Infected With Worm - Systemerrorfixer

1 reply to this topic

#1 willyob


  • Members
  • 1 posts

Posted 12 April 2008 - 04:05 AM

During search, usually redirected or popup "NOTICE: Your system is not optimized and your computer performance is not at the highest level. Full system optimization will greatly increase your computer's performance and prevent data loss. Would you like to install SystemErrorFixer to optimize your computer's performance now for free? (Recommended)" When cancel out of some redirected sites, receive popup "SystemErrorFixer will scan your system for errors now. Please select "RUN" or "OPEN" when prompted to start the installation. This file has been digitally signed and independently certified as 100% free of viruses, adware and spyware." or the desktop goes completely away and have to Ctrl-Alt-Delete to restart.

Saturday, April 12, 2008 12:50:48 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version:
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 699068

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:

Scan Statistics:
Total number of scanned objects: 51891
Number of viruses found: 11
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 01:03:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\Local Settings\History\History.IE5\MSHist012008041120080412\index.dat Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\Local Settings\Temp\~DF87EF.tmp Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\ntuser.dat Object is locked skipped
C:\Documents and Settings\Linda O'Braitis\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\CKXAKTBA.NQF Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\Program Files\ESET\infected\GI4NLQAA.NQF Infected: not-a-virus:AdWare.Win32.BHO.zc skipped
C:\Program Files\ESET\infected\LQ4ZO2CA.NQF Infected: Trojan-Spy.Win32.Goldun.z skipped
C:\Program Files\ESET\infected\ONNLSFCA.NQF Infected: Trojan-Spy.Win32.Goldun.ms skipped
C:\Program Files\ESET\infected\PFAIQ4AA.NQF Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Program Files\ESET\infected\YG0BCQCA.NQF Infected: Trojan-Spy.Win32.Goldun.ms skipped
C:\Program Files\ESET\infected\ZHL21YDA.NQF/data0006 Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.q skipped
C:\Program Files\ESET\infected\ZHL21YDA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\ZHL21YDA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\ZMIDETDA.NQF Infected: not-a-virus:FraudTool.Win32.BraveSentry.f skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C1CCD08C-8F31-41E2-AD90-3EC48D37B729}\RP165\A0195523.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{C1CCD08C-8F31-41E2-AD90-3EC48D37B729}\RP167\A0195567.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{C1CCD08C-8F31-41E2-AD90-3EC48D37B729}\RP168\A0195625.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{C1CCD08C-8F31-41E2-AD90-3EC48D37B729}\RP172\change.log Object is locked skipped
C:\WIN2000\inet\mail_in.bag\In_park.zip/f22-013.exe Infected: Email-Worm.Win32.Bagle.bq skipped
C:\WIN2000\inet\mail_in.bag\In_park.zip ZIP: infected - 1 skipped
C:\WIN2000\inet\mail_in.bag\setup.rar/SecurityEgold.EXE Infected: Trojan-Spy.Win32.Goldun.z skipped
C:\WIN2000\inet\mail_in.bag\setup.rar RAR: infected - 1 skipped
C:\WIN2000\inet\mail_in.bag\Taxes.rar/Taxes.exe Infected: Email-Worm.Win32.Bagle.cf skipped
C:\WIN2000\inet\mail_in.bag\Taxes.rar ZIP: infected - 1 skipped
C:\WIN2000\inet\mail_in.bag\The_reporting_of_taxes.rar/Taxes.exe Infected: Email-Worm.Win32.Bagle.cf skipped
C:\WIN2000\inet\mail_in.bag\The_reporting_of_taxes.rar ZIP: infected - 1 skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\awtsp.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\bfvqrife.dll Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ehwximfy.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nnnlmnl.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\okaefwla.dll Object is locked skipped
C:\WINDOWS\system32\okkvmlgm.dll Object is locked skipped
C:\WINDOWS\system32\sdmmrpuf.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\syvhrvlc.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Deckard's System Scanner v20071014.68
Run by Linda O'Braitis on 2008-04-12 01:25:05
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
24: 2008-04-12 08:25:12 UTC - RP173 - Deckard's System Scanner Restore Point
23: 2008-04-12 05:55:21 UTC - RP172 - Configured Quicken 2003 New User Edition
22: 2008-04-12 05:50:23 UTC - RP171 - Removed InstallShield Restore Point
21: 2008-04-12 05:46:51 UTC - RP170 - Uninstall 'Beauty or the Beast'
20: 2008-04-11 18:33:00 UTC - RP169 - System Checkpoint

-- First Restore Point --
1: 2008-03-09 19:32:34 UTC - RP150 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 495 MiB (512 MiB recommended).

-- HijackThis (run as Linda O'Braitis.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:36 AM, on 4/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\Linda O'Braitis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5B663EFA-A2B8-489A-A39F-B235AAB99479} - C:\WINDOWS\System32\awtsp.dll
O2 - BHO: (no name) - {79AE735F-9663-4B92-9602-39EB563FA30C} - C:\WINDOWS\System32\nnnlmnl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {0d45ced9-e3e9-94c9-c6e4-98ac5ea2974d} - {d4792ae5-ca89-4e6c-9c49-9e3e9dec54d0} - C:\WINDOWS\System32\syvhrvlc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [BM2f4d4170] Rundll32.exe "C:\WINDOWS\System32\wwbyfekx.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O20 - Winlogon Notify: nnnlmnl - C:\WINDOWS\SYSTEM32\nnnlmnl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of file - 6353 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SrvcEKIOMngr - c:\windows\system32\drivers\ekiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcEPIOMngr - c:\windows\system32\drivers\epiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcTPIOMngr - c:\windows\system32\drivers\tpiomngr.sys
R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
R2 LxrJD31d - c:\windows\system32\drivers\lxrjd31d.sys
R3 EPOWER (Compal E-POWER Driver) - c:\windows\system32\drivers\hkdrv.sys <Not Verified; Compal Electronic Inc.; EPOWER>

S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LxrJD31s (Lexar JD31) - lxrjd31s.exe

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-02-18 10:00:00 304 --a------ C:\WINDOWS\Tasks\The Reader's Edge Updates.job

-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-11 13:38:08 3256 --a------ C:\WINDOWS\System32\tmp.reg
2008-04-11 13:37:38 0 d-------- C:\Program Files\SmitfraudFix
2008-04-11 13:36:58 1308030 --a------ C:\Program Files\SmitfraudFix.exe
2008-04-11 13:02:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-11 13:02:04 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-04-11 09:48:12 86080 --a------ C:\WINDOWS\System32\aubrorym.dll
2008-04-11 09:42:13 95808 --a------ C:\WINDOWS\System32\syvhrvlc.dll
2008-04-11 09:38:17 94784 --a------ C:\WINDOWS\System32\wwbyfekx.dll
2008-03-24 14:50:22 91200 --a------ C:\WINDOWS\System32\sdmmrpuf.dll
2008-03-20 15:40:25 89664 --a------ C:\WINDOWS\System32\bfvqrife.dll
2008-03-12 23:10:50 0 d-------- C:\Program Files\Lavasoft
2008-03-12 23:10:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 23:08:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 17:53:42 89152 --a------ C:\WINDOWS\System32\ehwximfy.dll

-- Find3M Report ---------------------------------------------------------------

2008-04-12 01:26:36 6354 --a------ C:\Program Files\hijackthis.log <HIJACK~1.LOG>
2008-04-12 01:26:08 289111 --ahs---- C:\WINDOWS\System32\pstwa.ini2
2008-04-11 22:58:10 0 d-------- C:\Program Files\Common Files\Real
2008-04-11 22:55:52 0 d-------- C:\Program Files\Quicken
2008-04-11 22:52:06 0 d-------- C:\Program Files\Blaster
2008-04-11 22:50:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-11 22:46:22 0 d-------- C:\Program Files\Common Files\aolshare
2008-04-11 21:19:26 44518 --a------ C:\Program Files\kaspersky linda.html
2008-04-11 13:40:03 4841 --a------ C:\Program Files\smitfraudfix rapport.txt
2008-03-12 23:08:42 0 d-------- C:\Program Files\Common Files
2008-03-09 12:32:21 293376 --a------ C:\WINDOWS\System32\awtsp.dll
2008-03-09 12:27:12 37888 --a------ C:\WINDOWS\System32\nnnlmnl.dll
2008-02-21 17:59:10 0 d-------- C:\Program Files\WinSpyKiller

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B663EFA-A2B8-489A-A39F-B235AAB99479}]
03/09/2008 12:32 PM 293376 --a------ C:\WINDOWS\System32\awtsp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79AE735F-9663-4B92-9602-39EB563FA30C}]
03/09/2008 12:27 PM 37888 --a------ C:\WINDOWS\System32\nnnlmnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4792ae5-ca89-4e6c-9c49-9e3e9dec54d0}]
04/11/2008 09:42 AM 95808 --a------ C:\WINDOWS\System32\syvhrvlc.dll

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [03/30/2002 07:40 AM]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [01/15/2003 06:24 PM]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [01/14/2003 04:52 PM]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [11/25/2002 11:23 AM]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [01/22/2003 06:23 PM]
"@"="" []
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [01/17/2003 09:26 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [10/17/2002 02:21 PM]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [12/17/2002 03:23 PM]
"WLANSTA.EXE"="WLANSTA.exe" [07/03/2002 10:52 PM C:\WINDOWS\system32\WLANSTA.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/07/2004 01:26 PM]
"pdfSaver3"="" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [03/25/2007 11:32 AM]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [07/19/2006 01:03 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 01:03 PM C:\WINDOWS\KHALMNPR.Exe]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [05/01/2007 11:08 PM]
"BM2f4d4170"="C:\WINDOWS\System32\wwbyfekx.dll" [04/11/2008 09:38 AM]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 03:08 PM]
"WinTOTAL Scheduler"="C:\WIN2000\guru.exe" [04/11/2005 09:17 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/06/2004 03:33 PM]
"pdfSaver3"="C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [07/18/2004 10:43 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/23/2007 03:40 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [1/11/2007 9:17:00 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]

"{79AE735F-9663-4B92-9602-39EB563FA30C}"= C:\WINDOWS\System32\nnnlmnl.dll [03/09/2008 12:27 PM 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnlmnl]
nnnlmnl.dll 03/09/2008 12:27 PM 37888 C:\WINDOWS\system32\nnnlmnl.dll

"Authentication Packages"= msv1_0 C:\WINDOWS\System32\awtsp.dll


-- End of Deckard's System Scanner: finished at 2008-04-12 01:27:32 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Mobile Intel® Pentium® 4 - M CPU 2.00GHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 494.42 MiB / 199.65 MiB
Pagefile Memory (total/avail): 1157.47 MiB / 917.92 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.99 MiB

C: is Fixed (NTFS) - 27.95 GiB total, 19.99 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - TOSHIBA MK3021GAS - 27.95 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 27.95 GiB - C:

\\.\PHYSICALDRIVE1 - Kingston DataTraveler 2.0 USB Device - 486.34 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 489.98 MiB - E:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Linda O'Braitis\Application Data
CommonProgramFiles=C:\Program Files\Common Files
HOMEPATH=\Documents and Settings\Linda O'Braitis
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
ProgramFiles=C:\Program Files
USERNAME=Linda O'Braitis
USERPROFILE=C:\Documents and Settings\Linda O'Braitis

-- User Profiles ---------------------------------------------------------------

Linda O'Braitis (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 --> C:\WINDOWS\System32\Macromed\Flash\UninstFl.exe
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
America Online --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AT&T Connection Services Manager --> C:\WINDOWS\WNBackup\WnClient62\unwise32.exe /Z /U C:\WINDOWS\WNBackup\WnClient62\install.log "AT&T Connection Services Manager"
Avance AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Bicycle Board Games --> "C:\Program Files\Microsoft Games\Bicycle Board Games\UNINSTAL.EXE" /runtemp /addremove
CeQuadrat WinOnCD 5.05 Power Edition --> MsiExec.exe /I{DC88820C-64CB-40E9-AA77-E2ECC34368B3}
Dictionary --> C:\WINDOWS\uninst.exe -fC:\Dictionary\DeIsL1.isu -cC:\Dictionary\_ISREG32.DLL
Digital Photo Album 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92042143-F0AC-4507-A68A-77D85F219B3D}\setup.exe" -l0x9
Drag'n Drop CD+DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDC146FA-73E0-4FA1-A353-841EA14BF600}\SETUP.EXE" -l0x9 deleteall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HijackThis 2.0.2 --> "C:\Program Files\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
JD Secure 3.1 --> C:\WINDOWS\System32\JDSecure31.exe /u
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KhalSetup --> MsiExec.exe /I{EE7B9A8D-19F0-450D-8E94-3E391E6044CD}
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Lexmark Z600 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Project Standard 2002 --> MsiExec.exe /I{903A0409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
My Little Pony --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\My Little Pony\Uninst.isu"
NOD32 Antivirus System --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
PDF-XChange 3.0 --> "C:\Program Files\Tracker Software\PDF-XChange 3\unins000.exe"
Photo Explosion SE 2.0 --> MsiExec.exe /X{DD040AAA-F295-492B-AD91-C8DC24488273}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Realtek Fast Ethernet Adapter Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\Setup.exe" -l0x9 REMOVE
The Reader's Edge --> "C:\Documents and Settings\All Users\Application Data\{58725326-38D9-4D40-A287-54F8F0D0D410}\TheReadersEdgeSetup.exe" REMOVE=TRUE MODIFY=FALSE
The Reader's Edge --> C:\Documents and Settings\All Users\Application Data\{58725326-38D9-4D40-A287-54F8F0D0D410}\TheReadersEdgeSetup.exe
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\Setup.exe"
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9
TOSHIBA Hotkey Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{19054939-DBF1-4ED9-B9EB-EF5EA725908F} /l1033
TOSHIBA Power Management Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{46463780-40FD-4929-BDE6-C32BEE15107E} /l1033
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> C:\TOSHIBA\ivp\swupdate\UNWISE.EXE C:\TOSHIBA\ivp\swupdate\INSTALL.LOG
Toshiba Tbiosdrv Driver --> C:\PROGRA~1\Toshiba\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\Toshiba\TOSHIB~1\INSTALL.LOG
TouchPad On/Off Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{12408EED-3F86-4DDD-AE7D-78167031DFDF} /l1033
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type3615 / Error
Event Submitted/Written: 04/11/2008 10:56:03 PM
Event ID/Source: 11905 / MsiInstaller
Event Description:
Product: Quicken 2003 New User Edition -- Error 1905.Module C:\Program Files\Quicken\bpbox.ocx failed to unregister. HRESULT . Contact your support personnel.

Event Record #/Type3495 / Error
Event Submitted/Written: 04/11/2008 01:44:16 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type3494 / Error
Event Submitted/Written: 04/11/2008 01:44:16 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type3386 / Error
Event Submitted/Written: 04/11/2008 09:57:29 AM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (2484) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The delete file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type3385 / Error
Event Submitted/Written: 04/11/2008 09:57:29 AM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (2484) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The delete file operation will fail with error -1032 (0xfffffbf8).

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type692 / Error
Event Submitted/Written: 04/11/2008 01:53:08 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:

Event Record #/Type691 / Error
Event Submitted/Written: 04/11/2008 01:52:31 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:

Event Record #/Type690 / Error
Event Submitted/Written: 04/11/2008 01:50:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:

Event Record #/Type689 / Error
Event Submitted/Written: 04/11/2008 01:45:24 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:

Event Record #/Type688 / Error
Event Submitted/Written: 04/11/2008 01:45:24 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:

-- End of Deckard's System Scanner: finished at 2008-04-12 01:27:32 ------------




#2 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:16 PM

Posted 13 April 2008 - 11:42 PM

Hello willyob,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You need to disable your Eset nod32 Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable NOD32 Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • click it -> click on the Posted Image button.
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the NOD32 Guard.
Please visit this webpage for instructions for downloading and running ComboFix:

To work properly, you must install ComboFix on the Desktop.

 When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT

You DO NOT need to have the Windows CD to install Recovery Console!

When Recovery Console installs correctly, ComboFix will give you a log like this:

[boot loader]
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. Please DO NOT attach any logs, as that makes them hard to read.

Edited by SifuMike, 13 April 2008 - 11:44 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
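
The check implied by the boot.ini excerpt in the post above, as an added example that is not part of the original post or of ComboFix: it parses boot.ini text and confirms that a /cmdcons entry exists while the default boot choice is still Windows. The function names are hypothetical, and the timeout and default lines in the sample are constructed, since the excerpt in the post omits them.

```python
import re

# Constructed sample: the two [operating systems] lines are the ones quoted in
# the post; the timeout/default lines are assumed (the post's excerpt omits them).
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
'''

# One [operating systems] line: <path>="<menu label>" <switches...>
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"\s*(?P<switches>.*)$')

def parse_boot_ini(text):
    """Return (loader_settings, os_entries) parsed from boot.ini text."""
    loader, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
        elif section == 'boot loader' and '=' in line:
            key, value = line.split('=', 1)
            loader[key.strip().lower()] = value.strip()
        elif section == 'operating systems':
            m = ENTRY_RE.match(line)
            if m:
                entries.append({
                    'path': m['path'].strip(),
                    'label': m['label'],
                    'switches': [s.lower() for s in m['switches'].split()],
                })
    return loader, entries

def check_recovery_console(text):
    """Report whether a /cmdcons entry exists and whether it is the default."""
    loader, entries = parse_boot_ini(text)
    console = [e for e in entries if '/cmdcons' in e['switches']]
    default = loader.get('default', '').lower()
    timeout = loader.get('timeout', '')
    return {
        'console_installed': bool(console),
        'console_path': console[0]['path'] if console else None,
        'default_is_console': any(e['path'].lower() == default for e in console),
        'timeout': int(timeout) if timeout.isdigit() else None,
    }
```

On a healthy result `console_installed` is true and `default_is_console` is false, which matches the post's note that the main OS stays selected at the boot menu.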
