Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Srosa And Others? Cannot Run Because Invalid Win 32 Applications


  • Please log in to reply
7 replies to this topic

#1 belzie

belzie

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 12 April 2008 - 11:05 AM

Hello

I hope somebody can help me...... I have srosa virus or trojan. Computer intermittently goes to BSOD with srosa message. I cannot delete srosa.sys, some other files like wintems and hlddr or simlar named files will not let me delete them. I cannot enter safe mode. I cannot run my usual spyware program spybot because invalid win32 application

I have logs from DSS as below

Deckard's System Scanner v20071014.68
Run by Nicky West on 2008-04-12 16:24:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-12 15:24:38 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.83 GiB (less than 15%) free.


-- HijackThis (run as Nicky West.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:37:36, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\system32\rundll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\IEInspector\HTTPAnalyzerFullV3\InjectWinSockServiceV3.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Executive Software\Diskeeper\DfrgNTFS.exe
C:\Program Files\Executive Software\Diskeeper\DkIcon.exe
C:\Download\dss\dss.exe
C:\MGTools\Nicky West.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {8F60F604-0C35-4AA8-BDD8-8A24E4081B3A} - (no file)
O2 - BHO: (no name) - {DD68BA3A-0C04-48A9-A828-F222E1A744Ba} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: (no name) - {4A9F59C8-FFAB-44F3-B681-392C04D44986} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\Windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Betfair enable instant betting - file://C:\Betfair Scripts\InstantBetting.htm
O8 - Extra context menu item: Betfair enable instant betting (set odds) - file://C:\Betfair Scripts\InstantBettingWithOdds.htm
O8 - Extra context menu item: Betfair lay field - file://C:\Betfair Scripts\LayField.htm
O8 - Extra context menu item: Betfair Refresh - file://C:\Betfair Scripts\BetfairRefresh.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Captain Cooks Poker - {3545A8F5-EE6B-4c4a-AD88-9C437639A73D} - C:\Program Files\captaincooksMPP\MPPoker.exe
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: IE HTTPAnalyzer V3 - {3B28142E-6D05-47AB-A263-0556C785EBB4} - C:\PROGRA~1\IEINSP~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTPAnalyzer V3 - {3B28142E-6D05-47AB-A263-0556C785EBB4} - C:\PROGRA~1\IEINSP~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: 32Red Poker - {437F7F6F-FFCC-47e1-8A4B-C992493CF6C3} - C:\Program Files\32RedMPP\MPPoker.exe
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Windows\System32\shdocvw.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: 7Sultans Poker - {FD7CF1CF-331A-4d9e-A3D8-82BC1B1861DA} - C:\Program Files\7SultansMPP\MPPoker.exe
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51460969-12A7-4B97-A76B-6BC9F3795DD7}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~2\GOEC62~1.DLL ,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HttpAnalyzerV3 CodeHook service (HttpAnalyzerV3 DllInjectService) - Unknown owner - C:\Program Files\IEInspector\HTTPAnalyzerFullV3\InjectWinSockServiceV3.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

--
End of file - 13841 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 pxark - c:\windows\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 NetworkX - c:\windows\system32\ckldrv.sys
R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 procguard - c:\windows\system32\drivers\procguard.sys <Not Verified; DiamondCS; DiamondCS ProcessGuard>
R2 wg3n (SyGate for NT, wg3n) - c:\windows\system32\drivers\wg3n.sys <Not Verified; Sygate Technologies, Inc.; Sygate WGXN>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 AEC671X - c:\windows\system32\drivers\aec671x.sys <Not Verified; Acard Technology Corp.; Acard® AEC-671X PCI Ultra/W SCSC-3 Controller>
S1 DMX3191 - c:\windows\system32\drivers\dmx3191.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
S2 P32LOAD (Intel® AnyPoint® 3240 USB Modem Firmware Loader) - c:\windows\system32\drivers\p31usbld.sys <Not Verified; Intel Inc.; Intel USB ADSL Firmware Loader>
S2 tmcomm - c:\windows\system32\drivers\tmcomm.sys <Not Verified; Trend Micro Inc.; ActiveClean>
S2 UDNT - c:\windows\system32\drivers\udnt.sys
S3 RT73 (Belkin Wireless G Plus MIMO USB Network Adapter Driver) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CSIScanner - "c:\program files\prevxcsi\\prevxcsi.exe" /service <Not Verified; Prevx; Prevx CSI>
R2 DCSPGSRV (DiamondCS Process Guard Service v3.000) - "c:\program files\processguard\dcsuserprot.exe" <Not Verified; DiamondCS; DiamondCS Usermode Aspect>
R2 Diskeeper - c:\program files\executive software\diskeeper\dkservice.exe <Not Verified; Executive Software International, Inc.; Diskeeper ™ Disk Defragmenter>

S3 SandraDataSrv (Sandra Data Service) - c:\program files\sisoftware\sisoftware sandra lite 2007\win32\rpcdatasrv.exe <Not Verified; SiSoftware; SiSoftware Sandra 2007 pre-SP1>
S3 SandraTheSrv (Sandra Service) - c:\program files\sisoftware\sisoftware sandra lite 2007\rpcsandrasrv.exe <Not Verified; SiSoftware; SiSoftware Sandra 2007 pre-SP1>
S4 nhksrv (Netropa NHK Server) - c:\program files\netropa\multimedia keyboard\nhksrv.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-12 13:37:17 326 --a------ C:\Windows\Tasks\HP Usg Daily.job
2005-09-26 00:33:25 310 --a------ C:\Windows\Tasks\XoftSpy.job


-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-11 22:54:19 10880 --a------ C:\Windows\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2008-04-11 22:54:19 0 d-------- C:\Program Files\PrevxCSI
2008-04-11 22:54:12 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-03-25 02:00:21 0 d-------- C:\Documents and Settings\Nicky West\Application Data\Move Networks
2008-03-19 14:57:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-19 14:56:53 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-19 14:56:53 0 d-------- C:\Documents and Settings\Nicky West\Application Data\SUPERAntiSpyware.com
2008-03-19 14:50:27 11254 --a------ C:\Windows\system32\locate.com
2008-03-19 14:48:47 0 d-------- C:\MGtools
2008-03-19 14:47:39 0 d-------- C:\Windows\MGtools
2008-03-19 14:13:24 0 dr-h----- C:\Documents and Settings\Nicky West\Recent
2008-03-19 14:05:26 0 d-------- C:\Windows\pss
2008-03-19 14:04:01 0 d-------- C:\Program Files\InCode Solutions
2008-03-19 12:59:24 19248 --a------ C:\Windows\system32\drivers\rspsc32.sys <Not Verified; Resplendence Software Projects Sp.; RootKit Hook Analyzer>
2008-03-19 12:59:24 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-03-19 01:34:28 0 --a------ C:\Windows\system32\pguard.dat
2008-03-19 01:34:28 25976 --a------ C:\Windows\system32\pghash.dat
2008-03-19 01:29:36 106496 --a------ C:\Windows\system32\procguard.dll
2008-03-19 01:29:36 24911 --a------ C:\Windows\system32\drivers\procguard.sys <Not Verified; DiamondCS; DiamondCS ProcessGuard>
2008-03-19 01:29:34 0 d-------- C:\Program Files\ProcessGuard
2008-03-18 17:13:19 0 d-------- C:\Windows\BDOSCAN8
2008-03-17 14:15:41 0 d-------- C:\Program Files\Spyware Doctor
2008-03-17 14:15:41 0 d-------- C:\Documents and Settings\Nicky West\Application Data\PC Tools
2008-03-17 12:31:57 91700 --a------ C:\Windows\system32\drivers\klin.dat
2008-03-17 12:31:57 85860 --a------ C:\Windows\system32\drivers\klick.dat
2008-03-17 12:30:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-17 12:09:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-03-16 13:57:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-16 13:57:32 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-03-16 00:50:35 0 d-------- C:\Program Files\CopperheadAntiSpyware


-- Find3M Report ---------------------------------------------------------------

2008-04-12 16:32:46 0 d-------- C:\Documents and Settings\Nicky West\Application Data\Skype
2008-04-12 13:11:23 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-04-12 12:08:28 0 d-------- C:\Program Files\FreshDevices
2008-04-12 12:05:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 12:05:27 0 d-------- C:\Documents and Settings\Nicky West\Application Data\Adobe
2008-04-12 11:32:36 0 d-------- C:\Documents and Settings\Nicky West\Application Data\skypePM
2008-04-10 18:44:50 1056 --ahs---- C:\Windows\system32\KGyGaAvL.sys
2008-04-08 16:28:10 0 d-------- C:\Program Files\Dl_cats
2008-04-07 20:57:10 0 d-------- C:\Program Files\eMule
2008-03-31 12:09:09 0 d-------- C:\Program Files\PartyGaming
2008-03-31 11:20:51 0 d-------- C:\Documents and Settings\Nicky West\Application Data\Real
2008-03-28 19:04:46 71172 --a------ C:\Windows\system32\mdelk.exe
2008-03-19 17:10:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-19 14:01:02 0 d-------- C:\Program Files\Common Files
2008-03-19 13:58:39 0 d-------- C:\Program Files\Java
2008-03-19 13:09:58 0 d-------- C:\Program Files\Microsoft Money 2005
2008-03-19 12:02:44 0 d-------- C:\Program Files\BitTorrent
2008-03-19 11:41:36 0 d-------- C:\Program Files\Star Downloader
2008-03-19 11:41:11 0 d-------- C:\Program Files\SpywareBlaster
2008-03-18 18:40:17 0 d--h----- C:\Documents and Settings\Nicky West\Application Data\m
2008-03-14 18:57:52 0 d-------- C:\Program Files\Intuit
2008-03-14 18:56:40 0 d-------- C:\Program Files\Common Files\Intuit
2008-03-10 16:00:45 0 d-------- C:\Program Files\Mp3Doctor
2008-03-10 15:53:23 0 d-------- C:\Program Files\Bug Doctor
2008-03-10 15:13:07 0 d-------- C:\Documents and Settings\Nicky West\Application Data\MSN6
2008-03-09 23:44:10 0 d-------- C:\Documents and Settings\Nicky West\Application Data\uTorrent
2008-03-04 13:54:08 0 d-------- C:\Program Files\Picasa2
2008-02-24 18:42:10 0 d-------- C:\Program Files\Google
2008-02-23 15:41:09 0 d-------- C:\Program Files\Opera
2008-02-06 00:01:33 2085 ---hs---- C:\Windows\system32\elsbbtbr.ini2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F60F604-0C35-4AA8-BDD8-8A24E4081B3A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD68BA3A-0C04-48A9-A828-F222E1A744Ba}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [03/11/2003 03:09]
"nwiz"="nwiz.exe" [03/11/2003 03:09 C:\WINDOWS\system32\nwiz.exe]
"Cmaudio"="cmicnfg.cpl" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [17/05/2005 18:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [26/11/2006 14:36]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [22/04/2005 13:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/11/2005 20:53]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe" [07/01/2006 06:09]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [07/01/2006 06:09]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/02/2004 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/05/2004 15:18]
"HPHmon06"="C:\WINDOWS\System32\hphmon06.exe" [07/01/2006 06:09]
"DLBTCATS"="C:\Windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [09/11/2004 22:41]
"POEngine"="C:\Program Files\PokerOffice\POEngine.exe" [13/07/2005 15:17]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [12/04/2008 16:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\Windows\system32\ctfmon.exe" [04/08/2004 08:56]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [20/08/2004 11:47]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [04/08/2004 08:56]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [17/11/2007 09:51]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [07/12/2007 16:08]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [23/10/2007 22:18]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/02/2008 17:03]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [24/09/2005 07:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [28/05/2004 22:31:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\GOOGLE\GOOGLE~2\GOEC62~1.DLL ,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 fastclick.net

1 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-12 16:38:23 ------------

Attached Files



BC AdBot (Login to Remove)

 


m

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:10 AM

Posted 14 April 2008 - 08:09 AM

Hello Belzie and welcome to BleepingComputer,

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

Posted Image

Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall


Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 belzie

belzie
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 14 April 2008 - 09:13 AM

Hi Thunder

Thanx for the help..... ran combofix and have attached the log file as it was too big to post direct in ths reply.

Belzie

Attached Files



#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:10 AM

Posted 14 April 2008 - 10:01 AM

Looking good, Belzie :thumbsup:

Scan with HijackThis and post a new log in your next reply, please.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 belzie

belzie
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 14 April 2008 - 01:34 PM

Hi Thunder

Mostly OK ...... much better than b4....... problems now seem to be programs I've got to try and rid me of the srosa and didn't work...... let you know when I've had a good look.

HJT log below.

Thanx

Belzie


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:29:15, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\IEInspector\HTTPAnalyzerFullV3\InjectWinSockServiceV3.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\nvsvc32.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {8F60F604-0C35-4AA8-BDD8-8A24E4081B3A} - (no file)
O2 - BHO: (no name) - {DD68BA3A-0C04-48A9-A828-F222E1A744Ba} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: (no name) - {4A9F59C8-FFAB-44F3-B681-392C04D44986} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\Windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Betfair enable instant betting - file://C:\Betfair Scripts\InstantBetting.htm
O8 - Extra context menu item: Betfair enable instant betting (set odds) - file://C:\Betfair Scripts\InstantBettingWithOdds.htm
O8 - Extra context menu item: Betfair lay field - file://C:\Betfair Scripts\LayField.htm
O8 - Extra context menu item: Betfair Refresh - file://C:\Betfair Scripts\BetfairRefresh.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Captain Cooks Poker - {3545A8F5-EE6B-4c4a-AD88-9C437639A73D} - C:\Program Files\captaincooksMPP\MPPoker.exe
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: IE HTTPAnalyzer V3 - {3B28142E-6D05-47AB-A263-0556C785EBB4} - C:\PROGRA~1\IEINSP~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTPAnalyzer V3 - {3B28142E-6D05-47AB-A263-0556C785EBB4} - C:\PROGRA~1\IEINSP~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: 32Red Poker - {437F7F6F-FFCC-47e1-8A4B-C992493CF6C3} - C:\Program Files\32RedMPP\MPPoker.exe
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-444553540000} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Windows\System32\shdocvw.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: 7Sultans Poker - {FD7CF1CF-331A-4d9e-A3D8-82BC1B1861DA} - C:\Program Files\7SultansMPP\MPPoker.exe
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51460969-12A7-4B97-A76B-6BC9F3795DD7}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~2\GOEC62~1.DLL ,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HttpAnalyzerV3 CodeHook service (HttpAnalyzerV3 DllInjectService) - Unknown owner - C:\Program Files\IEInspector\HTTPAnalyzerFullV3\InjectWinSockServiceV3.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

--
End of file - 13969 bytes

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:10 AM

Posted 15 April 2008 - 03:26 AM

Hello Belzie,

Remove all other programs you downloaded on your own (delete any standalone tools and remove programs trough Control Panel > Software).

After reboot,
Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present :O2 - BHO: (no name) - {8F60F604-0C35-4AA8-BDD8-8A24E4081B3A} - (no file)
O2 - BHO: (no name) - {DD68BA3A-0C04-48A9-A828-F222E1A744Ba} - (no file)
O3 - Toolbar: (no name) - {4A9F59C8-FFAB-44F3-B681-392C04D44986} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Any problems left ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 belzie

belzie
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 15 April 2008 - 05:58 PM

hello Thunder

i'm not able to do anything right now as I am called away to work for the next 6 or 7 days........ i'll let you know how its going when I return.

anyways machie much better now faster and no BSOD also all the prgrams i've tried to run have been ok.

happiness

Belzie

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:10 AM

Posted 16 April 2008 - 02:23 AM

OK Belzie,

I'll be looking forward to your reply. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users