Major Issue With Spyware And Viruses


31 replies to this topic

#1 hermanocleas

hermanocleas

  • Members
  • 29 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 26 October 2007 - 12:24 PM

Here's the scenario:

Using WinXP SP2 I am unable to do the following because of these issues:

1. Browse the internet
When I try to access the net to browse to a page it displays a window saying the following: "http://1/ - and doesn't display anything"
2. Install antimalware/spyware apps unless in safe mode (w/o network)
When I try to install apps in regular Windows mode it says the following: "The Windows Installer Service could not be accessed"
3. Access the Control Panel unless in safe mode
When I try to access the Control Panel in regular Windows mode I get a window that says the following: "This operation has been canceled due to restrictions in effect on this computer."

4. A window keeps popping up that says "Critical System Error" in the title bar and then goes on to say "Warning!!! The system is restored after critical error".

I would have posted a hijackthis log but I am unable to easily copy and paste it to this post.

I have run the following tools in safe mode, without success, to try to fix this issue:
AVG antivirus
HijackThis
Vundofix
VirtumundoBegone
Smitfraudfix
ComboFix

I appreciate any advice. For more information on the history of this issue, click this link to view the original post:
http://www.bleepingcomputer.com/forums/ind...mp;#entry647053


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22, on 2007-10-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\shell.exe
C:\WINNT\EXPLORER.EXE
D:\UTILITIES\SPYMALE\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\shell.exe
O4 - HKLM\..\Run: [Printer] C:\WINNT\system32\printer.exe
O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\cmd.exe /c cd /d C:\ComboFix\ & Combobatch.bat
O4 - HKLM\..\Run: [zhosebmx] C:\WINNT\spvxkmrg.exe
O4 - HKLM\..\Run: [wpetox] c:\winnt\system32\joecfub.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\wiwpro.exe reg_run
O4 - HKLM\..\Run: [WinAVX] C:\WINNT\system32\WinAvXX.exe
O4 - HKLM\..\Run: [v78h32X] mlatus40.exe
O4 - HKLM\..\Run: [System32] C:\WINNT\system32\frmwrk.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [sjEbr5zAv] C:\documents and settings\jeffrey fleming\local settings\temp\sjEbr5zAv.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Mprx9Gd] C:\documents and settings\kay fleming\local settings\temp\Mprx9Gd.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINNT\system32\lsasss.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126808973\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [Dynamic Link Loader Access Manager] C:\WINNT\SYSTEM32\dllhost32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AutoLoaderv0rH1MKTLPPP] "C:\WINNT\System32\mlatus40.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AKYFQ] C:\WINNT\AKYFQ.exe
O4 - HKLM\..\Run: [AHN] C:\WINNT\AHN.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINNT\system32\spoolvs.exe
O4 - HKCU\..\Run: [WinUpgrade] "C:\361101032252148093.exe "
O4 - HKCU\..\Run: [WinUpdate] "C:\361101032252149125.exe "
O4 - HKCU\..\Run: [winpack] C:\WINNT\System32\winpack.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [w32topl] "C:\WINNT\system32\w32topl.exe"
O4 - HKCU\..\Run: [shell32] "C:\WINNT\system32\shell32.exe"
O4 - HKCU\..\Run: [serwvdrv] "C:\WINNT\system32\serwvdrv.exe"
O4 - HKCU\..\Run: [routetab] "C:\WINNT\system32\routetab.exe"
O4 - HKCU\..\Run: [qmgr] "C:\WINNT\system32\qmgr.exe"
O4 - HKCU\..\Run: [pngfilt] "C:\WINNT\system32\pngfilt.exe"
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O4 - HKCU\..\Run: [odbcjt32] "C:\WINNT\system32\odbcjt32.exe"
O4 - HKCU\..\Run: [ntshrui] "C:\WINNT\system32\ntshrui.exe"
O4 - HKCU\..\Run: [ntsdexts] "C:\WINNT\system32\ntsdexts.exe"
O4 - HKCU\..\Run: [ntmsdba] "C:\WINNT\system32\ntmsdba.exe"
O4 - HKCU\..\Run: [ntdll] "C:\WINNT\system32\ntdll.exe"
O4 - HKCU\..\Run: [netshell] "C:\WINNT\system32\netshell.exe"
O4 - HKCU\..\Run: [msv1_0] "C:\WINNT\system32\msv1_0.exe"
O4 - HKCU\..\Run: [msnsspc] "C:\WINNT\system32\msnsspc.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mprdim] "C:\WINNT\system32\mprdim.exe"
O4 - HKCU\..\Run: [moricons] "C:\WINNT\system32\moricons.exe"
O4 - HKCU\..\Run: [ltdis11n] "C:\WINNT\system32\ltdis11n.exe"
O4 - HKCU\..\Run: [lffpx70n] "C:\WINNT\system32\lffpx70n.exe"
O4 - HKCU\..\Run: [lffpx7] "C:\WINNT\system32\lffpx7.exe"
O4 - HKCU\..\Run: [langwrbk] "C:\WINNT\system32\langwrbk.exe"
O4 - HKCU\..\Run: [kbdtat] "C:\WINNT\system32\kbdtat.exe"
O4 - HKCU\..\Run: [kbdsmsno] "C:\WINNT\system32\kbdsmsno.exe"
O4 - HKCU\..\Run: [kbdest] C:\WINNT\System32\kbdest.exe
O4 - HKCU\..\Run: [jgaw400] "C:\WINNT\system32\jgaw400.exe"
O4 - HKCU\..\Run: [iyuv_32] "C:\WINNT\system32\iyuv_32.exe"
O4 - HKCU\..\Run: [inetwh32] "C:\WINNT\system32\inetwh32.exe"
O4 - HKCU\..\Run: [hlink] "C:\WINNT\system32\hlink.exe"
O4 - HKCU\..\Run: [eal32] "C:\WINNT\system32\eal32.exe"
O4 - HKCU\..\Run: [dxdiagn] "C:\WINNT\system32\dxdiagn.exe"
O4 - HKCU\..\Run: [dpvvox] "C:\WINNT\system32\dpvvox.exe"
O4 - HKCU\..\Run: [crswpp] "C:\WINNT\system32\crswpp.exe"
O4 - HKCU\..\Run: [bootvid] "C:\WINNT\system32\bootvid.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~3.0\AOL.EXE" -b
O4 - HKCU\..\Run: [adsldp] "C:\WINNT\system32\adsldp.exe"
O4 - HKCU\..\Run: [196_150_ni] C:\WINNT\System32\196_150_ni.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [] (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [WinUpgrade] "C:\361101032252148093.exe " (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [WinUpdate] "C:\361101032252149125.exe " (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [winpack] C:\WINNT\System32\winpack.exe (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [Windows installer] C:\winstall.exe (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [w32topl] "C:\WINNT\system32\w32topl.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [shell32] "C:\WINNT\system32\shell32.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [serwvdrv] "C:\WINNT\system32\serwvdrv.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [routetab] "C:\WINNT\system32\routetab.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [qmgr] "C:\WINNT\system32\qmgr.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [pngfilt] "C:\WINNT\system32\pngfilt.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [odbcjt32] "C:\WINNT\system32\odbcjt32.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [ntshrui] "C:\WINNT\system32\ntshrui.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [ntsdexts] "C:\WINNT\system32\ntsdexts.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [ntmsdba] "C:\WINNT\system32\ntmsdba.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [ntdll] "C:\WINNT\system32\ntdll.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [netshell] "C:\WINNT\system32\netshell.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [msv1_0] "C:\WINNT\system32\msv1_0.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [msnsspc] "C:\WINNT\system32\msnsspc.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [mprdim] "C:\WINNT\system32\mprdim.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [moricons] "C:\WINNT\system32\moricons.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [ltdis11n] "C:\WINNT\system32\ltdis11n.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [lffpx70n] "C:\WINNT\system32\lffpx70n.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [lffpx7] "C:\WINNT\system32\lffpx7.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [langwrbk] "C:\WINNT\system32\langwrbk.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [kbdtat] "C:\WINNT\system32\kbdtat.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [kbdsmsno] "C:\WINNT\system32\kbdsmsno.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [kbdest] C:\WINNT\System32\kbdest.exe (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [jgaw400] "C:\WINNT\system32\jgaw400.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [iyuv_32] "C:\WINNT\system32\iyuv_32.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [inetwh32] "C:\WINNT\system32\inetwh32.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [hlink] "C:\WINNT\system32\hlink.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [eal32] "C:\WINNT\system32\eal32.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [dxdiagn] "C:\WINNT\system32\dxdiagn.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [dpvvox] "C:\WINNT\system32\dpvvox.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [crswpp] "C:\WINNT\system32\crswpp.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [bootvid] "C:\WINNT\system32\bootvid.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~3.0\AOL.EXE" -b (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [adsldp] "C:\WINNT\system32\adsldp.exe" (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-500\..\Run: [196_150_ni] C:\WINNT\System32\196_150_ni.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-971929597-156640315-1538417202-500 Startup: findfast.exe (User '?')
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: xhxo.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O22 - SharedTaskScheduler: dfgjrtt3 - {7A81DF49-1DB8-4db4-B070-AD6758ECBA2A} - (no file)

--
End of file - 11402 bytes
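Added example, not part of the thread or of HijackThis/ComboFix: a small Python triage script for a HijackThis log. It applies three heuristics visible in the log above (a Shell= value that chains a second program after Explorer.exe, a policy that disables regedit, and Run entries that reuse Windows DLL names as .exe files, launch from a temp folder, or are numeric-named files in the drive root) and renders the flagged Run values in the Registry:: form that the helper's CFScript in this thread uses. The heuristics and the short DLL-name list are illustrative assumptions, not a complete detection set.

```python
"""Triage a HijackThis log for the autostart abuses seen in this thread."""
import re
from pathlib import PureWindowsPath

# Lines excerpted from the HijackThis log posted above, used here as sample input.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\shell.exe
O4 - HKLM\..\Run: [Printer] C:\WINNT\system32\printer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sjEbr5zAv] C:\documents and settings\jeffrey fleming\local settings\temp\sjEbr5zAv.exe
O4 - HKCU\..\Run: [ntdll] "C:\WINNT\system32\ntdll.exe"
O4 - HKCU\..\Run: [WinUpgrade] "C:\361101032252148093.exe "
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Genuine Windows DLL base names that the infection above registers as .exe autostarts.
# Illustrative subset (assumption), not a complete list.
SYSTEM_DLL_NAMES = {"ntdll", "shell32", "msv1_0", "hlink", "netshell", "qmgr",
                    "pngfilt", "bootvid", "dxdiagn", "odbcjt32", "ntshrui", "adsldp"}

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Registry keys exactly as they appear in the CFScript posted later in this thread.
HIVE_KEYS = {
    "HKLM": r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    "HKCU": r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
}


def image_path(cmd):
    """Return the executable path from a Run value's command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        # Quoted path; the log shows trailing spaces inside the quotes, so strip them.
        return cmd[1:].split('"', 1)[0].strip()
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def classify_run_entry(cmd):
    """Return a reason string if the Run command matches a heuristic, else None."""
    path = PureWindowsPath(image_path(cmd))
    stem, parts = path.stem.lower(), [p.lower() for p in path.parts]
    if stem in SYSTEM_DLL_NAMES and path.suffix.lower() == ".exe":
        return "Windows DLL name reused as an .exe autostart"
    if "temp" in parts:
        return "autostart launched from a temp directory"
    if len(path.parts) == 2 and stem.isdigit():
        return "numeric-named executable in the drive root"
    return None


def triage(log_text):
    """Return a list of (log line, reason) for every line that matches a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - ") and "Shell=" in line:
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((line, "Shell= is not plain Explorer.exe"))
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append((line, "policy disables the registry editor"))
        else:
            m = O4_RE.match(line)
            if m:
                reason = classify_run_entry(m.group("cmd"))
                if reason:
                    findings.append((line, reason))
    return findings


def cfscript_registry_section(findings):
    """Render flagged HKLM/HKCU Run values as a CFScript Registry:: block ("name"=- deletes)."""
    per_key = {}
    for line, _ in findings:
        m = O4_RE.match(line)
        if not m or m.group("hive") not in HIVE_KEYS:
            continue  # HKUS entries carry a SID and are left for the analyst to resolve
        per_key.setdefault(HIVE_KEYS[m.group("hive")], []).append(m.group("name"))
    out = ["Registry::"]
    for key, names in per_key.items():
        out.append(key)
        out.extend(f'"{name}"=-' for name in names)
    return "\n".join(out)


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
    print(cfscript_registry_section(triage(SAMPLE_LOG)))
```

On the sample above the AVG, Messenger and Printer entries pass untouched; printer.exe is only caught later in the thread by ComboFix, which shows the limits of name-based heuristics.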

#2 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 01 November 2007 - 04:18 PM

hermanocleas

That's quite an infection you have there. It will take a few runs at this to completely remove it, and you may not see much improvement until we are close to the end, so please be patient.

1. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
2. If you are unable to download this tool then please reply.

3. Do you still have combofix and Smitfraud fix on your PC?
Microsoft MVP - Windows Security

#3 hermanocleas

hermanocleas
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 04 November 2007 - 01:57 PM

Hey bamajim, thanks for the reply, I'll detail below everything I've done:

1. I was unable to install SDFix in Normal mode (every time I tried, the "critical system error" message I mentioned in my first post would pop up and effectively kill the install process). I rebooted and tried in Safe mode and it kept freezing (it ran in Safe mode saying "please be patient, this may take up to 10 minutes"; I let it run overnight, came back to it the next day and it still displayed this message. Rebooted into Safe mode, tried running it again and it did the same thing).

2. I do still have those two apps (combofix and smitfraudfix) on the PC.

Edited by hermanocleas, 04 November 2007 - 01:58 PM.


#4 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 05 November 2007 - 08:28 AM

hermanocleas

O.K. Let's run Combofix in Safe Mode, and reply with the results or the combofix.txt log. We need to get some things freed up enough to get the other tools we need.
Microsoft MVP - Windows Security

#5 hermanocleas

hermanocleas
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 05 November 2007 - 11:15 AM

I ran combofix (most recent version) in Safe mode and it came back with the following:

ComboFix 07-11-05.2 - Administrator 2007-11-05 9:52:52.2 - NTFSx86 MINIMAL
Running from: D:\UTILITIES\SPYMALE\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Jeffrey Fleming\Start Menu\Programs\Startup\findfast.exe
C:\WINNT\shell.exe
C:\WINNT\system32\printer.exe
C:\WINNT\system32\spoolvs.exe
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Jeffrey Fleming\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\Jeffrey Fleming\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Jeffrey Fleming\Desktop\Go to Casino.lnk
C:\Documents and Settings\Jeffrey Fleming\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Kay Fleming\Application Data\SSTEM3~1
C:\Documents and Settings\Kay Fleming\My Documents\MANTEC~1
C:\Documents and Settings\Kay Fleming\My Documents\MBOLS~1
C:\Documents and Settings\Kay Fleming\My Documents\YSTEM3~1
C:\Documents and Settings\Kay Fleming\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Kay Fleming\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Kay Fleming\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\appatc~1
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\mcroso~1.net
C:\Program Files\ymbols~1
C:\Program Files\ymbols~1\svchost.exe
C:\WINNT\bar.exe
C:\WINNT\Casino.ico
C:\WINNT\dobe~1
C:\WINNT\Free Online Dating.ico
C:\WINNT\NDNuninstall4_34.exe
C:\WINNT\NDNuninstall4_50.exe
C:\WINNT\NDNuninstall4_80.exe
C:\WINNT\NDNuninstall4_88.exe
C:\WINNT\NDNuninstall4_94.exe
C:\WINNT\NDNuninstall5_20.exe
C:\WINNT\NDNuninstall5_40.exe
C:\WINNT\NDNuninstall5_48.exe
C:\WINNT\NDNuninstall5_64.exe
C:\WINNT\NDNuninstall6_10.exe
C:\WINNT\NDNuninstall6_22.exe
C:\WINNT\NDNuninstall6_30.exe
C:\WINNT\ppatch~1
C:\WINNT\shell.exe
C:\WINNT\Spyware Remover.ico
C:\WINNT\system32\printer.exe
C:\WINNT\system32\rndll3~1.exe
C:\WINNT\system32\sembly~1
C:\WINNT\system32\spoolvs.exe
C:\WINNT\system32\vgactl.cpl
C:\WINNT\system32\vtr.dll
C:\WINNT\system32\wnsapiisv.exe
C:\WINNT\system32\wnsapisv.exe
C:\WINNT\system32\wuauclt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DRIVER
-------\LEGACY_EXAMPLE
-------\LEGACY_RUNTIME




((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-10-24 10:35 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-10-23 16:06 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-23 12:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-23 10:18 <DIR> d-------- C:\WINNT\ERUNT
2007-10-23 09:49 1,050 --a------ C:\WINNT\system32\tmp.reg
2007-10-22 15:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-22 15:36 <DIR> d-------- C:\VundoFix Backups
2007-10-22 13:10 <DIR> d-------- C:\Documents and Settings\Jeffrey Fleming\Application Data\AVG7
2007-10-22 13:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-22 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-22 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-22 09:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-10-22 09:22 <DIR> d-------- C:\WINNT\pss
2007-10-22 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 09:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-22 09:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-10-19 22:44 <DIR> d-------- C:\Program Files\Adsense Helper Object
2007-10-15 22:19 28,679 --------- C:\Program Files\c_setup.exe
2007-10-13 05:55 9,968 --a------ C:\sysvlse.exe
2007-10-13 05:55 7,712 --a------ C:\WINNT\system32\frmwrk.sys
2007-10-10 19:07 14,848 --a------ C:\Program Files\msc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 19:12 --------- d-----w C:\Program Files\America Online 9.0
2007-10-22 19:10 --------- d-----w C:\Program Files\Microsoft Works
2007-10-21 16:55 --------- d-----w C:\Program Files\America Online 8.0a
2007-10-21 04:41 9,728 ----a-w C:\Program Files\hlpsrv.exe
2006-09-22 00:52 21,290,704 ----a-w C:\Program Files\AdbeRdr708_en_US.exe
2005-08-07 03:50 894,976 -c--a-w C:\Program Files\Irfanview.exe
2004-07-05 23:28 47 -c--a-w C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmuknwrd.dll
2004-07-05 23:28 26 -c--a-w C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmcwrd.dll
2004-07-05 12:10 181,723 -c--a-w C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmknwrd.dll
2004-06-29 03:51 186,476 -c--a-w C:\Documents and Settings\Kay Fleming\Application Data\tvmknwrd.dll
2004-05-20 18:58 27 -c--a-w C:\Documents and Settings\Robyn Fleming\Application Data\tvmcwrd.dll
2004-05-20 16:02 152,884 -c--a-w C:\Documents and Settings\Robyn Fleming\Application Data\tvmknwrd.dll
2003-10-27 22:54 134,520 -c--a-w C:\Documents and Settings\Robyn Fleming\Application Data\GDIPFONTCACHEV1.DAT
2004-08-08 04:41:49 499,722 --sh--w C:\WINNT\system32\Cjo9g.exe
2004-08-08 04:41:48 499,722 --sh--w C:\WINNT\system32\Dyf0o5.exe
2004-08-08 04:41:49 499,722 --sh--w C:\WINNT\system32\GmtmB.exe
2004-07-07 19:07:54 458,762 --sh--w C:\WINNT\system32\MliBY92.exe
2006-12-15 03:27:42 253,962 --sh--w C:\WINNT\system32\Nck5Fz9.exe
2006-12-15 03:27:41 253,962 --sh--w C:\WINNT\system32\Pyr0w1A.exe
2006-07-22 02:52:11 253,962 --sh--w C:\WINNT\system32\RbyNMH3.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zhosebmx"="C:\WINNT\spvxkmrg.exe" []
"wpetox"="c:\winnt\system32\joecfub.exe" []
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2007-03-20 16:29]
"v78h32X"="mlatus40.exe" []
"sjEbr5zAv"="C:\documents and settings\jeffrey fleming\local settings\temp\sjEbr5zAv.exe" []
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2007-03-20 16:29]
"NvCplDaemon"="NvQTwk" []
"Mprx9Gd"="C:\documents and settings\kay fleming\local settings\temp\Mprx9Gd.exe" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" []
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []
"HostManager"="C:\Program Files\Common Files\AOL\1126808973\ee\AOLSoftware.exe" [2006-09-25 18:52]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" []
"GWMDMMSG"="GWMDMMSG.exe" []
"EPSON Stylus Photo R200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" []
"Eac_Download"="C:\Program Files\Common Files\eAcceleration\download.exe" []
"Dynamic Link Loader Access Manager"="C:\WINNT\SYSTEM32\dllhost32.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 13:06]
"AutoLoaderv0rH1MKTLPPP"="C:\WINNT\System32\mlatus40.exe" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-03-20 16:29]
"AKYFQ"="C:\WINNT\AKYFQ.exe" []
"AHN"="C:\WINNT\AHN.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpgrade"="C:\361101032252148093.exe" []
"winpack"="C:\WINNT\System32\winpack.exe" []
"w32topl"="C:\WINNT\system32\w32topl.exe" []
"shell32"="C:\WINNT\system32\shell32.exe" []
"serwvdrv"="C:\WINNT\system32\serwvdrv.exe" []
"routetab"="C:\WINNT\system32\routetab.exe" []
"qmgr"="C:\WINNT\system32\qmgr.exe" []
"pngfilt"="C:\WINNT\system32\pngfilt.exe" []
"PestTrap"="C:\Program Files\PestTrap\PestTrap.exe" []
"odbcjt32"="C:\WINNT\system32\odbcjt32.exe" []
"ntshrui"="C:\WINNT\system32\ntshrui.exe" []
"ntsdexts"="C:\WINNT\system32\ntsdexts.exe" []
"ntmsdba"="C:\WINNT\system32\ntmsdba.exe" []
"ntdll"="C:\WINNT\system32\ntdll.exe" []
"netshell"="C:\WINNT\system32\netshell.exe" []
"msv1_0"="C:\WINNT\system32\msv1_0.exe" []
"msnsspc"="C:\WINNT\system32\msnsspc.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"mprdim"="C:\WINNT\system32\mprdim.exe" []
"moricons"="C:\WINNT\system32\moricons.exe" []
"ltdis11n"="C:\WINNT\system32\ltdis11n.exe" []
"lffpx70n"="C:\WINNT\system32\lffpx70n.exe" []
"lffpx7"="C:\WINNT\system32\lffpx7.exe" []
"langwrbk"="C:\WINNT\system32\langwrbk.exe" []
"kbdtat"="C:\WINNT\system32\kbdtat.exe" []
"kbdsmsno"="C:\WINNT\system32\kbdsmsno.exe" []
"kbdest"="C:\WINNT\System32\kbdest.exe" []
"jgaw400"="C:\WINNT\system32\jgaw400.exe" []
"iyuv_32"="C:\WINNT\system32\iyuv_32.exe" []
"inetwh32"="C:\WINNT\system32\inetwh32.exe" []
"hlink"="C:\WINNT\system32\hlink.exe" []
"eal32"="C:\WINNT\system32\eal32.exe" []
"dxdiagn"="C:\WINNT\system32\dxdiagn.exe" []
"dpvvox"="C:\WINNT\system32\dpvvox.exe" []
"crswpp"="C:\WINNT\system32\crswpp.exe" []
"bootvid"="C:\WINNT\system32\bootvid.exe" []
"AOL Fast Start"="C:\PROGRA~1\AMERIC~3.0\AOL.exe" []
"adsldp"="C:\WINNT\system32\adsldp.exe" []
"196_150_ni"="C:\WINNT\System32\196_150_ni.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\OPLIMIT\ocraware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"WANMiniportService"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"shellstyle"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"PictureTaker"=3 (0x3)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"cisvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AudioSrv"=2 (0x2)
"AppMgmt"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"ALG"=3 (0x3)


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\f7dcd08e-c5d2-432c-99c4-10f05bab2a66]
C:\WINNT\system32\bnbdrqc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\f7dcd08e-c5d2-432c-99c4-10f05bab2a66]
C:\WINNT\system32\bnbdrqc.exe
.
Contents of the 'Scheduled Tasks' folder
"2002-10-27 16:48:08 C:\WINNT\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 10:04:48
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = \\?\C:\WINNT\nul.aov
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*ckj = rundll32 \\?\C:\WINNT\nul.aov,vdzynlqzvkxksm

scanning hidden files ...

C:\WINNT\nul.aov 145240 bytes executable
C:\WINNT\gevlh1.dll 94367 bytes executable
**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"*ckj"="rundll32 \\\\?\\C:\\WINNT\\nul.aov,vdzynlqzvkxksm"
.
Completion time: 2007-11-05 10:10:54
.
--- E O F ---

#6 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:05:45 AM

Posted 05 November 2007 - 02:55 PM

hermanocleas

It would be preferable to run this in Normal Windows Mode, but if it will not run then use Safe Mode.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad (not the word code)

File::
C:\Program Files\c_setup.exe
C:\sysvlse.exe
C:\Program Files\msc.exe
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmcwrd.dll
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmknwrd.dll
C:\Documents and Settings\Kay Fleming\Application Data\tvmknwrd.dll
C:\Documents and Settings\Robyn Fleming\Application Data\tvmcwrd.dll
C:\Documents and Settings\Robyn Fleming\Application Data\tvmknwrd.dll
C:\WINNT\system32\Cjo9g.exe
C:\WINNT\system32\Dyf0o5.exe
C:\WINNT\system32\GmtmB.exe
C:\WINNT\system32\MliBY92.exe
C:\WINNT\system32\Nck5Fz9.exe
C:\WINNT\system32\Pyr0w1A.exe
C:\WINNT\system32\RbyNMH3.exe
C:\WINNT\nul.aov
C:\WINNT\gevlh1.dll

Folder::
C:\Program Files\Adsense Helper Object

Catch::
C:\WINNT\system32\frmwrk.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zhosebmx"=-
"wpetox"=-
"v78h32X"=-
"sjEbr5zAv"=-
"Mprx9Gd"=-
"AutoLoaderv0rH1MKTLPPP"=-
"AKYFQ"=-
"AHN"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpgrade"=-
"winpack"=-
"w32topl"=-
"shell32"=-
"serwvdrv"=-
"routetab"=-
"qmgr"=-
"pngfilt"=-
"PestTrap"=-
"odbcjt32"=-
"ntshrui"=-
"ntsdexts"=-
"ntmsdba"=-
"ntdll"=-
"netshell"=-
"msv1_0"=-
"msnsspc"=-
"mprdim"=-
"moricons"=-
"ltdis11n"=-
"lffpx70n"=-
"lffpx7"=-
"langwrbk"=-
"kbdtat"=-
"kbdsmsno"=-
"kbdest"=-
"jgaw400"=-
"iyuv_32"=-
"inetwh32"=-
"hlink"=-
"eal32"=-
"dxdiagn"=-
"dpvvox"=-
"crswpp"=-
"bootvid"=-
"AOL Fast Start"=-
"adsldp"=-
"196_150_ni"=-
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" =- 
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"*ckj "=-

Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again. Do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security

#7 hermanocleas

hermanocleas
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 05 November 2007 - 05:36 PM

Ok, so I restarted the PC (during restart it ran diskcheck to check for inconsistencies) into Normal mode to drop the CFScript file onto the combofix.exe file, and the combofix folder was empty. So I copied the CFScript file onto the desktop, reinstalled Combofix.exe (cause it was missing) and dropped the CFScript file onto it. Combofix ran and here is that log:

ComboFix 07-11-05.2 - Jeffrey Fleming 2007-11-05 16:15:22.4 - NTFSx86
Running from: C:\Documents and Settings\Jeffrey Fleming\Desktop\ComboFix.exe
Command switches used :: A:\CFScript.txt

FILE::
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmcwrd.dll
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmknwrd.dll
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Kay Fleming\Application Data\tvmknwrd.dll
C:\Documents and Settings\Robyn Fleming\Application Data\tvmcwrd.dll
C:\Documents and Settings\Robyn Fleming\Application Data\tvmknwrd.dll
C:\Program Files\c_setup.exe
C:\Program Files\msc.exe
C:\sysvlse.exe
C:\WINNT\gevlh1.dll
C:\WINNT\nul.aov
C:\WINNT\system32\Cjo9g.exe
C:\WINNT\system32\Dyf0o5.exe
C:\WINNT\system32\GmtmB.exe
C:\WINNT\system32\MliBY92.exe
C:\WINNT\system32\Nck5Fz9.exe
C:\WINNT\system32\Pyr0w1A.exe
C:\WINNT\system32\RbyNMH3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmcwrd.dll
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmknwrd.dll
C:\Documents and Settings\Jeffrey Fleming\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Kay Fleming\Application Data\tvmknwrd.dll
C:\Documents and Settings\Robyn Fleming\Application Data\tvmcwrd.dll
C:\Documents and Settings\Robyn Fleming\Application Data\tvmknwrd.dll
C:\Program Files\Adsense Helper Object
C:\Program Files\c_setup.exe
C:\Program Files\msc.exe
C:\sysvlse.exe
C:\WINNT\system32\Cjo9g.exe
C:\WINNT\system32\Dyf0o5.exe
C:\WINNT\system32\GmtmB.exe
C:\WINNT\system32\MliBY92.exe
C:\WINNT\system32\Nck5Fz9.exe
C:\WINNT\system32\Pyr0w1A.exe
C:\WINNT\system32\RbyNMH3.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-10-24 10:35 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-10-23 16:06 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-23 12:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-23 10:18 <DIR> d-------- C:\WINNT\ERUNT
2007-10-23 09:49 1,050 --a------ C:\WINNT\system32\tmp.reg
2007-10-22 15:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-22 15:36 <DIR> d-------- C:\VundoFix Backups
2007-10-22 13:10 <DIR> d-------- C:\Documents and Settings\Jeffrey Fleming\Application Data\AVG7
2007-10-22 13:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-22 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-22 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-22 09:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-10-22 09:22 <DIR> d-------- C:\WINNT\pss
2007-10-22 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 09:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-22 09:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-10-13 05:55 7,712 --a------ C:\WINNT\system32\frmwrk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 21:08 --------- d-----w C:\Program Files\Lavasoft
2007-11-05 21:08 --------- d-----w C:\Documents and Settings\Jeffrey Fleming\Application Data\Lavasoft
2007-10-22 19:12 --------- d-----w C:\Program Files\America Online 9.0
2007-10-22 19:10 --------- d-----w C:\Program Files\Microsoft Works
2007-10-21 16:55 --------- d-----w C:\Program Files\America Online 8.0a
2007-10-21 04:41 9,728 ----a-w C:\Program Files\hlpsrv.exe
2006-09-22 00:52 21,290,704 ----a-w C:\Program Files\AdbeRdr708_en_US.exe
2005-08-07 03:50 894,976 -c--a-w C:\Program Files\Irfanview.exe
2003-10-27 22:54 134,520 -c--a-w C:\Documents and Settings\Robyn Fleming\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" []
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" []
"HostManager"="C:\Program Files\Common Files\AOL\1126808973\ee\AOLSoftware.exe" [2006-09-25 18:52]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" []
"GWMDMMSG"="GWMDMMSG.exe" []
"EPSON Stylus Photo R200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" []
"Eac_Download"="C:\Program Files\Common Files\eAcceleration\download.exe" []
"Dynamic Link Loader Access Manager"="C:\WINNT\SYSTEM32\dllhost32.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 13:06]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" []
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7A81DF49-1DB8-4db4-B070-AD6758ECBA2A}"= C:\WINNT\system32\qqwg.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\OPLIMIT\ocraware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"WANMiniportService"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"shellstyle"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"PictureTaker"=3 (0x3)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"cisvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AudioSrv"=2 (0x2)
"AppMgmt"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"ALG"=3 (0x3)


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\f7dcd08e-c5d2-432c-99c4-10f05bab2a66]
C:\WINNT\system32\bnbdrqc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\f7dcd08e-c5d2-432c-99c4-10f05bab2a66]
C:\WINNT\system32\bnbdrqc.exe
.
Contents of the 'Scheduled Tasks' folder
"2002-10-27 16:48:08 C:\WINNT\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 16:28:39
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = \\?\C:\WINNT\nul.aov

scanning hidden files ...

C:\WINNT\nul.aov 145240 bytes executable
C:\WINNT\gevlh1.dll 94367 bytes executable
IPC error: 2 The system cannot find the file specified.
scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-11-05 16:33:38
C:\ComboFix2.txt ... 2007-11-05 10:11
.
--- E O F ---

#8 bamajim

Posted 06 November 2007 - 08:33 AM

hermanocleas

Better, we still have some work to do.

"Ok, so I restarted the PC (during restart it ran diskcheck to check for inconsistencies)"

Please hold off on running that until we make sure the PC is clean, as it may interfere with some of the fixes we are using.

1. You have a suspicious file I would like to take a look at

Please go HERE

Put your name, and "Bleeping Computer HJT forum".

In the "File to submit" box, click Browse. Using Windows Explorer (right-click on "Start", select "Explore", and you will see the "tree" of file folders in the left side of the window; click on the "+" next to any folder name to expand its contents),
locate the file C:\WINNT\system32\bnbdrqc.exe
In the comments tell them that I asked you to upload the file.
Then select Send File.
Microsoft MVP - Windows Security

#9 hermanocleas (Topic Starter)

Posted 06 November 2007 - 09:24 AM

I am unable to access the internet from the problem machine. Would it be risky to copy this file in question onto a disk and put it on another machine to send from - like the one I'm using to communicate with you right now?

#10 bamajim

Posted 06 November 2007 - 11:00 AM

hermanocleas

No, let's not do that since we don't know if the file is infected or not.

We will handle that another way.

I am unable to access the internet from the problem machine. Would it be risky to copy this file in question onto a disk and put it on another machine to send from - like the one I'm using to communicate with you right now?


We need to get you back online, I was unaware of that problem.

What happens when you try to access IE?

I have noticed that there are some items turned off in msconfig that may be required to connect to IE.

You need to go into msconfig and turn everything back on and post a fresh Hijackthis log.
Microsoft MVP - Windows Security

#11 hermanocleas (Topic Starter)

Posted 06 November 2007 - 11:07 AM

I checked the problem PC and I am unable to locate that file in the c:\WINNT\system32 directory. I ran a search for "bnb" on c:\ and all it came up with was a file in c:\WINNT\prefetch called "BNBDRQC.EXE-3442C56.pf"

#12 hermanocleas (Topic Starter)

Posted 06 November 2007 - 11:39 AM

I changed the startup to Normal mode in MSconfig, restarted, and here's the latest Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:12 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1126808973\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\SIERRA\CardStudio\PLNRnote.exe
c:\program files\common files\aol\1126808973\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1126808973\ee\aolsoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Documents and Settings\Jeffrey Fleming\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126808973\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [Dynamic Link Loader Access Manager] C:\WINNT\SYSTEM32\dllhost32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O15 - Trusted Zone: *.p0rt2.com
O22 - SharedTaskScheduler: dfgjrtt3 - {7A81DF49-1DB8-4db4-B070-AD6758ECBA2A} - C:\WINNT\system32\qqwg.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: shellstyle - Unknown owner - C:\WINNT\system32\shellstyle.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 4406 bytes

#13 bamajim

Posted 06 November 2007 - 12:15 PM

hermanocleas

1. Copy and paste the following into Notepad (not Wordpad):

sc stop shellstyle
sc delete shellstyle

Click File ->> Save as ->> type in cmd.bat. Under "Save as type" select "All files" ->> Save it to your Desktop.
Close Notepad.
The cmd.bat file should now appear on your Desktop (if it saved properly it should appear as a blue box with a gear in the middle of it).
Double-click that file (it will appear that nothing has happened, but that's o.k.).

2. Rerun Hijackthis (scan only) and place a check beside the following entry:

O22 - SharedTaskScheduler: dfgjrtt3 - {7A81DF49-1DB8-4db4-B070-AD6758ECBA2A} - C:\WINNT\system32\qqwg.dll (file missing)

Close all other open windows except Hijackthis and select "Fix checked".

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

And let me know if you are able to access the internet on this PC
Microsoft MVP - Windows Security

#14 hermanocleas (Topic Starter)

Posted 06 November 2007 - 12:58 PM

Hey Bamajim, I am now communicating using the problem PC. Whatever we did seems to have worked. Here is the latest Hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:07 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1126808973\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\SIERRA\CardStudio\PLNRnote.exe
c:\program files\common files\aol\1126808973\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1126808973\ee\aolsoftware.exe
C:\Documents and Settings\Jeffrey Fleming\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126808973\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [Dynamic Link Loader Access Manager] C:\WINNT\SYSTEM32\dllhost32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-971929597-156640315-1538417202-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O15 - Trusted Zone: *.p0rt2.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FDAF100-9F80-4CBF-AF59-8DA41EC174B7}: NameServer = 192.168.1.9
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 4262 bytes
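The two HijackThis logs in this thread were triaged by eye: the orphaned O22/O23 entries whose files are already gone, the *.p0rt2.com Trusted Zone entry, and the O4 run key that launches a "dllhost32.exe" imitating the real dllhost.exe. The script below, an added example that is not part of the thread and not code from HijackThis or its authors, applies those same checks to a log mechanically. The sample log is constructed from lines quoted in the thread plus one O20 AppInit_DLLs line that HijackThis did not show here (catchme reported that value as hidden); the SYSTEM_NAMES list, the private-range test for O17 and the "name plus digits" heuristic are this example's own assumptions, not rules from the thread.

```python
"""Triage a HijackThis 2.x log for the loading points a helper asks about
first.  Added example for this thread; the heuristics are assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Windows binaries whose names malware likes to imitate (assumption: a
# practitioner's working list, not an authoritative one).
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services",
                "dllhost", "explorer", "rundll32", "spoolsv", "smss"}

# RFC 1918 and loopback ranges; an O17 resolver outside these is worth a look.
PRIVATE_NETS = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")

# Sections whose entries are flagged when the target file is already gone.
ORPHAN_SECTIONS = {"O20", "O21", "O22", "O23"}

LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
BINARY_RE = re.compile(r"([^\\/\s\"]+)\.(exe|dll|sys)\b", re.I)

# Constructed sample: lines quoted in the thread plus one O20 line that
# HijackThis did not list here (catchme reported it as hidden).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Dynamic Link Loader Access Manager] C:\WINNT\SYSTEM32\dllhost32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: *.p0rt2.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FDAF100-9F80-4CBF-AF59-8DA41EC174B7}: NameServer = 192.168.1.9
O20 - AppInit_DLLs: C:\WINNT\nul.aov
O22 - SharedTaskScheduler: dfgjrtt3 - {7A81DF49-1DB8-4db4-B070-AD6758ECBA2A} - C:\WINNT\system32\qqwg.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: shellstyle - Unknown owner - C:\WINNT\system32\shellstyle.exe (file missing)
"""


def binary_stem(body):
    """Lower-cased file name (no extension) of the first .exe/.dll/.sys
    mentioned in a log entry, or None if there is none."""
    m = BINARY_RE.search(body)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return the entries worth asking about, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        line = m.group(0)
        if section in ORPHAN_SECTIONS and "(file missing)" in body:
            # Loading point survives although its file was removed.
            findings.append(Finding(section, "orphaned loading point", line))
        elif section == "O15":
            # Sites in the Trusted Zone get relaxed IE security settings.
            findings.append(Finding(section, "site added to Trusted Zone", line))
        elif section == "O17":
            ns = re.search(r"NameServer = ([\d.,]+)", body)
            for ip in (ns.group(1).split(",") if ns else []):
                if not PRIVATE_NETS.match(ip.strip()):
                    findings.append(Finding(section, "resolver outside private ranges", line))
                    break
        elif section == "O20" and "AppInit_DLLs" in body:
            # Anything here is loaded into every process that links user32.dll.
            findings.append(Finding(section, "AppInit_DLLs injection", line))
        elif section == "O4":
            name = binary_stem(body)
            # "dllhost32" is not a system binary, but "dllhost" is.
            if name and name not in SYSTEM_NAMES and re.sub(r"\d+$", "", name) in SYSTEM_NAMES:
                findings.append(Finding(section, "run entry imitates a system binary", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:36} {f.line}")
```

The legitimate rundll32 line and the AVG entries pass through untouched, and the O17 entry is left alone because 192.168.1.9 is a private address; the five hits are exactly the entries the helper asked to fix or watch.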

#15 bamajim

Posted 06 November 2007 - 02:20 PM

hermanocleas

That's good news

Run an online virus scan called Kaspersky from HERE.
1. Click on "Kaspersky Online Scanner".
2. A new smaller window will pop up. Press "Accept" after reading the contents.
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" ->> "Scan Settings", and make sure the database is set to "extended". Check both the scan options. Then click OK.
5. Then click on "My Computer", and the scan will start.
6. When the scan is complete, select "Save error report as".
Then in the file name just type in kaspersky.
Under "Save as type" select text .txt.
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan.
Microsoft MVP - Windows Security



