
Torrent.exe And Wildtangent Wtvh.dll Plus Other Files


3 replies to this topic

#1 Psuf26

  • Members
  • 8 posts

Posted 04 April 2007 - 07:24 AM

Ad-Aware and S&D keep finding items and removing them from system32 and System Volume Information,

but they reappear on the next start-up.

When I open any internet browser, BitDefender blocks either torrent.exe or trojan.exe from connecting.

The internet connection then goes down, but the actual connection in network settings is shown as connected.

Logfile of HijackThis v1.99.1
Scan saved at 21:12:18, on 03/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\exploror.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\TV Capture Card\RecSche.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\WINDOWS\system32\torrent.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\TV Capture Card\RecSche.exe /Startup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [System Support] torrent.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [System Support] torrent.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [System Support] torrent.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37710.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup141.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System - Unknown owner - C:\WINDOWS\exploror.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
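A defender's triage pass over a log like the one above, written as an added example (not from this thread, nor from HijackThis or SDFix): it parses O4 autorun, O23 service and F1 win.ini lines and flags the patterns this log shows, an autorun entry with a bare file name, the same entry repeated across HKLM Run, RunServices and HKCU Run, an "Unknown owner" service living in the Windows root, and a file name one character away from a core Windows binary. The sample lines are a constructed subset of the posted log and the rule names are my own.

```python
"""Triage a HijackThis v1.99 log for autorun and service entries that deserve
a second look. Added example; the rules and names below are assumptions."""
import re
from collections import defaultdict

# Constructed sample: eight lines copied from the log posted above, enough to
# exercise every rule below.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [System Support] torrent.exe
O4 - HKLM\..\RunServices: [System Support] torrent.exe
O4 - HKCU\..\Run: [System Support] torrent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System - Unknown owner - C:\WINDOWS\exploror.exe
F1 - win.ini: run=fntldr.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
EXE_RE = re.compile(r'^"?([^"]*?\.(?:exe|dll|com|bat|scr))', re.IGNORECASE)

# Core Windows binaries whose names malware commonly imitates.
CORE_BINARIES = ("explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable(command):
    """Program a HijackThis command field launches, quotes and arguments removed."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip().split(" ")[0].strip('"')


def lookalike(path):
    """Core Windows binary this file name imitates (distance 1), or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    for core in CORE_BINARIES:
        if name != core and edit_distance(name, core) == 1:
            return core
    return None


def triage(log_text):
    """Return a list of (rule, detail) findings for a HijackThis log."""
    findings = []
    seen = defaultdict(list)  # (entry name, executable) -> autorun locations
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = executable(command)
            seen[(name.lower(), exe.lower())].append(f"{hive}\\{key}")
            if "\\" not in exe:
                # No directory given: Windows resolves it via the PATH search order.
                findings.append(("bare-filename-autorun", line))
            if lookalike(exe):
                findings.append(("lookalike-binary", line))
            continue
        m = O23_RE.match(line)
        if m:
            _service, owner, path = m.groups()
            exe = executable(path)
            parent = exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""
            if owner.lower() == "unknown owner" and parent.endswith("\\windows"):
                # Service binaries normally sit under system32 or Program Files.
                findings.append(("unknown-owner-service-in-windows-root", line))
            if lookalike(exe):
                findings.append(("lookalike-binary", line))
            continue
        if line.startswith("F1 - win.ini: run="):
            # The legacy win.ini run= line is rarely used by modern software.
            findings.append(("legacy-win-ini-run", line))
    for (name, exe), locations in seen.items():
        if len(set(locations)) > 1:
            # Redundant registration across keys is typical of malware persistence.
            findings.append(("same-entry-in-multiple-autorun-keys",
                             f"[{name}] {exe} in {', '.join(sorted(set(locations)))}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:40} {detail}")
```

Bare file names are also used by legitimate vendors (nwiz.exe above), so treat that rule as a prompt to check the file's location and signer, and the multi-key and look-alike rules as the stronger signals.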


#2 jurgenv

  • Members
  • 1,093 posts
  • Location:Belgium

Posted 05 April 2007 - 04:42 PM

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

Greets Jürgenv


#3 Psuf26
  • Topic Starter

  • Members
  • 8 posts

Posted 09 April 2007 - 11:45 AM

Done, and my internet seems to be working. So firstly, thank you. Is everything clean now?

Report

SDFix: Version 1.77

Run by Pumba - 09/04/2007 - 15:50:02.51

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
system
trojan.exe

ImagePath:
"C:\WINDOWS\exploror.exe"
"C:\WINDOWS\trojan.exe"

system - Deleted
trojan.exe - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Pumba\LOCALS~1\Temp\ICD1.tmp\Yahoo! Poker.osd - Deleted
C:\U.exe - Deleted
C:\WINDOWS\exploror.exe - Deleted
C:\WINDOWS\system32\torrent.exe - Deleted



ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Star Wars: Empire at War"
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"="C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat:*:Enabled:The Battle for Middle-earth™ II"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Canon\MP Navigator 2.0\uinstrsc.dll
C:\Program Files\Canon\MP Navigator 2.0\Maint.exe
C:\Program Files\InterActual\InterActual Player\iti13.tmp

Finished

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 17:43:03, on 09/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\TV Capture Card\RecSche.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
c:\program files\softwin\bitdefender10\bdmcon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\TV Capture Card\RecSche.exe /Startup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37710.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup141.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
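As an added example (not part of this thread, of HijackThis, or of any BleepingComputer tooling), the Python script below shows the first-pass triage a reviewer applies to a log like the one above: it parses the Rx/Fx/Oxx item lines, pulls the executable path out of each Run entry, and attaches review flags. The sample log is a constructed subset of lines copied from the log above; the flag names, the list of system directories and the heuristics are my own assumptions. A flag is a prompt for manual review, not a verdict: legitimate items such as ctfmon.exe or a vendor service with no publisher string will trip them as well.

```python
"""Triage of HijackThis log lines: parse each item and attach review flags.

Added example for this thread; not part of HijackThis itself.
Flags mark entries for a human to look at; they are not malware verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
"""

# "O4 - <body>": section code, " - ", rest of the line.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry Run entries: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First drive-rooted path ending in a PE extension, optionally quoted.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)
# Assumed set of directories where an unfamiliar autostart deserves a second look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}


@dataclass
class Entry:
    section: str                 # HijackThis section code, e.g. O4, O23
    body: str                    # everything after "O4 - "
    path: Optional[str] = None   # executable path, when one could be extracted
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """One Entry per item line; the header and the running-process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def extract_path(cmd: str) -> Optional[str]:
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def in_system_dir(path: str) -> bool:
    parent = path.lower().rsplit("\\", 1)[0]
    return parent in SYSTEM_DIRS


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags in place and return the same list."""
    for e in entries:
        if "(file missing)" in e.body or "(no file)" in e.body:
            e.flags.append("dangling-reference")      # points at a file not on disk
        if e.section == "O23" and "Unknown owner" in e.body:
            e.flags.append("unknown-owner")           # service binary carries no publisher
        if e.section == "F1":
            e.flags.append("legacy-ini-autostart")    # win.ini run=/load= is rarely used legitimately
        if e.section in ("R0", "R1") and e.body.rstrip().endswith("about:blank"):
            e.flags.append("ie-setting-blank")        # blanked IE defaults: common hijacker residue
        if e.section == "O4":
            m = RUN_RE.match(e.body)
            if m:
                e.path = extract_path(m.group("cmd"))
                if e.path and in_system_dir(e.path):
                    e.flags.append("system-dir-autostart")
    return entries


def triage_log(text: str) -> List[Entry]:
    return triage(parse_log(text))


def flagged(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each flagged entry's body to its flags, for reporting."""
    return {e.body: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for body, flags in flagged(triage_log(SAMPLE_LOG)).items():
        print(f"{', '.join(flags):>40}  {body}")
```

Run as-is it prints the flagged sample entries; pass a whole saved log to triage_log() to do the same for a real file. The items a helper would single out from the log above (the win.ini run= line, the BHO and toolbar with no file, msmc.exe sitting in system32, the about:blank IE settings) all surface, together with benign entries such as ctfmon.exe that a reviewer then discards.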

#4 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • Gender:Male
  • Location:Belgium
  • Local time:05:44 PM

Posted 09 April 2007 - 11:57 AM

* Please remove these entries from Add/Remove Programs in the Control Panel (if present):
To do this, click 'Start' then 'Control Panel', then double-click on Add/Remove Programs.
MediaGateway

* Please open hijackthis and put a check next to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* Please delete these folders using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click Delete
C:\Program Files\MediaGateway

* Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\msmc.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
    This will move the file to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because it is possible that files in use will only be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply, together with a new HijackThis log.

Greets Jürgenv

Donation: Click me.
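The Killbox step above asks to be told if a PendingFileRenameOperations prompt appears. That prompt refers to the mechanism "Delete on Reboot" tools rely on: the request is recorded in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and Session Manager carries it out early in the next boot, before the file can be locked again. As an added example (not Killbox's or Microsoft's code), the Python below decodes that value so you can see what is already queued before adding to it. The decoder follows the documented MoveFileEx layout (source/destination string pairs, NT-style \??\ paths, empty destination meaning delete, a leading "!" on the destination meaning replace-existing); the sample value is constructed, and the Example\new.dll rename in it is invented for illustration. The live-read helper only does anything on Windows.

```python
"""Decode the PendingFileRenameOperations queue used by delete-on-reboot tools.

Added example for this thread; not part of Killbox or Windows.
"""
import sys
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"   # NT object-manager form in which the paths are stored


@dataclass(frozen=True)
class PendingOp:
    source: str
    destination: Optional[str]   # None means the source is deleted at boot
    replace_existing: bool       # destination carried the "!" prefix

    @property
    def is_delete(self) -> bool:
        return self.destination is None


def strip_nt_prefix(p: str) -> str:
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def decode_pending_ops(values: List[str]) -> List[PendingOp]:
    """Turn the raw REG_MULTI_SZ strings into (source, destination) operations."""
    items = list(values)
    # A trailing empty string is just the REG_MULTI_SZ terminator some readers keep.
    if len(items) % 2 == 1 and items[-1] == "":
        items.pop()
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations has an odd number of entries")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append(PendingOp(strip_nt_prefix(src), strip_nt_prefix(dst) or None, replace))
    return ops


def read_pending_ops() -> List[str]:
    """Read the live value on Windows; on any other platform there is nothing to read."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, hence the late import
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []          # nothing queued
    return list(value)


# Constructed sample: the thread's msmc.exe queued for deletion, plus an
# invented installer rename (Example\new.dll -> old.dll) to show the "!" form.
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\system32\msmc.exe", "",
    r"\??\C:\Program Files\Example\new.dll", r"!\??\C:\Program Files\Example\old.dll",
]


def describe(ops: List[PendingOp]) -> List[str]:
    lines = []
    for op in ops:
        if op.is_delete:
            lines.append(f"DELETE  {op.source}")
        else:
            mode = "replace" if op.replace_existing else "rename"
            lines.append(f"{mode.upper():7} {op.source} -> {op.destination}")
    return lines


if __name__ == "__main__":
    live = read_pending_ops()
    for line in describe(decode_pending_ops(live or SAMPLE_VALUE)):
        print(line)
```

If the live queue already holds entries you did not put there, that is worth reporting to the helper, as the post asks: it means something else has scheduled file changes for the next boot.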



