Persistent Virus - PWS.LDPinchIE and Win32.Tiny.abk


6 replies to this topic

#1 CyberLost

  • Members
  • 4 posts

Posted 06 June 2008 - 02:41 AM

Hello all, I am new to this sort of thing and new to this site.

I was impressed by what I read in your forums and figured I should ask for some specific help

my system: Dell Latitude C800, PIII-850MHz 256MB ram 32Gig (15.5 GIG used/ 14.2 GIG Free)

Running: Win 2000 Pro SP4

firewall: Zonealarm ver 4.5.538.001

Antivirus: AVG 7.5 Free
Antispy: AVG antispyware Free

Recently converted to a lite DSL connection (login req'd for access)

Although it didn't dawn on me at the time, a lot of problems with the connection software may have been the tip-off.

every time I reboot or shut down / start up the system I would have to reinstall the connection software.

In the couple of days prior to total meltdown, many programs were just not working right.

Finally got so bad the system would not start up.

Got some help from a pro, by getting into safe mode with command prompt it was possible to have access to the system.

The fellow installed ViRoot ver 4.0, and spybot S&D and seemed to get the thing fixed (many viruses caught and removed).

after several days of running all these scanners (individually) a pattern emerged.

AVG antivirus, AVG antispyware, ViRoot 4.0 would not find anything. Spybot S&D would occasionally find a couple of viruses and be able to fix them.

Then I noticed it was the same ones. (since by now the computer could not connect to the internet)

Spybot identified them as PWS.LDPinchIE and Win32.Tiny.abk

Both affect the registry and since then I have discovered that they only come back on reboot or system shutdown/startup.


All I want to do is backup my data so I can reformat and do a fresh install but I have some challenges/fears.

FYI and some of my concerns:

1. I cannot install the internet connection software, for some reason the system won't let me (also some other programs cannot install).

2. I do have another system that does connect and can communicate with you this way. So I will need extra instructions on how to take off the logs you will require, move them to this system for uploading to you.

3. System is running very slow probably due to
(-A-) too many programs running
(-B-) damaged OS files
(-C-) Defrag is NOT an issue,
SO can I delete ALL the files in C:\Documents and Settings\Administrator\LocalSettings\Temp (approx 347MB used) and C:\Documents and Settings\Administrator\LocalSettings\Temporary Internet Files (approx 23 MB used) to get some speed increase, without affecting the operation of the system?

4. Is there anything else to do to quickly get a little more speed out of the system, just for now?

5. In transferring files from one system to the other (via flash drive) for communicating with you, will I not be risking infection on this system?


Okay, enough for now please tell me what to do next.

and thank you so much!!

Edited by CyberLost, 06 June 2008 - 02:48 AM.




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 June 2008 - 11:57 AM

Download the following programs and save them to a flash (usb, pen, thumb, jump) drive or CD. Then transfer these programs directly to the infected computer where you can use them. If you cannot copy files to your usb drive, make sure it's not "Write Protected". Hold down the Shift key when inserting the flash drive until Windows detects it to bypass autorun.inf from executing automatically if it is present.

ATF Cleaner
Malwarebytes Anti-Malware - Be sure to print out the "Scanning with MBAM Instructions".
SUPERAntiSpyware Free
SUPERAntiSpyware Free Definition files - (Be sure to download both the Core and Trace Definitions)

Scan with MBAM using the instructions you printed out earlier. When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Now double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Navigate to the SUPERAntiSpyware folder in C:\Program Files and unzip both the Core and Trace definition files.
  • An icon will have been created on your desktop. Double-click that icon to launch the program.
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.

#3 CyberLost
  • Topic Starter

  • Members
  • 4 posts

Posted 07 June 2008 - 08:00 AM

Thank you Quietman7 for your help.

First roadblock; MBAM requires updating before using, unable to accomplish this as the infected system is not able to connect to the net.

I will attempt to scan without update, unless you have a way of updating via usb drive.

Thanks again

#4 CyberLost
  • Topic Starter

  • Members
  • 4 posts

Posted 07 June 2008 - 09:02 PM

Okay, Tried to follow instructions and here goes;

MBAM; unable to perform online update since the system is not online so ran the scan as per MBAM original install.

here is the result of that scan:

________________________________

Malwarebytes' Anti-Malware 1.14
Database version: 800

9:33:12 AM 07/06/2008
mbam-log-6-7-2008 (09-32-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 97570
Time elapsed: 35 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1111-1111-1111-615111193427} (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ICF (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> No action taken.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\asasa.exe (Trojan.Agent) -> No action taken.

_____________________________________________

Ran ATF-Cleaner

Next; Rebooted into safe mode and started SUPERAntispyware but too large for the screen.

Re-booted into Safe mode with command prompt
searched for and found explorer.exe and ran it

It too did not allow repositioning the window to view what I needed to view, including "buttons"

I cannot confirm that :


not sure - On the left, make sure you check C:\Fixed Drive.
not sure - Make sure everything has a checkmark next to it and click "Next".
not sure - A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.

were followed as instructed since I could not see what was hidden beyond the screen size


following is the SUPERAntiSpyware scan result:

------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2008 at 08:22 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 02:01:06

Memory items scanned : 122
Memory threats detected : 0
Registry items scanned : 3452
Registry threats detected : 11
File items scanned : 58762
File threats detected : 12

Trojan.Unknown Origin
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000#DeviceDesc

Browser Hijacker.Internet Explorer Settings Hijack
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINNT\system32\spywarewarning.mht ]
HKU\S-1-5-21-1993962763-746137067-1708537768-500_Classes\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINNT\system32\spywarewarning.mht ]

Trojan.Fake-Drop/Gen
C:\WINNT\SYSTEM32\VRD.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@findaperson.canada411[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@kanoodle[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@findaperson.canada-411[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@fr-audio-multimedia[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@insightexpressai[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@findaperson.canada411[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@kontera[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@findaperson.canada-411[3].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@clicktoconvert[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@insightexpressai[2].txt

Trojan.Unclassified-Packed/Suspicious
C:\PROGRAM FILES\_3WEB\AFE.DLL

---------------------------------------------------------------------------------------

NOTE: the last item "C:\PROGRAM FILES\_3WEB\AFE.DLL" (date June 15, 2006) is a file from my ISP used for internet access

I was shocked to find that MBAM found 10 items and SUPERAntiSpyware found 23

You guys really know your stuff, hope some of it will rub off.

will await your next instructions.

thank you again!

#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 June 2008 - 07:16 AM

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead just click "Save Logfile". Please review these instructions (scroll down) and rescan. After performing a new scan, post the log results in your next reply.

Also know that your MBAM log indicated evidence of backdoors and rootkit agent components. Backdoor Trojans and rootkit components are very dangerous because they use advanced techniques as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan and rootkit were identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?", "Help: I Got Hacked. Now What Do I Do?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.
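The point quietman7 makes above (a log full of "No action taken" lines means nothing was actually removed, and the Rootkit/backdoor families in it raise the stakes) is easy to check mechanically when triaging a log. The following is an added example, not code from the thread or from Malwarebytes: it parses the MBAM 1.14 log layout quoted in post #4 (a "<Section> Infected:" header followed by lines of the form "<item> (<family>) -> <action>."), counts entries whose action is still "No action taken", and lists the families a responder would treat as rootkit or backdoor class. The sample log is a trimmed excerpt constructed from the lines in post #4; the family prefixes treated as high risk are this example's own assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the MBAM 1.14 log quoted in post #4 (not the full log).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.14
Database version: 800

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Google Online Services (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\runtime (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\UpdateWin (Worm.Sdbot) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\asasa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Section headers look like "Registry Keys Infected:" with nothing after the colon
# (the summary block at the top has a count after the colon and must not match).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Detection lines: "<item> (<family>) -> <action>."  Items may contain spaces but
# no parentheses, so the family is the last parenthesised group before "->".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumption for this example: family prefixes a responder treats as rootkit/backdoor class.
# Worm.Sdbot is included because the SDBot family is an IRC-controlled backdoor.
HIGH_RISK_PREFIXES = ("Rootkit.", "Backdoor.")
HIGH_RISK_FAMILIES = {"Worm.Sdbot"}


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str


def parse_mbam_log(text):
    """Return the detection lines of an MBAM 1.14 log as Detection records."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        # Skip everything before the first section and the "(No malicious items detected)" filler.
        if section is None or line.startswith("("):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Detection(section, m.group("item"), m.group("family"), m.group("action")))
    return entries


def unresolved(entries):
    """Entries the scanner reported but did not quarantine or delete."""
    return [e for e in entries if e.action.lower().startswith("no action taken")]


def is_high_risk(family):
    return family.startswith(HIGH_RISK_PREFIXES) or family in HIGH_RISK_FAMILIES


def summarize(entries):
    """Triage summary: totals, what is still unresolved, and which families escalate the case."""
    return {
        "total": len(entries),
        "unresolved": len(unresolved(entries)),
        "by_family": dict(Counter(e.family for e in entries)),
        "high_risk": sorted({e.family for e in entries if is_high_risk(e.family)}),
    }


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    report = summarize(found)
    print(report)
    for e in unresolved(found):
        print(f"still present: [{e.section}] {e.item} ({e.family})")
```

On the excerpt this reports 4 detections, 3 of them unresolved, and flags Rootkit.Agent and Worm.Sdbot; the same check over the second log in post #6, where every line ends in "Quarantined and deleted successfully", yields zero unresolved entries.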

#6 CyberLost
  • Topic Starter

  • Members
  • 4 posts

Posted 12 June 2008 - 10:12 PM

Sorry it took so long to get back; internet problems.

OK here goes,

First thing I did was the following:


---------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.14
Database version: 800

9:38:37 AM 07/06/2008
mbam-log-6-7-2008 (09-38-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 97570
Time elapsed: 35 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1111-1111-1111-615111193427} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\asasa.exe (Trojan.Agent) -> Quarantined and deleted successfully.

------------------------------------------------------------------------------------------------

Next , I ran Spybot S&D with the following findings

Note: That computer has not been on the internet since very early in May and Smitfraud-C has not shown up since late in April. Win32.Tiny.abk keeps coming back after every reboot.


-------------------------------------------------------------------------------------------

--- Report generated: 2008-06-08 18:27 ---

Smitfraud-C.: [SBI $924FA7AF] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\IEUpdate

Win32.Tiny.abk: [SBI $FB04C55B] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Inet Service


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-04-29 unins000.exe (51.41.0.0)
2008-04-29 unins001.exe (51.49.0.0)
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-01-28 Update.exe (1.4.0.6)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-01-28 advcheck.dll (1.5.4.5)
2008-01-28 SDFiles.dll (1.5.1.19)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2007-04-02 aports.dll (2.1.0.0)
2007-12-26 Includes\Dialer.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-04-22 Includes\Malware.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-04-16 Includes\Adware.sbi (*)
2008-04-30 Includes\Hijackers.sbi (*)
2008-04-30 Includes\Keyloggers.sbi (*)
2008-04-30 Includes\Trojans.sbi (*)
2008-05-07 Includes\Cookies.sbi (*)
2008-05-07 Includes\Revision.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-05-07 Includes\TrojansC.sbi (*)
2008-05-07 Includes\SpybotsC.sbi (*)
2008-05-07 Includes\SecurityC.sbi (*)
2008-05-07 Includes\PUPSC.sbi (*)
2008-05-07 Includes\MalwareC.sbi (*)
2008-05-07 Includes\KeyloggersC.sbi (*)
2008-05-07 Includes\HijackersC.sbi (*)
2008-05-07 Includes\DialerC.sbi (*)
2008-05-07 Includes\HeavyDuty.sbi (*)
2008-05-07 Includes\AdwareC.sbi (*)
2008-05-07 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
-----------------------------------------------------------------------

Rebooted and ran Spybot S&D again with more report info as below:

------------------------------------------------------------------------------

--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-04-29 unins000.exe (51.41.0.0)
2008-04-29 unins001.exe (51.49.0.0)
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-01-28 Update.exe (1.4.0.6)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-01-28 advcheck.dll (1.5.4.5)
2008-01-28 SDFiles.dll (1.5.1.19)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2007-04-02 aports.dll (2.1.0.0)
2007-12-26 Includes\Dialer.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-04-22 Includes\Malware.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-04-16 Includes\Adware.sbi (*)
2008-04-30 Includes\Hijackers.sbi (*)
2008-04-30 Includes\Keyloggers.sbi (*)
2008-04-30 Includes\Trojans.sbi (*)
2008-05-07 Includes\Cookies.sbi (*)
2008-05-07 Includes\Revision.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-05-07 Includes\TrojansC.sbi (*)
2008-05-07 Includes\SpybotsC.sbi (*)
2008-05-07 Includes\SecurityC.sbi (*)
2008-05-07 Includes\PUPSC.sbi (*)
2008-05-07 Includes\MalwareC.sbi (*)
2008-05-07 Includes\KeyloggersC.sbi (*)
2008-05-07 Includes\HijackersC.sbi (*)
2008-05-07 Includes\DialerC.sbi (*)
2008-05-07 Includes\HeavyDuty.sbi (*)
2008-05-07 Includes\AdwareC.sbi (*)
2008-05-07 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4 (5.0.2195)
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842773
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)


--- Startup entries list ---
Located: HK_LM:Run, !AVG Anti-Spyware
command: "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
file: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6731312
MD5: CC6BC45DD5A58158645E7FB2953604FE

Located: HK_LM:Run, AtiPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 294912
MD5: 18B45E48A518E13DF60200F2431E0A47

Located: HK_LM:Run, AVG7_CC
command: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 579584
MD5: 25A49E5BFF4E6424FA5E27C81269041D

Located: HK_LM:Run, IndexSearch
command: "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"
file: C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
size: 36864
MD5: EE0D774FCF0C75F043D96ED34FC45441

Located: HK_LM:Run, NPS Event Checker
command: C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
file: C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
size: 29184
MD5: 31F9066CE7DB3281FD6637139CD4FCED

Located: HK_LM:Run, PRPCMonitor
command: PRPCUI.exe
file: C:\WINNT\system32\PRPCUI.exe
size: 41472
MD5: 3AC333686D6734E77EFCEC275EDA4DC9

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
size: 132496
MD5: 896E712A34D654A337C8CBB9DEB07200

Located: HK_LM:Run, SymTray - Norton SystemWorks
command: "C:\Program Files\Common Files\Symantec Shared\SymTray.exe" "Norton SystemWorks"
file: C:\Program Files\Common Files\Symantec Shared\SymTray.exe
size: 73808
MD5: 343548E4397918AD77042048967AAE12

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9B2F5B9E745DEAAA57FB78329ED03061

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 249856
MD5: D80D4B1970B3DDCF0E1ADEB2B9B5CE74

Located: HK_LM:Run, SynTPLpr
command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 94208
MD5: BA1E076D0673A01DB828D05E5FB8DBFF

Located: HK_LM:Run, Vrmon
command: C:\Program Files\ViRobotXP\vrmonnt.exe Main
file: C:\Program Files\ViRobotXP\vrmonnt.exe
size: 249916
MD5: 925F176C576179E33A2219F64A7ACEEC

Located: HK_LM:Run, VrSchedule
command: C:\Program Files\ViRobotXP\Vrres.exe
file: C:\Program Files\ViRobotXP\Vrres.exe
size: 266304
MD5: 52A546963C1ACEC186D9DA106EA4E2EF

Located: HK_LM:Run, WinFaxAppPortStarter
command: wfxsnt40.exe
file: C:\WINNT\system32\wfxsnt40.exe
size: 43008
MD5: 7A9DB3D93C96B678548E8FCF2ACD3799

Located: HK_LM:Run, Zone Labs Client
command: C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
file: C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
size: 693528
MD5: DB4320BC99A37A6F4934A826976DED57

Located: HK_CU:Run, AVG7_Run
where: .DEFAULT...
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
size: 219136
MD5: B331EF4C7437F5093D703340678469EB

Located: HK_CU:Run, MSN Protocol XP (DISABLED)
where: .DEFAULT...
command: mcmp386.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, ^SetupICWDesktop (DISABLED)
where: .DEFAULT...
command: C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
file: C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe
size: 186640
MD5: 76D94AF73FB4C5361239782170592C4E

Located: HK_CU:Run, HDDHealth
where: S-1-5-21-1993962763-746137067-1708537768-500...
command: C:\Program Files\HDD Health\HDDHealth.exe -wl
file: C:\Program Files\HDD Health\HDDHealth.exe
size: 692736
MD5: 21051AF95328D5DB6BC4BC70090E8CEC

Located: HK_CU:Run, Skype
where: S-1-5-21-1993962763-746137067-1708537768-500...
command: "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
file: C:\Program Files\Skype\Phone\Skype.exe
size: 25370152
MD5: 23E79AF5BACD142F5479477EE12517B3

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1993962763-746137067-1708537768-500...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F

Located: HK_CU:Run, MSN Protocol XP (DISABLED)
where: S-1-5-21-1993962763-746137067-1708537768-500...
command: mcmp386.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, swg (DISABLED)
where: S-1-5-21-1993962763-746137067-1708537768-500...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: Startup (common), WinZip Quick Pick.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\WinZip\WZQKPICK.EXE
file: C:\Program Files\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67B2E7B6AE3B400D832F0456068EA83D

Located: WinLogon, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 29/04/2008 4:41:38 PM
Date (last access): 08/06/2008
Date (last write): 28/01/2008 11:43:28 AM
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINNT\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 20/03/2008 6:06:36 PM
Date (last access): 08/06/2008
Date (last write): 20/03/2008 6:06:36 PM
Filesize: 1480232
Attributes: archive
MD5: E058C4821D48E0A67F6069CB50818D44
CRC32: 3513AE02
Version: 1.7.69.2

{21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control)
DPF name:
CLSID name: ChartFX Internet Control
Installer: C:\WINNT\Downloaded Program Files\CfxIEAx.inf
Codebase: http://www.schaeffersresearch.com/download/CfxIEAx.cab
description:
classification: Legitimate
known filename: CfxIEAx.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\DOWNLO~1\
Long name: CfxIEAx.ocx
Short name: CFXIEAX.OCX
Date (created): 16/03/2004 12:35:14 PM
Date (last access): 08/06/2008
Date (last write): 16/03/2004 12:35:14 PM
Filesize: 590848
Attributes: archive
MD5: 37FE0218E237110FFBB546FAC05BEE05
CRC32: 14F40882
Version: 5.5.14.0

{24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0)
DPF name:
CLSID name: ChartFX Internet Financial Client 4.0
Installer:
Codebase: http://www.schaeffersresearch.com/Download/Cfx4Financial.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: Cfx4FCli.dll
Short name: CFX4FCLI.DLL
Date (created): 26/08/2002 3:58:58 PM
Date (last access): 08/06/2008
Date (last write): 26/08/2002 3:58:58 PM
Filesize: 561225
Attributes: archive
MD5: 15D735D9CAE5E53ED93F8D5524746CA6
CRC32: 38D57C5C
Version: 4.0.30.0

{2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class)
DPF name:
CLSID name: ActiveScan 2.0 Installer Class
Installer: C:\WINNT\Downloaded Program Files\as2stubie.inf
Codebase: http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: as2stubie.dll
Short name: AS2STU~1.DLL
Date (created): 25/03/2008 6:13:04 PM
Date (last access): 08/06/2008
Date (last write): 25/03/2008 6:13:04 PM
Filesize: 124208
Attributes: archive
MD5: AD19F92B3F0E64C3E0F927D8EA64C199
CRC32: 5C3BB03F
Version: 1.0.0.7

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINNT\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/windowsupd...b?1194324295327
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: wuweb.dll
Short name:
Date (created): 30/07/2007 7:19:46 PM
Date (last access): 08/06/2008
Date (last write): 30/07/2007 7:19:46 PM
Filesize: 203096
Attributes: archive
MD5: FD984F9BFC9C62BD6546BD183CE5ADE7
CRC32: 8092F837
Version: 7.0.6000.381

{82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43)
DPF name:
CLSID name: Driver_Detective_v43_Non_Member.DD_v43
Installer: C:\WINNT\Downloaded Program Files\Driver_Detective_v43_Non_Member.INF
Codebase: http://www.drivershq.com/cab/prod/Driver_D..._Non_Member.CAB
description:
classification: Open for discussion
known filename: Driver_Detective_v43_Non_Member.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: Driver_Detective_v43_Non_Member.ocx
Short name: DRIVER~1.OCX
Date (created): 11/05/2005 3:43:20 PM
Date (last access): 08/06/2008
Date (last write): 11/05/2005 3:43:20 PM
Filesize: 71864
Attributes: archive
MD5: 996B881E26914AFCC7FCE05B4F23AA8B
CRC32: CECC09FA
Version: 4.3.0.1

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 12/07/2007 2:22:38 AM
Date (last access): 08/06/2008
Date (last write): 12/07/2007 4:00:36 AM
Filesize: 132496
Attributes: archive
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6

{B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class)
DPF name:
CLSID name: CentraDownloaderCtl Class
Installer: C:\WINNT\Downloaded Program Files\CentraDownloader.inf
Codebase: http://asp17.centra.com/SiteRoots/main/Ins...aDownloader.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: CentraDownloader.dll
Short name: CENTRA~1.DLL
Date (created): 05/05/2005 5:17:48 PM
Date (last access): 08/06/2008
Date (last write): 05/05/2005 5:17:48 PM
Filesize: 172032
Attributes: archive
MD5: 932CE81D3CA8A9BADEE8DD47467FA11F
CRC32: 7B987403
Version: 7.2.1.33

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description:
classification: Legitimate
known filename: npjpi160_02.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 12/07/2007 2:22:38 AM
Date (last access): 08/06/2008
Date (last write): 12/07/2007 4:00:36 AM
Filesize: 132496
Attributes: archive
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 12/07/2007 2:22:38 AM
Date (last access): 08/06/2008
Date (last write): 12/07/2007 4:00:36 AM
Filesize: 132496
Attributes: archive
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwa...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\system32\Macromed\Flash\
Long name: Flash9c.ocx
Short name: FLASH9C.OCX
Date (created): 27/03/2007 4:04:00 PM
Date (last access): 08/06/2008
Date (last write): 27/03/2007 4:04:00 PM
Filesize: 2267368
Attributes: readonly archive
MD5: D7E66E0215341B9950FAB1D749F9F692
CRC32: 65E35770
Version: 9.0.45.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 140 ( 8) \SystemRoot\System32\smss.exe
size: 45840
PID: 164 ( 140) \??\C:\WINNT\system32\csrss.exe
size: 5392
PID: 160 ( 140) \??\C:\WINNT\system32\winlogon.exe
size: 181008
PID: 212 ( 160) C:\WINNT\system32\services.exe
size: 89360
MD5: CFED2D28F5B8A24127E9E06043070643
PID: 224 ( 160) C:\WINNT\system32\lsass.exe
size: 33552
MD5: 271229760CCED993E9E7CAB1C7274134
PID: 404 ( 212) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 432 ( 212) C:\WINNT\system32\spoolsv.exe
size: 45328
MD5: 987DAF317B917CFC973DE8364D62A76C
PID: 460 ( 212) C:\WINNT\system32\Ati2evxx.exe
size: 147456
MD5: 79C43543A43166C1CA98517B2349293F
PID: 476 ( 212) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
size: 312880
MD5: 5DCD235C061022BCDA9AA48670B64211
PID: 500 ( 212) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
size: 418816
MD5: 3C7B93F947355E374A49564D0D017B7B
PID: 556 ( 212) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
size: 49664
MD5: 30A14F65DB477DC00A64A5A24E96919C
PID: 584 ( 212) C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
size: 406528
MD5: FC0B2AE890BB0DC8C2306DABEDC8A4BA
PID: 632 ( 212) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 660 ( 212) C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
size: 90112
MD5: 95410DE0C4A5DB47591EA06A0AC3C5E5
PID: 724 ( 212) C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
size: 126976
MD5: 15CB0BDABB8695B9CCCFBDAB2016C7D8
PID: 768 ( 212) C:\WINNT\system32\regsvc.exe
size: 68368
MD5: 250C4CE389783FA2398E3AFA4317008C
PID: 792 ( 212) C:\WINNT\system32\MSTask.exe
size: 119568
MD5: 00D8C428B2D6DFFCABEB859BC69F632B
PID: 836 ( 212) C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
size: 172065
MD5: DF206C99A5735BC6955F1EE5108F21B8
PID: 916 ( 212) C:\WINNT\system32\stisvc.exe
size: 61712
MD5: B75235626B950FF821146555C612F814
PID: 976 ( 212) C:\WINNT\system32\mspmspsv.exe
size: 53248
MD5: AF619B3908BB1C9336FB6981609018FE
PID: 988 ( 212) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 1068 (1056) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 1176 (1068) C:\WINNT\system32\PRPCUI.exe
size: 41472
MD5: 3AC333686D6734E77EFCEC275EDA4DC9
PID: 1184 (1068) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 294912
MD5: 18B45E48A518E13DF60200F2431E0A47
PID: 1196 (1068) C:\Program Files\Common Files\Symantec Shared\SymTray.exe
size: 73808
MD5: 343548E4397918AD77042048967AAE12
PID: 1236 (1068) C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
size: 132496
MD5: 896E712A34D654A337C8CBB9DEB07200
PID: 1296 (1068) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 94208
MD5: BA1E076D0673A01DB828D05E5FB8DBFF
PID: 1312 (1068) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 249856
MD5: D80D4B1970B3DDCF0E1ADEB2B9B5CE74
PID: 1328 (1068) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F
PID: 1032 ( 212) C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
size: 81920
MD5: 0AD3E4DE8240202B9B983F1C9E5E1455
PID: 1240 (1328) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 8 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 08/06/2008 9:32:09 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.my3web.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8044DE08-3E74-4C8E-B3C8-16D5015C87F5}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8044DE08-3E74-4C8E-B3C8-16D5015C87F5}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{72310F7D-7A90-46F4-BE59-E36BBD0CDD45}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{72310F7D-7A90-46F4-BE59-E36BBD0CDD45}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2A457DDF-9961-4C3B-A847-B3B8FB73B2DB}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2A457DDF-9961-4C3B-A847-B3B8FB73B2DB}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{350C9999-7A5C-43FD-81C5-F6D6938623D6}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{350C9999-7A5C-43FD-81C5-F6D6938623D6}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EBD5C550-42D3-47F6-A6BB-B674473DC2C8}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EBD5C550-42D3-47F6-A6BB-B674473DC2C8}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{19AC3740-0C4E-4A00-93C7-A9E5894E294B}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{19AC3740-0C4E-4A00-93C7-A9E5894E294B}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
------------------------------------------------------------------------------

Next I ran SUPERAntiSpyware again from safe mode, but because I was unable to see the "check boxes" and the "next" button I had to run the software from full normal boot mode and close as many programs as possible.

---------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2008 at 02:36 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 02:00:22

Memory items scanned : 133
Memory threats detected : 0
Registry items scanned : 3453
Registry threats detected : 2
File items scanned : 58586
File threats detected : 1

Browser Hijacker.Internet Explorer Settings Hijack
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINNT\system32\spywarewarning.mht ]
HKU\S-1-5-21-1993962763-746137067-1708537768-500_Classes\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINNT\system32\spywarewarning.mht ]

Trojan.Unclassified-Packed/Suspicious
C:\PROGRAM FILES\_3WEB\AFE.DLL
------------------------------------------------------------------------------------------

The scan was run a second time on 06/08/2008, completed at 5:04:17 PM, with the exact same result.

In scan mode I do not know how to navigate the window so I can "see" the check boxes and the "next" box.

So I had to run the scan again in normal boot-up mode, and the result from that post is below.

NOTE: the next post doesn't state it, but I was able to select the threats and delete them.

------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/09/2008 at 06:32 AM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 01:45:07

Memory items scanned : 279
Memory threats detected : 0
Registry items scanned : 3234
Registry threats detected : 2
File items scanned : 55220
File threats detected : 1

Browser Hijacker.Internet Explorer Settings Hijack
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINNT\system32\spywarewarning.mht ]
HKU\S-1-5-21-1993962763-746137067-1708537768-500_Classes\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINNT\system32\spywarewarning.mht ]

Trojan.Unclassified-Packed/Suspicious
C:\PROGRAM FILES\_3WEB\AFE.DLL

----------------------------------------------------------------------------------------------

Although they were deleted, how can I be sure that they won't come back?

After all this I ran another MBAM scan just to see; the results follow.


--------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.14
Database version: 800

7:10:28 AM 09/06/2008
mbam-log-6-9-2008 (07-10-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 85483
Time elapsed: 32 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------------------------------

After another reboot I ran another SUPERAntiSpyware scan, with the following results:

-------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/09/2008 at 06:55 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 01:36:28

Memory items scanned : 283
Memory threats detected : 0
Registry items scanned : 3235
Registry threats detected : 2
File items scanned : 55235
File threats detected : 0

Browser Hijacker.Internet Explorer Settings Hijack
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINNT\system32\spywarewarning.mht ]
HKU\S-1-5-21-1993962763-746137067-1708537768-500_Classes\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINNT\system32\spywarewarning.mht ]

----------------------------------------------------------------------------------------------

Finally, one more scan with Spybot S&D, with the following results:

---------------------------------------------------------------------------------------------


--- Report generated: 2008-06-09 21:00 ---

Win32.Tiny.abk: [SBI $FB04C55B] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Inet Service


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-04-29 unins000.exe (51.41.0.0)
2008-04-29 unins001.exe (51.49.0.0)
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-01-28 Update.exe (1.4.0.6)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-01-28 advcheck.dll (1.5.4.5)
2008-01-28 SDFiles.dll (1.5.1.19)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2007-04-02 aports.dll (2.1.0.0)
2007-12-26 Includes\Dialer.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-04-22 Includes\Malware.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-04-16 Includes\Adware.sbi (*)
2008-04-30 Includes\Hijackers.sbi (*)
2008-04-30 Includes\Keyloggers.sbi (*)
2008-04-30 Includes\Trojans.sbi (*)
2008-05-07 Includes\Cookies.sbi (*)
2008-05-07 Includes\Revision.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-05-07 Includes\TrojansC.sbi (*)
2008-05-07 Includes\SpybotsC.sbi (*)
2008-05-07 Includes\SecurityC.sbi (*)
2008-05-07 Includes\PUPSC.sbi (*)
2008-05-07 Includes\MalwareC.sbi (*)
2008-05-07 Includes\KeyloggersC.sbi (*)
2008-05-07 Includes\HijackersC.sbi (*)
2008-05-07 Includes\DialerC.sbi (*)
2008-05-07 Includes\HeavyDuty.sbi (*)
2008-05-07 Includes\AdwareC.sbi (*)
2008-05-07 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
----------------------------------------------------------------------------------------------------

As in my first post, I want to remove the threats so I can back up my data to another external drive/CD/DVD and then reformat the computer with fresh installs of all the software.

This has been a long post; I hope it tells you everything you need. Please let me know if there is anything else, and/or how to remove the threats that come back on reboot. Is there anything that gets rid of those?

Thanks again


#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 June 2008 - 10:31 PM

I want to remove the threats so I can backup my data to another external drive/cd/dvd and then reformat the computer with fresh installs of all the software

That's the decision I would have made if this were my system.

Some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action.

In your scan logs there was evidence that one or more of the identified infections was a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?" and "Help: I Got Hacked. Now What Do I Do?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.



