------ C:\WINDOWS\system32\nvrseng.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 225280 --a------ C:\WINDOWS\system32\nvrszhc.dll
2007-06-29 00:43 212992 --a------ C:\WINDOWS\system32\nvwrsja.dll
2007-06-29 00:43 196608 --a------ C:\WINDOWS\system32\nvwrsko.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 167936 --a------ C:\WINDOWS\system32\nvwrszht.dll
2007-06-29 00:43 163840 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-12_ 14907.71 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 16,384 2007-09-12 01:38:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-12 01:38:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 16,384 2007-09-12 01:38:40 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 833,248 2007-09-12 00:58:08 C:\WINDOWS\system32\ZoneLabs\updating.dll
----a-w 16,384 2007-09-12 01:07:02 C:\WINDOWS\Temp\Perflib_Perfdata_5b8.dat
----a-w 16,384 2007-09-12 01:22:02 C:\WINDOWS\Temp\Perflib_Perfdata_5b4.dat
----a-w 16,384 2007-09-12 02:55:06 C:\WINDOWS\Temp\Perflib_Perfdata_574.dat
.
----a-w 16,384 2007-09-10 13:38:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-10 13:38:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 16,384 2007-09-10 13:38:38 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 833,520 2006-10-28 02:03:16 C:\WINDOWS\system32\ZoneLabs\updating.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16]
"ashMaiSv"="C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe" [2007-09-06 11:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 01:50]
"NexusServer"="C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" [2004-04-28 01:41]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-12-21 13:24]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-06-29 00:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-09-08 23:27]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"Steam"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security"=C:\WINDOWS\System32\NSecurity.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]

C:\DOCUME~1\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 Local Service;Local Service;"C:\WINDOWS\wuaurpl.exe"
S4 NOTEPAD;NOTEPAD;"C:\WINDOWS\system\NOTEPAD.exe"

*Newly Created Service* - LOCAL_SERVICE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 11:07:56
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

C:\WINDOWS\wuaurpl.exe [1856] 0x8660ADA8


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-12 11:08:54
C:\ComboFix-quarantined-files.txt ... 2007-09-12 11:08
C:\ComboFix2.txt ... 2007-09-12 01:49
C:\ComboFix3.txt ... 2007-09-10 17:32
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:08, on 12/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Davideo-net/web-ot/test.htm
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 6335 bytes


:thumbsup:

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:34 PM

Posted 12 September 2007 - 08:31 PM

Hi David,

Your Hijackthis log looks clean, as does the ComboFix log! :thumbsup:

Good job on the cleanup!

Thanks ever so much for taking the time and having the patience to talk (type?) me thru such an awful PC mess it was either you or a complete re-install which is something i dread as all my Pro software for video creation is all setup.

A million and 1 thanks


Your welcome. :flowers:


Please find and delete the following:
SDFix
Combofix
C:\QOOBOX
C:\Combofix



Let's reset you files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 12 September 2007 - 08:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:34 PM

Posted 20 September 2007 - 04:08 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users