
Antivirus 2008


11 replies to this topic

#1 cajunsaint

cajunsaint

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 28 November 2008 - 01:10 AM

My son brought his computer for repair. It turns out his problem was a bad hard drive (D). I removed the drive and discovered he had LimeWire installed, so I uninstalled it. He had complained about pop-up virus warnings. I found the program Antivirus 2008 listed in his programs but could not find it in the Add/Remove Programs applet of Control Panel to uninstall it. I also could not find any screensaver or desktop options in the display properties.
I've run HJT and RSIT. I did not scan with Kaspersky because I did not want to connect his computer to my network.
Below are the scans:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:31 PM, on 11/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwww.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINNT\system32\UpMedia\ContentTool.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TBTray] acoustic.exe
O4 - HKLM\..\Run: [Launcher] aelaunch.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe
O4 - HKLM\..\Run: [SMrhcrlvj0elea] C:\Program Files\rhcrlvj0elea\rhcrlvj0elea.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM 2004\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152276486781
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 5755 bytes

Logfile of random's system information tool 1.04 (written by random/random)
Run by Michael Campora at 2008-11-27 23:34:37
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 20 GB (52%) free of 38 GB
Total RAM: 1535 MB (72% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:43 PM, on 11/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\U3\0000162B5372646F\LaunchPad.exe
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\U3\0000162B5372646F\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec\McVsUSB.exe
E:\Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Michael Campora.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwww.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINNT\system32\UpMedia\ContentTool.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TBTray] acoustic.exe
O4 - HKLM\..\Run: [Launcher] aelaunch.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe
O4 - HKLM\..\Run: [SMrhcrlvj0elea] C:\Program Files\rhcrlvj0elea\rhcrlvj0elea.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM 2004\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152276486781
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 6037 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ED7D3DE-6DBE-4516-8712-01B1B64B7057}]
ohb Class - C:\WINNT\system32\UpMedia\ContentTool.dll [2007-06-13 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\System32\msdxm.ocx [2005-03-31 844560]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"SystemTray"=C:\WINNT\system32\SysTray.Exe [1999-12-07 3856]
"TBTray"=acoustic.exe []
"Launcher"=C:\WINNT\aelaunch.exe [2000-10-30 35328]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2005-04-14 32768]
"D-Link Air Utility"=C:\Program Files\D-Link\Air Utility\AirCFG.exe [2003-06-25 2695168]
"NeroFilterCheck"=C:\WINNT\system32\NeroCheck.exe [2001-07-09 155648]
"AXPFixer"=C:\Program Files\AXPFixer\AXPFixer.exe [2008-05-19 1564672]
"SMrhcrlvj0elea"=C:\Program Files\rhcrlvj0elea\rhcrlvj0elea.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"ATI Launchpad"=C:\Program Files\ATI Multimedia\main\launchpd.exe [2005-04-28 102400]
"ATI DeviceDetect"=C:\Program Files\ATI Multimedia\main\ATIDtct.EXE [2005-04-28 53248]
"ATI Remote Control"=C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe [2005-05-10 1482752]
"SMSystemAnalyzer"=C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe [2006-02-02 578048]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
Kaspersky Anti-Hacker.lnk - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINNT\system32\Ati2evxx.dll [2005-04-14 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
logonnfy.dll []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=1
"NoDispScrSavPage"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-11-27 23:34:37 ----D---- C:\rsit
2008-11-27 23:00:49 ----D---- C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\U3
2008-11-27 22:51:44 ----D---- C:\Program Files\Trend Micro
2008-11-27 20:26:03 ----D---- C:\Program Files\Common Files\Kaspersky Lab
2008-11-27 20:26:01 ----D---- C:\Program Files\Kaspersky Lab
2008-11-27 20:25:02 ----A---- C:\WINNT\system32\smrgdf.exe
2008-11-27 20:25:02 ----A---- C:\WINNT\system32\iolobtdfg.exe
2008-11-27 20:25:02 ----A---- C:\WINNT\system32\Incinerator.dll
2008-11-27 20:24:58 ----AD---- C:\Program Files\iolo

======List of files/folders modified in the last 1 months======

2008-11-27 22:57:18 ----AD---- C:\WINNT\system32
2008-11-27 22:56:44 ----AD---- C:\WINNT
2008-11-27 22:51:44 ----RAD---- C:\Program Files
2008-11-27 21:14:59 ----AD---- C:\WINNT\Debug
2008-11-27 21:11:55 ----A---- C:\WINNT\SchedLgU.Txt
2008-11-27 20:49:12 ----D---- C:\Program Files\LimeWire
2008-11-27 20:26:03 ----AD---- C:\WINNT\system32\drivers
2008-11-27 20:26:03 ----AD---- C:\Program Files\Common Files
2008-11-27 20:14:34 ----SHD---- C:\WINNT\CSC

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 FileDisk;FileDisk; C:\WINNT\system32\drivers\FileDisk.sys [2006-01-18 9341]
R1 Klif;Klif; C:\WINNT\System32\drivers\klif.sys [2005-08-04 129808]
R2 NIOC;NIOC Service; \??\C:\WINNT\System32\NIOC.SYS []
R3 aeaudio;aeaudio; C:\WINNT\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 ATI Remote Wonder II;ATI Remote Wonder II; C:\WINNT\system32\drivers\ATIRWVD.SYS [2003-12-15 257872]
R3 ati2mtag;ati2mtag; C:\WINNT\System32\DRIVERS\ati2mtag.sys [2005-04-14 1130496]
R3 E1000;Intel® PRO/1000 Network Connection Driver; C:\WINNT\System32\DRIVERS\e1000nt5.sys [2005-06-29 157184]
R3 MVDCODEC;ATI WDM Specialized MVD Codec; C:\WINNT\System32\DRIVERS\atinmdxx.sys [2005-04-13 15360]
R3 NaiFiltr;NaiFiltr; \??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys []
R3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver; C:\WINNT\System32\DRIVERS\NETR33X.SYS [2003-05-23 158976]
R3 PCDCODEC;ATI WDM Specialized PCD Codec; C:\WINNT\System32\DRIVERS\atinpdxx.sys [2005-04-13 14848]
R3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2003-05-06 580992]
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbehci.sys [2003-06-19 19728]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\System32\DRIVERS\usbhub20.sys [2003-06-19 49776]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S2 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [1999-10-04 13904]
S3 atinevxx;ATI WDM Rage Theater Video NSP; C:\WINNT\System32\DRIVERS\atinevxx.sys [2005-04-13 165888]
S3 ATITUNEP;ATI WDM TV Tuner; C:\WINNT\System32\DRIVERS\atineuxx.sys [2005-04-13 56320]
S3 ativraxx;ATI WDM Rage Theater Audio; C:\WINNT\System32\DRIVERS\atinraxx.sys [2005-04-13 55808]
S3 ATIXSAudio;ATI WDM TV Audio Crossbar; C:\WINNT\System32\DRIVERS\atinesxx.sys [2005-04-13 75776]
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\System32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2003-06-19 11632]
S3 MPE;BDA MPE Filter; C:\WINNT\System32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-11 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\System32\DRIVERS\NdisIP.sys [2004-07-09 10112]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\System32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 streamip;BDA IPSink; C:\WINNT\System32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 sysrest.sys;sysrest.sys; \??\C:\WINNT\system32\sysrest.sys []
S3 tbHD;Philips Acoustic Edge WDM Driver; C:\WINNT\system32\drivers\TBirdHD.sys []
S3 TBhdgame;Philips Acoustic Edge GamePort; C:\WINNT\System32\DRIVERS\TBhdgame.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINNT\system32\drivers\usbaudio.sys [1999-10-12 68912]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2003-06-19 21872]
S3 w810bus;Sony Ericsson W810 Driver driver (WDM); C:\WINNT\system32\DRIVERS\w810bus.sys [2006-02-20 58288]
S3 w810mdfl;Sony Ericsson W810 USB WMC Modem Filter; C:\WINNT\system32\DRIVERS\w810mdfl.sys [2006-02-20 8336]
S3 w810mdm;Sony Ericsson W810 USB WMC Modem Driver; C:\WINNT\system32\DRIVERS\w810mdm.sys [2006-02-20 94064]
S3 w810mgmt;Sony Ericsson W810 USB WMC Device Management Drivers (WDM); C:\WINNT\system32\DRIVERS\w810mgmt.sys [2006-02-20 85408]
S3 w810obex;Sony Ericsson W810 USB WMC OBEX Interface; C:\WINNT\system32\DRIVERS\w810obex.sys [2006-02-20 83344]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\System32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINNT\System32\Ati2evxx.exe [2005-04-14 364544]
R2 AvSynMgr;AVSync Manager; C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-30 155665]
R2 LexBceS;LexBce Server; C:\WINNT\system32\LEXBCES.EXE [2003-11-06 307200]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\System32\MsPMSPSv.exe [2001-10-01 53248]
R2 WZCBDLService;WZCBDL Service; C:\Program Files\WZCBDL Service\WZCBDLS.exe [2002-03-19 36864]
R3 McShield;McShield; C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe [2001-04-30 229499]
S2 ATI Smart;ATI Smart; C:\WINNT\system32\ati2sgag.exe [2005-04-14 516096]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\System32\svchost.exe [1999-12-07 7952]

-----------------EOF-----------------
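As an added triage example (my code, not from the thread or from HijackThis/RSIT), the script below parses HijackThis O4 lines and RSIT registry-policy lines in the formats posted above: it flags Run entries whose names look machine-generated, like the rhcrlvj0elea entry, and the NoDisp* policy values that hide Display Properties tabs, which matches what the original poster could not find. The sample input is constructed from entries in the logs above; the scoring thresholds are my own assumptions.

```python
import re

# Constructed sample input: a few HijackThis O4 lines and an RSIT policy block,
# copied in shape and content from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe
O4 - HKLM\..\Run: [SMrhcrlvj0elea] C:\Program Files\rhcrlvj0elea\rhcrlvj0elea.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=1
"NoDispScrSavPage"=1
"""

# HijackThis O4 autostart line: hive, Run key, [name], command line.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# RSIT registry dump: "[key]" header and "value"=data lines.
SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
POLICY_RE = re.compile(r'^"(?P<value>NoDisp\w+)"=(?P<data>\d+)$')

# Explorer policy values that remove tabs (or the whole applet) from Display Properties.
DISPLAY_LOCKOUT = {
    "NoDispBackgroundPage": "hides the Background/Desktop tab",
    "NoDispScrSavPage": "hides the Screen Saver tab",
    "NoDispAppearancePage": "hides the Appearance tab",
    "NoDispSettingsPage": "hides the Settings tab",
    "NoDispCPL": "blocks the Display control panel entirely",
}

VOWELS = set("aeiouy")


def looks_random(token: str) -> bool:
    """Heuristic (assumed thresholds) for generated names such as 'rhcrlvj0elea':
    digits mixed into letters, a long run of consonants, and overall length."""
    text = token.lower()
    score = 0
    if any(c.isdigit() for c in text) and any(c.isalpha() for c in text):
        score += 1
    run = longest = 0
    for c in text:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    if longest >= 5:
        score += 1
    if len(text) >= 10:
        score += 1
    return score >= 2


def exe_path(cmd: str) -> str:
    """Extract the executable path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split()[0]


def triage(log_text: str) -> dict:
    """Return Run entries with random-looking names and active Display lockout policies."""
    suspicious, lockout, section = [], [], ""
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            parts = path.replace("/", "\\").split("\\")
            stem = parts[-1].rsplit(".", 1)[0]
            folder = parts[-2] if len(parts) > 1 else ""
            flagged = [t for t in (m.group("name"), stem, folder) if t and looks_random(t)]
            if flagged:
                suspicious.append({"name": m.group("name"), "hive": m.group("hive"),
                                   "key": m.group("key"), "path": path, "reason": flagged})
            continue
        s = SECTION_RE.match(line)
        if s:
            section = s.group("key")
            continue
        p = POLICY_RE.match(line)
        # Only policy values under ...\Policies\System with a non-zero value are active.
        if p and section.lower().endswith("\\policies\\system") and p.group("data") != "0":
            if p.group("value") in DISPLAY_LOCKOUT:
                lockout.append(p.group("value"))
    return {"suspicious_run": suspicious, "display_lockout": lockout}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for entry in result["suspicious_run"]:
        print(f"suspicious autostart: {entry['hive']}\\{entry['key']} [{entry['name']}] -> {entry['path']}")
    for value in result["display_lockout"]:
        print(f"display lockout policy: {value} ({DISPLAY_LOCKOUT[value]})")
```

The name heuristic is deliberately narrow: it catches the generated-name family but not rogues with plausible names such as AXPFixer, which still need a signature-based scanner like the one the helper recommends.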


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:22 AM

Posted 29 November 2008 - 06:48 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Download DDS and save it to your desktop.

Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Contents of the DDS.txt posted as text in your reply
  • Attach the Attach.txt to your post by clicking the Manage Attachments button under Additional Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.


Please post these logs in your next reply..

1. Malwarebytes'
2. DDS.txt
3. Attach.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 cajunsaint

cajunsaint
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 29 November 2008 - 10:32 AM

Thank you, fenzodahl512
I had already run Malwarebytes. In addition I ran Spybot S&D and Iolo System Mechanic. System Mechanic would not run before Malwarebytes quarantined the majority of the infected files. Each program detected different infected files.
System Mechanic made the following registry changes: SCR "%1" /S to notepad.exe %1 and (registry extension handler) regedit.exe %1 to notepad.exe %1.
I do have this computer connected to my network and connected to the internet now.
I thought you should know about the things I have done.

The antivirus XP 2008 appears to be gone now but I will follow your directions and post the results.

Thanks again,

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:22 AM

Posted 29 November 2008 - 10:49 AM

Ok.. waiting for your log :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 cajunsaint

cajunsaint
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 29 November 2008 - 11:09 AM

Malwarebytes' Anti-Malware 1.30
Database version: 1432
Windows 5.0.2195 Service Pack 4

11/28/2008 12:49:50 PM
mbam-log-2008-11-28 (12-49-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 127388
Time elapsed: 1 hour(s), 20 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 17
Files Infected: 87

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\fis.amo (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5015bf9d-173c-474b-9af3-77d4d23a4135} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5ed7d3de-6dbe-4516-8712-01b1b64b7057} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ed7d3de-6dbe-4516-8712-01b1b64b7057} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{92c3f342-45da-4511-853a-b3836aaff5f5} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.amo.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.momo (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.momo.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.ohb (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.ohb.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348d7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\upmedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcrlvj0elea (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\axpfixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcrlvj0elea (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINNT\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Antivirus XP 2008 (Rogue.XPAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Advanced XP Fixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AXPFixer\AXPFixer.exe (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\WINNT\system32\UpMedia\ContentTool.dll (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINNT\system32\UpMedia\SearchTool.dll (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt199.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt24C.tmp (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt29.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea\rhcrlvj0eleaSkin.dll (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINNT\1-fe5e180d56ed9c233080898276c260cc.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINNT\system32\102.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1C9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1CF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\25.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\2FD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\32D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\331.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\35A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\35E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\38A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\38E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\3BA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\3BE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\3EA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\3EE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\416.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\41A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\446.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\BF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\blphcvlvj0elea.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\C4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\44A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\FE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\473.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\477.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\4B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\69.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\93.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\97.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\AB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\UpMedia\uninstallSE.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\AXPFixer.exe.local (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\database.dat (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\license.txt (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\MFC71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\MFC71ENU.DLL (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\msvcp71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\msvcr71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\Uninstall.exe (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcrlvj0elea\rhcrlvj0elea.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.XPAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.XPAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.XPAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.XPAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.XPAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Advanced XP Fixer\Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Advanced XP Fixer\How to Register Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Advanced XP Fixer\License Agreement.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Advanced XP Fixer\Register Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Advanced XP Fixer\Uninstall.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPFixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINNT\Desktop\AXPFixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael Campora.MICHAEL\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.



DDS (Version 1.0) - NTFSx86
Run by Michael Campora at 9:56:51.10 on Sat 11/29/2008
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1535.1245 [GMT -6:00]

============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\acoustic.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\DOCUME~1\MICHAE~1.MIC\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://wwww.yahoo.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: {8E718888-423F-11D2-876E-00A0C9082467} - c:\winnt\system32\msdxm.ocx
uRun: [<NO NAME>]
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic professional 6\SMSystemAnalyzer.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SystemTray] SysTray.Exe
mRun: [TBTray] acoustic.exe
mRun: [Launcher] aelaunch.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [D-Link Air Utility] c:\program files\d-link\air utility\AirCFG.exe
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\kasper~1.lnk - c:\program files\kaspersky lab\kaspersky anti-hacker\KAVPF.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: NoDispScrSavPage = 0 (0x0)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim 2004\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\partygaming\partypoker\RunApp.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim 2004\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\partygaming\partypoker\RunApp.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: %SystemRoot%\system32\msafd.dll
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - c:\winnt\system32\msdxm.ocx
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ATINotify - logonnfy.dll
SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - c:\winnt\system32\NETSHELL.dll

============= SERVICES / DRIVERS ===============

R0 Klpf;Klpf;c:\winnt\system32\drivers\Klpf.sys [2005-8-4 25139]
R0 Klpid;Klpid;c:\winnt\system32\drivers\Klpid.sys [2005-8-4 31862]
R0 NaiFsRec;NaiFsRec;c:\winnt\system32\drivers\NaiFsRec.sys [2001-4-30 4512]
R2 AvSynMgr;AVSync Manager;"c:\program files\network associates\virusscan\Avsynmgr.exe" [2001-4-30 155665]
R2 NIOC;NIOC Service;\??\c:\winnt\system32\NIOC.SYS [2002-9-27 22912]
R2 WZCBDLService;WZCBDL Service;c:\program files\wzcbdl service\WZCBDLS.exe [2002-3-19 36864]
R3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\winnt\system32\drivers\NETR33X.SYS [2006-7-7 158976]
R3 tbHD;Philips Acoustic Edge WDM Driver;c:\winnt\system32\drivers\TBirdHD.sys [2008-11-28 366987]
R3 TBhdgame;Philips Acoustic Edge GamePort;c:\winnt\system32\drivers\TBhdgame.sys [2008-11-28 11182]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-7-7 49776]
S1 sglfb;sglfb; []
S1 tga;tga; []
S3 sysrest.sys;sysrest.sys;\??\c:\winnt\system32\sysrest.sys []
S4 aic116x;aic116x; []
S4 ami0nt;ami0nt; []
S4 cpqarry2;cpqarry2; []
S4 cpqfcalm;cpqfcalm; []
S4 cpqfws2e;cpqfws2e; []
S4 deckzpsx;deckzpsx; []
S4 Fd16_700;Fd16_700; []
S4 fireport;fireport; []
S4 flashpnt;flashpnt; []
S4 ipsraidn;ipsraidn; []
S4 lp6nds35;lp6nds35; []
S4 Ncrc710;Ncrc710; []
S4 ql2100;ql2100; []
S4 ultra66;ultra66; []

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2008-11-29 09:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_30c.dat
2008-11-29 09:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_52c.dat
2008-11-29 09:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_464.dat
2008-11-28 16:03 16,384 a------t c:\winnt\system32\Perflib_Perfdata_164.dat
2008-11-28 14:54 <DIR> a-d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2008-11-28 14:32 11,182 a----r-- c:\winnt\system32\drivers\tbhdgame.sys
2008-11-28 14:32 3,988 a----r-- c:\winnt\system32\edcoinst.dll
2008-11-28 14:20 61,440 a----r-- c:\winnt\acoustic.exe
2008-11-28 14:20 36,864 a----r-- c:\winnt\system32\pkmeter.dll
2008-11-28 14:20 35,328 a----r-- c:\winnt\aelaunch.exe
2008-11-28 14:20 28,672 a----r-- c:\winnt\system32\drvtb32.dll
2008-11-28 14:20 10,047,488 a----r-- c:\winnt\system32\acoustic.cpl
2008-11-28 14:20 49,152 a----r-- c:\winnt\system32\hduninst.exe
2008-11-28 14:20 7,779 a----r-- c:\winnt\system32\tbirdhd.pch
2008-11-28 14:20 6,050,222 a----r-- c:\winnt\system32\tbirdHD.dls
2008-11-28 14:20 366,987 a----r-- c:\winnt\system32\drivers\TBirdHD.sys
2008-11-28 14:20 21,264 a------- c:\winnt\system32\wdmaud.drv
2008-11-28 14:20 148,208 ac------ c:\winnt\system32\dllcache\portcls.sys
2008-11-28 14:20 148,208 a------- c:\winnt\system32\drivers\portcls.sys
2008-11-28 11:12 <DIR> --d----- c:\docume~1\michae~1.mic\applic~1\Malwarebytes
2008-11-28 11:12 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2008-11-28 11:12 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2008-11-28 11:12 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2008-11-28 11:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 11:02 1,433 a------- c:\winnt\SysMech6.INI
2008-11-27 22:51 <DIR> --d----- c:\program files\Trend Micro
2008-11-27 20:31 406 a------- c:\winnt\system32\ioloBootDefrag.cfg
2008-11-27 20:26 <DIR> --d----- c:\program files\common files\Kaspersky Lab
2008-11-27 20:26 <DIR> --d----- c:\program files\Kaspersky Lab
2008-11-27 20:25 9,341 a------- c:\winnt\system32\drivers\filedisk.sys
2008-11-27 20:25 1,211,904 a------- c:\winnt\system32\Incinerator.dll
2008-11-27 20:25 41,472 a------- c:\winnt\system32\iolobtdfg.exe
2008-11-27 20:25 25,264 a------- c:\winnt\system32\smrgdf.exe
2008-11-27 20:24 <DIR> a-d----- c:\program files\iolo

==================== Find3M ====================

2008-11-28 16:01 <DIR> a-d----- c:\program files\Spybot - Search & Destroy
2008-11-28 15:58 <DIR> a-d----- c:\program files\Security Toolbar
2008-11-27 20:49 <DIR> --d----- c:\program files\LimeWire
2008-09-14 23:13 1,644,432 a------- c:\winnt\system32\WIN32K.SYS
2008-09-08 02:14 1,121,280 a------- c:\winnt\system32\msxml3.dll
2008-06-10 17:28 <DIR> --d----- c:\docume~1\michae~1.mic\applic~1\Syntrillium
2006-12-27 02:10 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\ATI MMC
2006-07-07 18:41 <DIR> --d----- c:\docume~1\michae~1.mic\applic~1\ATI MMC
2006-07-06 23:58 <DIR> --d----- c:\docume~1\michae~1.mic\applic~1\InterTrust

============= FINISH: 9:57:06.95 ===============

Attached Files



#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 29 November 2008 - 11:45 AM

IMPORTANT!: Please create a fresh Restore Point before proceeding with our fix. Please visit this webpage if you do not know how.

If you are using Windows Vista, please visit this webpage for more information.




NEXT


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
For detailed instructions on how to back up the registry via ERUNT, please visit HERE




NEXT


Please download OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked.
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    sglfb
    tga
    sysrest.sys
    aic116x
    ami0nt
    cpqarry2
    cpqfcalm
    cpqfws2e
    deckzpsx
    Fd16_700
    fireport
    flashpnt
    ipsraidn
    lp6nds35
    Ncrc710
    ql2100
    ultra66
    
    :files
    c:\winnt\system32\sysrest.sys
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Run DDS once again. Post me these logs in your next reply:

1. OTMoveIt3
2. ESET Online Scanner
3. A fresh DDS.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

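The `:services` list in the OTMoveIt3 script above is exactly the set of entries in the earlier DDS log whose trailing bracket is empty, that is, service/driver registry entries whose image file DDS could not find on disk. As an added example (not part of this post, and not code from the DDS or OTMoveIt tools), the Python below parses that DDS section and flags such orphaned entries; it assumes the bracket normally holds the image file's "[date size]" and is empty when the file is missing, and that the digit after R/S is the Windows service Start value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Example DDS "SERVICES / DRIVERS" lines (copied from the log posted above):
#   R0 Klpf;Klpf;c:\winnt\system32\drivers\Klpf.sys [2005-8-4 25139]
#   S1 sglfb;sglfb; []
# Assumed layout (DDS does not document it): state letter (R running / S stopped),
# start-type digit, service name, display name, image path, then "[date size]" of
# the image file, which DDS leaves empty when the file is not found on disk.
_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*"
    r"\[(?P<meta>[^\]]*)\]\s*$"
)

# Windows service Start values (assumed to be what the digit encodes).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start: str
    image: Optional[str]   # None when the registry entry carries no ImagePath
    file_found: bool       # False when DDS reported no [date size] for the image


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for headers and blanks."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    image = m.group("image").strip().strip('"')
    return ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        running=m.group("state") == "R",
        start=START_TYPES.get(m.group("start"), "unknown"),
        image=image or None,
        file_found=m.group("meta").strip() != "",
    )


def parse_section(text: str) -> List[ServiceEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def orphaned(entries: List[ServiceEntry]) -> List[str]:
    """Names of service entries whose driver file DDS could not find on disk.

    These are registry leftovers (or a path to a file that no longer exists);
    nothing can load from them, which is why a cleanup script lists them for removal.
    """
    return [e.name for e in entries if not e.file_found]


def otmoveit_services_block(names: List[str]) -> str:
    """Render the names as the ':services' block OTMoveIt3 expects."""
    return "\n".join([":services", *names])


# Constructed sample: a subset of the DDS section posted earlier in this thread.
SAMPLE = r"""
============= SERVICES / DRIVERS ===============

R0 Klpf;Klpf;c:\winnt\system32\drivers\Klpf.sys [2005-8-4 25139]
R2 AvSynMgr;AVSync Manager;"c:\program files\network associates\virusscan\Avsynmgr.exe" [2001-4-30 155665]
R2 NIOC;NIOC Service;\??\c:\winnt\system32\NIOC.SYS [2002-9-27 22912]
S1 sglfb;sglfb; []
S1 tga;tga; []
S3 sysrest.sys;sysrest.sys;\??\c:\winnt\system32\sysrest.sys []
S4 aic116x;aic116x; []
S4 ami0nt;ami0nt; []
S4 cpqarry2;cpqarry2; []
S4 cpqfcalm;cpqfcalm; []
S4 cpqfws2e;cpqfws2e; []
S4 deckzpsx;deckzpsx; []
S4 Fd16_700;Fd16_700; []
S4 fireport;fireport; []
S4 flashpnt;flashpnt; []
S4 ipsraidn;ipsraidn; []
S4 lp6nds35;lp6nds35; []
S4 Ncrc710;Ncrc710; []
S4 ql2100;ql2100; []
S4 ultra66;ultra66; []
"""

if __name__ == "__main__":
    entries = parse_section(SAMPLE)
    for e in entries:
        flag = "ok" if e.file_found else "ORPHAN"
        print(f"{flag:6} {e.name:12} start={e.start:8} image={e.image}")
    print(otmoveit_services_block(orphaned(entries)))
```

Run against the full DDS log it reproduces the 17 names in the helper's script; entries with a path but an empty bracket (sysrest.sys here) deserve a second look, since a service pointing at a file that has since been deleted is also what a partially removed rogue leaves behind.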

#7 cajunsaint

cajunsaint
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 29 November 2008 - 02:44 PM

move it log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service sglfb stopped successfully.
Service sglfb deleted successfully.
Service tga stopped successfully.
Service tga deleted successfully.
Service sysrest.sys stopped successfully.
Service sysrest.sys deleted successfully.
Service aic116x stopped successfully.
Service aic116x deleted successfully.
Service ami0nt stopped successfully.
Service ami0nt deleted successfully.
Service cpqarry2 stopped successfully.
Service cpqarry2 deleted successfully.
Service cpqfcalm stopped successfully.
Service cpqfcalm deleted successfully.
Service cpqfws2e stopped successfully.
Service cpqfws2e deleted successfully.
Service deckzpsx stopped successfully.
Service deckzpsx deleted successfully.
Service Fd16_700 stopped successfully.
Service Fd16_700 deleted successfully.
Service fireport stopped successfully.
Service fireport deleted successfully.
Service flashpnt stopped successfully.
Service flashpnt deleted successfully.
Service ipsraidn stopped successfully.
Service ipsraidn deleted successfully.
Service lp6nds35 stopped successfully.
Service lp6nds35 deleted successfully.
Service Ncrc710 stopped successfully.
Service Ncrc710 deleted successfully.
Service ql2100 stopped successfully.
Service ql2100 deleted successfully.
Service ultra66 stopped successfully.
Service ultra66 deleted successfully.
========== FILES ==========
File/Folder c:\winnt\system32\sysrest.sys not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\MICHAE~1.MIC\LOCALS~1\Temp\BCG3.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11292008_123202

Files moved on Reboot...
File C:\DOCUME~1\MICHAE~1.MIC\LOCALS~1\Temp\BCG3.tmp not found!

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3650 (20081128)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=dff0b0c23d63cb499cd619daf3632c89
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-29 07:32:49
# local_time=2008-11-29 01:32:49 (-0600, Central Standard Time)
# country="United States"
# osver=5.0.2195 NT Service Pack 4
# scanned=164646
# found=8
# scan_time=2620
C:\Documents and Settings\Michael Campora\Local Settings\Temporary Internet Files\Content.IE5\0R2TCDSX\assisass[1].html JS/TrojanDownloader.Agent.AB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Michael Campora.MICHAEL\Shared\01 Track 1.wma WMA/TrojanDownloader.Wimad.K trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\AIM 2004\Install_AIM.exe Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Program Files\AIM 2004\Install_AIM.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AIM 2004\Install_AIM.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AIM 2004\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Program Files\AIM 2004\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application (unable to clean - deleted) 00000000000000000000000000000000

DDS.txt:

DDS (Version 1.0) - NTFSx86
Run by Michael Campora at 13:39:00.04 on Sat 11/29/2008
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1535.979 [GMT -6:00]

============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\notepad.exe
C:\WINNT\acoustic.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rundll32.exe
C:\DOCUME~1\MICHAE~1.MIC\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://wwww.yahoo.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: {8E718888-423F-11D2-876E-00A0C9082467} - c:\winnt\system32\msdxm.ocx
uRun: [<NO NAME>]
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic professional 6\SMSystemAnalyzer.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SystemTray] SysTray.Exe
mRun: [TBTray] acoustic.exe
mRun: [Launcher] aelaunch.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [D-Link Air Utility] c:\program files\d-link\air utility\AirCFG.exe
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\kasper~1.lnk - c:\program files\kaspersky lab\kaspersky anti-hacker\KAVPF.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: NoDispScrSavPage = 0 (0x0)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim 2004\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\partygaming\partypoker\RunApp.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim 2004\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\partygaming\partypoker\RunApp.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: %SystemRoot%\system32\msafd.dll
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - c:\winnt\system32\msdxm.ocx
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ATINotify - logonnfy.dll
SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - c:\winnt\system32\NETSHELL.dll

============= SERVICES / DRIVERS ===============

R0 Klpf;Klpf;c:\winnt\system32\drivers\Klpf.sys [2005-8-4 25139]
R0 Klpid;Klpid;c:\winnt\system32\drivers\Klpid.sys [2005-8-4 31862]
R0 NaiFsRec;NaiFsRec;c:\winnt\system32\drivers\NaiFsRec.sys [2001-4-30 4512]
R2 AvSynMgr;AVSync Manager;"c:\program files\network associates\virusscan\Avsynmgr.exe" [2001-4-30 155665]
R2 NIOC;NIOC Service;\??\c:\winnt\system32\NIOC.SYS [2002-9-27 22912]
R2 WZCBDLService;WZCBDL Service;c:\program files\wzcbdl service\WZCBDLS.exe [2002-3-19 36864]
R3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\winnt\system32\drivers\NETR33X.SYS [2006-7-7 158976]
R3 tbHD;Philips Acoustic Edge WDM Driver;c:\winnt\system32\drivers\TBirdHD.sys [2008-11-28 366987]
R3 TBhdgame;Philips Acoustic Edge GamePort;c:\winnt\system32\drivers\TBhdgame.sys [2008-11-28 11182]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-7-7 49776]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2008-11-29 12:48 <DIR> --d----- c:\program files\EsetOnlineScanner
2008-11-29 12:37 16,384 a------t c:\winnt\system32\Perflib_Perfdata_318.dat
2008-11-29 12:37 16,384 a------t c:\winnt\system32\Perflib_Perfdata_52c.dat
2008-11-29 12:37 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4e8.dat
2008-11-29 12:32 <DIR> --d----- C:\_OTMoveIt
2008-11-28 16:03 16,384 a------t c:\winnt\system32\Perflib_Perfdata_164.dat
2008-11-28 14:54 <DIR> a-d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2008-11-28 14:32 11,182 a----r-- c:\winnt\system32\drivers\tbhdgame.sys
2008-11-28 14:32 3,988 a----r-- c:\winnt\system32\edcoinst.dll
2008-11-28 14:20 61,440 a----r-- c:\winnt\acoustic.exe
2008-11-28 14:20 36,864 a----r-- c:\winnt\system32\pkmeter.dll
2008-11-28 14:20 35,328 a----r-- c:\winnt\aelaunch.exe
2008-11-28 14:20 28,672 a----r-- c:\winnt\system32\drvtb32.dll
2008-11-28 14:20 10,047,488 a----r-- c:\winnt\system32\acoustic.cpl
2008-11-28 14:20 49,152 a----r-- c:\winnt\system32\hduninst.exe
2008-11-28 14:20 7,779 a----r-- c:\winnt\system32\tbirdhd.pch
2008-11-28 14:20 6,050,222 a----r-- c:\winnt\system32\tbirdHD.dls
2008-11-28 14:20 366,987 a----r-- c:\winnt\system32\drivers\TBirdHD.sys
2008-11-28 14:20 21,264 a------- c:\winnt\system32\wdmaud.drv
2008-11-28 14:20 148,208 ac------ c:\winnt\system32\dllcache\portcls.sys
2008-11-28 14:20 148,208 a------- c:\winnt\system32\drivers\portcls.sys
2008-11-28 11:12 <DIR> --d----- c:\docume~1\michae~1.mic\applic~1\Malwarebytes
2008-11-28 11:12 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2008-11-28 11:12 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2008-11-28 11:12 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2008-11-28 11:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 11:02 1,433 a------- c:\winnt\SysMech6.INI
2008-11-27 22:51 <DIR> --d----- c:\program files\Trend Micro
2008-11-27 20:31 406 a------- c:\winnt\system32\ioloBootDefrag.cfg
2008-11-27 20:26 <DIR> --d----- c:\program files\common files\Kaspersky Lab
2008-11-27 20:26 <DIR> --d----- c:\program files\Kaspersky Lab
2008-11-27 20:25 9,341 a------- c:\winnt\system32\drivers\filedisk.sys
2008-11-27 20:25 1,211,904 a------- c:\winnt\system32\Incinerator.dll
2008-11-27 20:25 41,472 a------- c:\winnt\system32\iolobtdfg.exe
2008-11-27 20:25 25,264 a------- c:\winnt\system32\smrgdf.exe
2008-11-27 20:24 <DIR> a-d----- c:\program files\iolo

==================== Find3M ====================

2008-11-29 13:00 <DIR> a-d----- c:\program files\AIM 2004
2008-11-28 16:01 <DIR> a-d----- c:\program files\Spybot - Search & Destroy
2008-11-28 15:58 <DIR> a-d----- c:\program files\Security Toolbar
2008-11-27 20:49 <DIR> --d----- c:\program files\LimeWire
2008-09-14 23:13 1,644,432 a------- c:\winnt\system32\WIN32K.SYS
2008-09-08 02:14 1,121,280 a------- c:\winnt\system32\msxml3.dll
2008-06-10 17:28 <DIR> --d----- c:\docume~1\michae~1.mic\applic~1\Syntrillium
2006-12-27 02:10 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\ATI MMC
2006-07-07 18:41 <DIR> --d----- c:\docume~1\michae~1.mic\applic~1\ATI MMC
2006-07-06 23:58 <DIR> --d----- c:\docume~1\michae~1.mic\applic~1\InterTrust

============= FINISH: 13:39:30.95 ===============

#8 fenzodahl512 (Members, 6,738 posts)

Posted 29 November 2008 - 06:48 PM

Looks good to me.. Just a little bit more..

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.


Then run HijackThis again and post me the log here.. How is your computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
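The fix above targets a single O20 entry whose DLL is reported as "(file missing)". Winlogon Notify packages are loaded into winlogon.exe (running as SYSTEM) at logon, so a dangling entry is worth removing even when it is just debris from an uninstalled driver, and the same kind of check applies to other HijackThis sections: Run values that name a bare executable (resolved through the search path) and services whose binary carries no publisher name. The script below is an added example, not part of the thread or of HijackThis itself; it triages HijackThis 2.0.2 lines with those heuristics. The sample lines are constructed for the example, modelled on the format of the logs in this thread, and the reason codes and helper names are the example's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (not the thread's own log): a few HijackThis 2.0.2 lines in
# the same format as the logs above, covering Run values, Winlogon Notify entries
# and services.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [Launcher] aelaunch.exe
O4 - HKLM\\..\\Run: [ATICCC] "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe" runtime
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: AtiExtEvent - C:\\WINNT\\system32\\Ati2evxx.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINNT\\system32\\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINNT\\system32\\LEXBCES.EXE
"""

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_TARGET_RE = re.compile(r"\] (.+)$")                 # text after "[ValueName] "
NOTIFY_DLL_RE = re.compile(r"Winlogon Notify: [^-]+ - (\S+)")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O20"
    reason: str    # short code, see triage()
    line: str      # the log line that triggered it


def has_directory(command: str) -> bool:
    """True when the first token of a command line carries a directory component."""
    return "\\" in command.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Flag HijackThis entries worth a second look.

    Rules (heuristics, none of them proof of infection):
      file-missing           the entry points at a file that no longer exists:
                             a leftover from a removed program or a dead autorun
      bare-run-target        a Run value names a bare exe, so it is resolved via
                             the search path and can be shadowed by a same-named
                             file earlier in that path
      bare-notify-dll        a Winlogon Notify package given without a full path;
                             these DLLs load inside winlogon.exe, as SYSTEM, at logon
      unknown-owner-service  HijackThis found no company name in the service
                             binary's version info (legitimate for some vendors,
                             but worth a hash lookup)
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()

        if "(file missing)" in rest:
            findings.append(Finding(section, "file-missing", line))

        if section == "O4":
            t = RUN_TARGET_RE.search(rest)
            if t and not has_directory(t.group(1).strip()):
                findings.append(Finding(section, "bare-run-target", line))

        elif section == "O20":
            d = NOTIFY_DLL_RE.search(rest)
            if d and "\\" not in d.group(1):
                findings.append(Finding(section, "bare-notify-dll", line))

        elif section == "O23" and " - Unknown owner - " in rest:
            findings.append(Finding(section, "unknown-owner-service", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason code."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:<4} {f.reason:<22} {f.line}")
    print(summarize(results))
```

Run against the constructed sample, the script flags the ATINotify entry twice (missing file and bare DLL name), the two bare-filename Run values, and the "Unknown owner" service; the ATI Smart service is legitimate on this machine, which is the point of the docstring's caveat: these codes tell you where to look, not what to delete.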


#9 cajunsaint (Topic Starter, Members, 11 posts)

Posted 29 November 2008 - 09:11 PM

I think everything is like it should be.
My son still wants to run Limewire so we're in a battle over all the time and effort it took to get it back to normal.
One question I did have is the malware scan indicated that it quarantined and deleted the infected files. When I view the log it shows them as only being quarantined. There is a button to delete the checked files. Should I delete them?
I really appreciate your time and help.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:45 PM, on 11/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\acoustic.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwww.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TBTray] acoustic.exe
O4 - HKLM\..\Run: [Launcher] aelaunch.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM 2004\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152276486781
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 6162 bytes

#10 fenzodahl512 (Members, 6,738 posts)

Posted 29 November 2008 - 09:26 PM

Err.. about your son and LimeWire, I just leave it to you.. :)



One question I did have is the malware scan indicated that it quarantined and deleted the infected files. When I view the log it shows them as only being quarantined. There is a button to delete the checked files. Should I delete them?


What program do you use? Is it Malwarebytes'? Well, yes, delete all malware that it found :thumbsup:


Let's do this....


Now for some cleanup..
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Lastly, to keep your operating system up to date please visit the link below monthly.

Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#11 cajunsaint (Topic Starter, Members, 11 posts)

Posted 30 November 2008 - 04:15 PM

Thanks 512
I sent the computer back with my son. He is very happy to have it working again.
I also copied the links you referenced. As far as Limewire is concerned, I left him with this proposition. He should not ever use this computer for financial transactions and if he installs Limewire again and it becomes infected he can spend his weekend cleaning it.

#12 fenzodahl512 (Members, 6,738 posts)

Posted 30 November 2008 - 09:17 PM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please pm me or Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512





