
Trojan Virus Detected On My Pc...


18 replies to this topic

#1 joanne_z

joanne_z

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Philippines
  • Local time:12:28 AM

Posted 11 July 2007 - 05:26 PM

Hi there,

I accidentally clicked on a link I was researching, which were poesiasamizades. servebeer.com and h--p://loves-centralcards. servebeer.com ... I am not sure whether these links were the cause of the infection, but upon research I found out that they were malware infections. The thing is, all the websites I come across that know how to handle the virus are in Portuguese (so I couldn't understand...). I think this virus (or malware) came from Brazil actually... and I hope you amazing guys help me..thanks!

I scanned our computer with Kaspersky 7.0.0.119, it detected the following:
1.) Trojan program Trojan-Downloader.BAT.Ftp.ab
File: C:\WINDOWS\system32\i
When 'neutralizing' or disinfecting the file, an error comes up: "File contains Trojan program and cannot be disinfected". Options available are: delete and skip (File will not be changed or deleted).

2.) riskware Trojan.generic found on the following files: C:\WINDOWS\system32\ne1.exe and C:\WINDOWS\system32\ge1.exe. Files were put on Quarantine

3.) "Threat" has also "been detected" on the file C:\WINDOWS\system\msnntlp.exe...file was also put in Quarantine

Upon scanning the files in Quarantine, a new message says, "detected new variant of virus Trojan.Generic" for msnntlp.exe and ge1.exe

OS is Windows XP (SP1, I think). Are these files very essential in running Windows? Since I am not given an option to clean the files, can I delete them from my system without affecting the computer's performance?


I would appreciate any reply. I know how amazing you guys are. Thanks very much!!!
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~


 


#2 joanne_z


Posted 11 July 2007 - 05:37 PM

uhm, i cannot post my most recent HiJack log because it says that mine is the Beta version...I will post the most recent log after downloading the other version when I get home... :thumbsup:
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~

#3 joanne_z


Posted 12 July 2007 - 07:22 PM

Hello again,

I reinstalled HiJackThis and this is the most recent log I have (07/13/2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:20 AM, on 7/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Documents\joanne\polder\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EED1016C-2D18-4E55-88FF-1457222632B2}: NameServer = 202.124.128.2 202.124.128.3
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4604 bytes




I'm sure you guys can help me here coz this site's amazing. One question...do I need to be a computer expert or some sort of computer engineer or programmer to be able to do the things you guys do here (spyware/malware/virus analysis)? I also want to help out those who are having the same problem as I do, although my knowledge in pc's is basic...

Thanks much in advance!!!
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~

#4 Rorschach

Rorschach

  • Members
  • 523 posts
  • OFFLINE
  • Local time:04:28 PM

Posted 20 July 2007 - 04:37 PM

Hello joanne_z, I'm just looking over your log and will get back to you soon.

#5 joanne_z


Posted 20 July 2007 - 08:56 PM

ok thanks very much! i appreciate it
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~

#6 Rorschach


Posted 22 July 2007 - 01:26 PM

Hello joanne

One or more of the items you need to remove is a backdoor application that can allow attackers to access your computer,
stealing passwords, credit card info, and personal data. From a clean computer, change ALL your on-line passwords for
email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
If you do any on-line banking, or store any financial information on this system, you should immediately call
your financial institution and advise them of the situation so you can secure your accounts. Do NOT change passwords
or do any transactions while using the infected computer because the attacker will get the new passwords and
transaction information.

The best course of action to take is to reformat your PC as there are a lot of nasty infections on it that we may not even
be able to fully get rid of for sure. The backdoor application has probably changed many settings and infected a lot of files.

Please read these topics before you make your decision

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

However, if you want to go ahead and try to clean up your PC, let me know and we will get started!

#7 joanne_z


Posted 22 July 2007 - 04:20 PM

hello Rorschach,

For now I would prefer cleaning up the system. As much as possible I wouldn't want to reformat my hard drive since I don't really use the computer for online banking or any high-risk transactions. It is merely for basic word processing and lots of games and music... I would also like to try all means to clean the infection first...and for that I would need help from an expert like u to determine which files to delete or whatever. I don't want my pc crashing or becoming unstable because of deleting some critical component of Windows...

The situation now is this...the files I mentioned are still in quarantine, and yeah, some backdoor Trojans were detected on them. As of now, I have not noticed any major changes in the computer settings or any huge increase in outgoing activities when connecting to the internet. Infections found by Kaspersky Anti-virus 7.0: Backdoor.Win32.SdBot.aad & Backdoor.Win32.SdBot.xd ...files are still in quarantine..

So, yeah, I guess we should try and get started with cleaning up my PC!
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~

#8 Rorschach


Posted 23 July 2007 - 05:58 AM

Hello joanne_z

do I need to be a computer expert or some sort of computer engineer or programmer to be able to do the things you guys do here

No, you do not need to have those skills to become a malware fighter. Speaking for myself, I got into malware fighting after
my original PC was attacked by a nasty virus. Removing that ignited an interest in all areas of PC security, and I
applied here to learn as much as I can and help out people. I'd say a lot of the helpers joined due to similar
circumstances. Have a read of this link here. As long
as you are willing to put in a little elbow grease I'm sure you will do a great job :thumbsup:


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum



Please run HijackThis, click "Do a system scan only" and check these entries if present

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe


Close all windows except for HijackThis and click "Fix checked".



Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\web\related.htm
    C:\WINDOWS\system32\dllcache\ivchost.exe
    C:\WINDOWS\system32\i
    C:\WINDOWS\system32\ne1.exe
    C:\WINDOWS\system32\ge1.exe
    C:\WINDOWS\system\msnntlp.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



Next

Now click on the attachment at the bottom of the page that is called FixService.bat and save it to your desktop. Double click it, a window will open and close, do not be concerned this is normal.



So in your next reply please post the following : the SDFix report, a new HijackThis log, and the OTMoveIt results. Also please tell me how your PC is running and if you had any problems.

Attached Files



#9 joanne_z


Posted 24 July 2007 - 01:21 AM

Hi Rorschach,


I just have a question before I run the scans...The files C:\WINDOWS\system32\dllcache\ivchost.exe and C:\WINDOWS\system32\i were already deleted by another user of the computer, and are in the back-up folder of our anti-virus scanner. Also, the other files are in quarantine. Would the scanners be able to detect them or should I restore the files and then perform the scans?

thanks for all the advice!


Joanne
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~

#10 Rorschach


Posted 24 July 2007 - 02:53 PM

Hello joanne

The files C:\WINDOWS\system32\dllcache\ivchost.exe and C:\WINDOWS\system32\i were already deleted by another user of the computer, and are in the back-up folder of our anti-virus scanner. also, the other files are in quarantine. would the scanners be able to detect them or should i restore the files and then perform the scans?

Yes the scanners will detect them so there is no need to restore the files, you can continue on with all the steps.

#11 joanne_z


Posted 26 July 2007 - 03:12 AM

Hello Rorschach,

sorry for the slow reply. here are the results:


SDFix: Version 1.94

Run by JZ on Thu 07/26/2007 at 03:46 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\SYSTEM32\NE1.EXE - Deleted
C:\WINDOWS\system32\.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:


Finished


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:30 PM, on 7/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Documents and Settings\All Users\Documents\joanne\polder\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O15 - Trusted Zone: http://www.francswiss.biz
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3771 bytes
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~

#12 joanne_z


Posted 26 July 2007 - 03:14 AM

C:\WINDOWS\web\related.htm moved successfully.
File/Folder C:\WINDOWS\system32\dllcache\ivchost.exe not found.
File/Folder C:\WINDOWS\system32\i not found.
File/Folder C:\WINDOWS\system32\ne1.exe not found.
File/Folder C:\WINDOWS\system32\ge1.exe not found.
File/Folder C:\WINDOWS\system\msnntlp.exe not found.

Created on 07/26/2007 15:59:32

======

posted them separately coz I'm not sure if all the text will fit into one reply. Hope this fresh HJT log will come out as clean now. Thanks for the help!


Joanne
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~
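The before-and-after comparison a helper does by eye on the two HijackThis logs above, as an added example that is not part of any post in this thread. The function names and the two review heuristics (a process running from `dllcache`, an O23 service listed with "Unknown owner") are assumptions drawn from the entries the helper chose to fix; the log text is a constructed, abridged excerpt of the posted logs.

```python
import re

# Constructed input: abridged excerpts of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\WINDOWS\System32\nvsvc32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O15 - Trusted Zone: http://www.francswiss.biz
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Coded lines look like "O23 - ..." or "R0 - ..."; process lines are bare paths.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_log(text):
    """Return a list of (code, body) items; running processes get the code 'proc'."""
    items, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            items.append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            items.append(("proc", line))
    return items


def flag_for_review(items):
    """Mark items that deserve a closer look. These are prompts, not verdicts."""
    findings = []
    for code, body in items:
        low = body.lower()
        # dllcache is the Windows File Protection cache, not a place programs run from.
        if code == "proc" and "\\dllcache\\" in low:
            findings.append((code, body, "process image runs from dllcache"))
        if code == "O23" and " - unknown owner - " in low:
            findings.append((code, body, "service listed with 'Unknown owner'"))
    return findings


def diff_logs(before, after):
    """Return (removed, added) items between two logs, in log order."""
    old, new = parse_log(before), parse_log(after)
    removed = [item for item in old if item not in new]
    added = [item for item in new if item not in old]
    return removed, added


if __name__ == "__main__":
    for code, body, why in flag_for_review(parse_log(LOG_BEFORE)):
        print(f"REVIEW  {code:4} {why}: {body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for code, body in removed:
        print(f"GONE    {code:4} {body}")
    for code, body in added:
        print(f"NEW     {code:4} {body}")
```

The `NEW` lines matter as much as the `GONE` ones: they show what appeared between the two scans and still needs to be accounted for before the log is called clean.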

#13 Rorschach


Posted 26 July 2007 - 02:19 PM

Hello joanne_z, we are making good progress.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

So in your next reply please post the following : the Dr. Web Cureit report, and tell me how your PC is running now and if you had any problems.

#14 joanne_z


Posted 28 July 2007 - 04:53 AM

Hi Rorschach,

I'm not sure if this is related to what we are doing here...a software called Repair Registry Pro has detected some errors in Windows. Some files (COM/ActiveX Entries, Uninstall Entries, Application Paths, Windows Startup system, File/Path reference), it says, 'contain some valid entries, or refers to one or more missing files. This may be due to an application was installed or uninstalled correctly.' I'm not sure what it means so better ask first before I do anything else...or maybe u have some knowledge about it that u can share...but if this has nothing to do with the procedure we are doing then I'll do the next step right away. :thumbsup:

Again, thanks for the help!

Joanne
Life is simple. You make choices, and you never look back. ~Han, Tokyo Drift~

#15 Rorschach


Posted 28 July 2007 - 05:01 AM

Hello Joanne

I would not worry about that. It could be related to the SDFix we ran, it's hard to say for sure though. You can continue on with the rest of the steps though



