Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved]Got Some Bugs That I Need Help With

Started by Hokuten , Aug 10 2007 08:47 PM

  • This topic is locked This topic is locked
9 replies to this topic

#1 Hokuten

Hokuten

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 10 August 2007 - 08:47 PM

I have an HP pavilion a230n running windows XP.

I've gone through a few online help pages to remove malware, but I don't think I got it all. Just hoping someone here can help me make sure our system is clean.

I've ran Spybot Search and Destroy, Ad-Aware SE Personal. Downloaded and ran AVG Anti-Spyware. I ESET NOD32 running on my machine and its found a few things. And I just got done running a Kaspersky Online Scanner that found some things, but doesn't delete them.

I just downloaded Hijackthis and will provide a log, and I thought I should include the log from Kaspersky Online Scanner.

Any help is greatly appreciated....


Scan saved at 9:44:50 PM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA098C38-E6D2-4D57-B4BF-1C8E0F7013F2}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    Advertisements

Register to Remove

#2 Hokuten

Hokuten

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 10 August 2007 - 08:49 PM

Here is the Kaspersky report Infected Object Name Virus Name Last Action C:\Documents and Settings\xxxxxxApplication Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\cert8.db Object is locked skipped C:\Documents and Settings\xxxxxx\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\formhistory.dat Object is locked skipped C:\Documents and Settings\xxxxxx\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\history.dat Object is locked skipped C:\Documents and Settings\xxxxxx\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\key3.db Object is locked skipped C:\Documents and Settings\xxxxxx\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\parent.lock Object is locked skipped C:\Documents and Settings\xxxxxx\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\search.sqlite Object is locked skipped C:\Documents and Settings\xxxxxxx\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\xxxxxxx\Cookies\index.dat Object is locked skipped C:\Documents and Settings\xxxxxxx\Desktop\SmitfraudFix\Process.exe Object is locked skipped C:\Documents and Settings\xxxxxx\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\xxxxxxx\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\xxxxxxx\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\xxxxxxx\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped C:\Documents and Settings\xxxxxx\Desktop\smitfraudfix_v2.210rr.zip/SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\xxxxxxx\Desktop\smitfraudfix_v2.210rr.zip/SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\xxxxxxx\Desktop\smitfraudfix_v2.210rr.zip/SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\xxxxxxx\Desktop\smitfraudfix_v2.210rr.zip ZIP: infected - 3 skipped C:\Documents and Settings\xxxxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\Application Data\Mozilla\Firefox\Profiles\bm7jeg9i.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\Temp\Perflib_Perfdata_9a8.dat Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\xxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\xxxxxxx\NTUSER.DAT Object is locked skipped C:\Documents and Settings\xxxxxxx\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_340.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped C:\Program Files\ESET\infected\CTKTG4DA.NQF/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.byn skipped C:\Program Files\ESET\infected\CTKTG4DA.NQF/stream Infected: Trojan-Downloader.Win32.Zlob.byn skipped C:\Program Files\ESET\infected\CTKTG4DA.NQF NSIS: infected - 2 skipped C:\Program Files\ESET\infected\CTKTG4DA.NQF PE-Crypt.XorPE: infected - 2 skipped C:\Program Files\ESET\infected\S23XRECA.NQF/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Program Files\ESET\infected\S23XRECA.NQF/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Program Files\ESET\infected\S23XRECA.NQF RarSFX: infected - 2 skipped C:\Program Files\ESET\infected\S23XRECA.NQF PE-Crypt.XorPE: infected - 2 skipped C:\Program Files\ESET\infected\YB4TSUCA.NQF/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Program Files\ESET\infected\YB4TSUCA.NQF/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Program Files\ESET\infected\YB4TSUCA.NQF RarSFX: infected - 2 skipped C:\Program Files\ESET\infected\YB4TSUCA.NQF PE-Crypt.XorPE: infected - 2 skipped C:\Program Files\ESET\logs\virlog.dat Object is locked skipped C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_117.trc Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{46705CDE-E4EA-422B-A5A7-9070787DBB17}\RP347\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped C:\WINDOWS\system32\drivers\sptd6557.sys Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

#3 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 15 August 2007 - 07:25 AM

Hi Hokuten,

I can help you look over your machine :)

The logs don't look too bad, I think you've got rid of most of whatever was on the machine, however please tell me how your machine is running and if you are experiencing any symptoms.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following line:

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab


Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Download Deckard's System Scanner (DSS)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply
Once complete, please post both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you. Also, tell me how your machine is running at the moment.
ASAP & UNITE Member

#4 Hokuten

Hokuten

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 15 August 2007 - 05:59 PM

Sorry, was at work all day. My machine is running considerably better than it was... I think I did get rid of most of the stuff, but I just wanted to make sure. The only thing that I can really notice that is acting a little differently is that Web-browsing is slower than it normally was. I also get more "Page cannot load" screens that I did before. Other than that everything seems to be running well.

here is the main.txt:

Deckard's System Scanner v20070809.63
Run by xxxxxx on 2007-08-15 at 18:48:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as xxxxxxx.exe) ----------------------------------


Scan saved at 6:48:22 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\xxxxxxxDesktop\dss.exe
C:\PROGRA~1\HIJACK~1\KELLYG~1.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA098C38-E6D2-4D57-B4BF-1C8E0F7013F2}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


-- Files created between 2007-07-15 and 2007-08-15 -----------------------------

2007-08-12 21:44:17 0 d-------- C:\WINDOWS\system32\LogFiles
2007-08-11 20:18:53 0 dr-h----- C:\Documents and Settings\xxxxxxx\Recent
2007-08-11 19:37:17 0 d-------- C:\Program Files\RogueRemover FREE
2007-08-11 19:10:14 0 d-------- C:\Program Files\Windows Defender
2007-08-11 18:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-08-10 17:45:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-08-10 17:45:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-08 21:53:24 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-08-08 21:53:24 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-08-08 21:53:24 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-08-08 21:53:24 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-08-08 21:53:24 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-08-08 21:53:24 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-08-08 21:53:24 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-08-08 21:53:24 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-08-08 21:53:24 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-08-08 21:53:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-08-08 21:53:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-08-08 21:53:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-08-08 21:53:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-08-08 21:53:23 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-08-08 21:39:02 0 d-------- C:\Documents and Settings\xxxxxxx\Application Data\Grisoft
2007-08-08 21:38:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-08 21:29:38 2108 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-08 20:52:51 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2007-08-14 18:58:40 0 d-------- C:\Program Files\SpeedFan
2007-08-13 20:06:27 0 d-------- C:\Documents and Settings\xxxxxxxx\Application Data\BitTorrent
2007-08-08 20:56:04 0 d-------- C:\Program Files\StealthBot
2007-08-02 21:49:53 0 d-------- C:\Program Files\ArtMoney
2007-07-20 19:48:51 0 d-------- C:\Program Files\Java
2007-06-29 00:43:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [10/09/2006 02:30 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 12:43 AM]
"nwiz"="nwiz.exe" [06/29/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/19/2006 06:49 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/29/2007 12:43 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 08:56 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-B PCI Adapter Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless-B PCI Adapter Utility.lnk
backup=C:\WINDOWS\pss\Wireless-B PCI Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RunDLL32.exe NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"KBD"=C:\HP\KBD\KBD.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\SETUP.EXE




-- End of Deckard's System Scanner: finished at 2007-08-15 at 18:48:36 ---------





Here is extra.txt:

Deckard's System Scanner v20070809.63
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2800+
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 511.36 MiB / 187.38 MiB
Pagefile Memory (total/avail): 1250.16 MiB / 913.74 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1963.5 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 107.34 GiB total, 75.04 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Fixed (FAT32) - 4.43 GiB total, 0.67 GiB free.
J: is Removable (No Media)
K: is Removable (No Media)
L: is CDROM (CDFS)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Eset NOD32 antivirus system 2.51 v2.51 (Eset)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Documents and Settings\\xxxxxx\\Local Settings\\Temp\\java_ee_sdk-5-windows.exe2\\package\\jre\\bin\\javaw.exe"="C:\\Documents and Settings\\xxxxxxx\\Local Settings\\Temp\\java_ee_sdk-5-windows.exe2\\package\\jre\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"="C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe:*:Enabled:Server"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"="C:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe:*:Enabled:NAVBrowser"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\xxxxxxx\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=xxxxxx
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\xxxxxxx
LOGONSERVER=\\xxxxxxx
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\xxxxxxx~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\xxxxxxx~1\LOCALS~1\Temp
USERDOMAIN=xxxxxx
USERNAME=xxxxxxx
USERPROFILE=C:\Documents and Settings\xxxxxxx
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

xxxxxxx (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
AMD AGP Driver --> C:\PROGRA~1\AMDAGP\UNWISE.EXE /A C:\PROGRA~1\AMDAGP\INSTALL.LOG
AMD CPUInfo --> MsiExec.exe /X{D5E9BD3A-F817-4D07-91CB-8E09A93C8723}
ArtMoney SE v7.22 --> "C:\Program Files\ArtMoney\Uninstall\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitTorrent 5.0.7 --> "C:\Program Files\BitTorrent\uninstall.exe"
Canon CanoScan Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\setup.exe" -l0x9
CanoScan LiDE20,30 Manual --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B360A8E5-C171-4AAE-9777-65B3CDB0072C}\setup.exe" -l0x9
Disciples 2 Gold Gallean --> C:\PROGRA~1\STRATE~1\DISCIP~1\UNWISE.EXE C:\PROGRA~1\STRATE~1\DISCIP~1\INSTALL.LOG
FFXI Parser --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\FFXIParser\ST6UNST.LOG"
FINAL FANTASY XI --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{678F6475-D227-432A-94FF-806178A34520}
FINAL FANTASY XI: Chains of Promathia --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3C0619B4-4A2C-4244-8077-488E420DF907}
FINAL FANTASY XI: Rise of the Zilart --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}
FINAL FANTASY XI: Treasures of Aht Urhgan --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A606C6FF-12E7-40BE-B777-D8F360FF00CD}
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
J2SE Development Kit 5.0 Update 8 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150080}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Development Kit 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160000}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft MSDN 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft MSDN 2005 Express Edition - ENU\install.exe
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Platform SDK (R2) (3790.2075) --> MsiExec.exe /I{9A0ED01E-FD18-457A-AB9C-0835DCDB17BB}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual C++ 2005 Express Edition - ENU\setup.exe
Microsoft Visual C++ 2005 Express Edition - ENU --> MsiExec.exe /X{AB6F4AB9-AC85-4002-9829-B6EEA55AE3A5}
MinGW 5.1.3 --> C:\MinGW\uninst.exe
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 --> "C:\Program Files\Eset\unins000.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NvMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe" -uninstall
OmniPage SE --> MsiExec.exe /I{6249C22D-E6A8-407B-BA8B-40298848ED94}
PlayOnline Viewer and Tetra Master --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{47004155-7376-403E-89E9-4C9F44AAF0D0}
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TeamSpeak 2 Server RC2 --> "C:\Program Files\Teamspeak2_RC2\unins001.exe"
URGE --> MsiExec.exe /X{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AE}
Version 6.7.1 --> "C:\Program Files\FFXIP\unins000.exe"
Warcraft II BNE --> C:\WINDOWS\W2BNEUnin.exe C:\WINDOWS\W2BNEUnin.dat
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{7A837109-E671-470D-B489-F1EBE471D220}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wireless-B PCI Adapter WLAN Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C6956F3-B586-4674-BCD0-CCF7EC1DF766}\Setup.exe" -l0x9
XviD 1.1 final uninstall --> "C:\Program Files\XviD\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event ID #1414: Error
Event Submitted/Written: 08/13/2007 07:35:31 PM
Event Source: Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20070.6982, faulting module quicktime.qts, version 7.1.0.210, fault address 0x0006f1d4.
Processing media-specific event for [firefox.exe!ws!]

Event ID #1413: Error
Event Submitted/Written: 08/13/2007 07:18:30 PM
Event Source: nview_info
Event Description:
NVIEW : firefox: WAIT_TIMEOUT, while waiting for a read to clear - resetting read event

Event ID #1307: Warning
Event Submitted/Written: 08/11/2007 07:40:14 PM
Event Source: Userenv
Event Description:
Windows saved user xxxxxx\xxxxxxx registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Event ID #1306: Warning
Event Submitted/Written: 08/11/2007 07:40:11 PM
Event Source: Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event ID #1304: Error
Event Submitted/Written: 08/11/2007 06:17:52 PM
Event Source: nview_info
Event Description:
NVIEW : firefox: WAIT_TIMEOUT, while waiting for a read to clear - resetting read event



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event ID #47640: Warning
Event Submitted/Written: 08/15/2007 06:42:54 PM
Event Source: WinDefend
Event Description:
%xxxxxx27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %xxxxxx27 can't undo changes that you allow.

For more information please see the following:
%xxxxxxx275

Scan ID: {262A5586-5A1D-423C-9B3D-08195F575ED5}

User: xxxxxx\xxxxxxx

Name: %xxxxxxx271

ID: %xxxxxxx272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %xxxxxxx276

Alert Type: %xxxxxxx278

Detection Type: 1.1.1593.02

Event ID #47639: Warning
Event Submitted/Written: 08/15/2007 06:42:54 PM
Event Source: WinDefend
Event Description:
%xxxxxx27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %xxxxxxx27 can't undo changes that you allow.

For more information please see the following:
%KELLY275

Scan ID: {09684435-1681-4C45-A3AB-A28A50D307EF}

User: xxxxxxx\xxxxxxx
Name: %xxxxxx271

ID: %xxxxxxx272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %xxxxxxx276

Alert Type: %xxxxxxxY278

Detection Type: 1.1.1593.02

Event ID #47638: Warning
Event Submitted/Written: 08/15/2007 06:42:54 PM
Event Source: WinDefend
Event Description:
%xxxxxx27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %xxxxxxx27 can't undo changes that you allow.

For more information please see the following:
%xxxxxx275

Scan ID: {63A54E42-900A-43E0-98CF-7E295049D375}

User: xxxxxxx\xxxxxxx

Name: %xxxxxx271

ID: %xxxxxxx272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %xxxxxx276

Alert Type: %xxxxxxx278

Detection Type: 1.1.1593.02

Event ID #47637: Warning
Event Submitted/Written: 08/15/2007 06:42:51 PM
Event Source: WinDefend
Event Description:
%xxxxxxx you can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %xxxxxxx27 can't undo changes that you allow.

For more information please see the following:
%KELLY275

Scan ID: {59A8D214-B88C-4D5C-8DB6-D7ABDA5C31DF}

User: xxxxxxx\xxxxxxx
Name: %xxxxxxx271

ID: %xxxxxxx272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %xxxxxx276

Alert Type: %xxxxxxx278

Detection Type: 1.1.1593.02

Event ID #47636: Warning
Event Submitted/Written: 08/15/2007 06:42:51 PM
Event Source: WinDefend
Event Description:
%xxxxxxx27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %xxxxxx27 can't undo changes that you allow.

For more information please see the following:
%xxxxxx275

Scan ID: {3FDEB2D7-32F0-429D-BFE4-617527303475}

User: xxxxxxx\xxxxxxx

Name: %xxxxxxx271

ID: %xxxxxxx272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %xxxxxxx276

Alert Type: %xxxxxxx278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2007-08-15 at 18:44:15 ---------

#5 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 15 August 2007 - 08:10 PM

Hi Hokuten,

You have outdated Java installed which is now a security risk
Go to Start » Control Panel » Add/Remove Programs
Search all previous installed versions of Java. (J2SE Runtime Environment.... )
(They should have this icon next to it: Posted Image)
Remove all versions of Java apart from Java 6 update 2
You appear to have the latest Java Runtime installed (Java 6 update 2), however you can download all the latest packages from here:
http://java.sun.com/...loads/index.jsp

I know you have done a lot of scans, but please do one more:

Download Dr.WEB CureIt to your desktop from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click cureit.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and remove the check mark from Heuristic analysis
  • Choose the Actions tab and next to Infected objects select Move, then press OK to close the settings box.
  • Note: These settings changes are IMPORTANT, please ensure you have made them before scanning
  • Select all hard drives to be scanned by clicking on them - choose all drives - a red dot confirms they will be scanned
  • Click the green arrow on the right to start the scan
  • Click Yes to all if it asks if you want to move a file
  • Click File-> Save report list and save the report to your desktop
  • Close Dr.Web Cureit and reboot your computer (this is important as files may be moved/deleted during reboot)
Once complete, please post the Dr Web scan log and a new HijackThis log.
ASAP & UNITE Member

#6 Hokuten

Hokuten

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 17 August 2007 - 08:09 PM

Dr Web scan log:

A0024008.exe;C:\System Volume Information\_restore{46705CDE-E4EA-422B-A5A7-9070787DBB17}\RP348;Tool.ShutDown.11;Moved.;
A0024213.exe;C:\System Volume Information\_restore{46705CDE-E4EA-422B-A5A7-9070787DBB17}\RP351;Tool.ShutDown.11;Moved.;
A0024225.exe;C:\System Volume Information\_restore{46705CDE-E4EA-422B-A5A7-9070787DBB17}\RP351;Program.PrcView.3741;Moved.;
test.exe;C:\XUnleashedTest\XUnleashedTest;Trojan.Classic;Moved.;


Hijackthis:



Scan saved at 9:07:24 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA098C38-E6D2-4D57-B4BF-1C8E0F7013F2}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#7 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 17 August 2007 - 09:04 PM

Hi Hokuten,

Dr Web has detected a file associated with XUnleashedTest as a trojan, what do you know about this program?

If you think this is a legitimate program, please let me know and we'll double-check the detection.
If you aren't concerned with the program you may want to delete the folder as it probably won't work properly any more.

We still need to clean System Restore, but otherwise your machine looks pretty good, how is it running now?
ASAP & UNITE Member

#8 Hokuten

Hokuten

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 18 August 2007 - 11:46 AM

As far as I know it was a program for one of the computer games we had on the computer. I think it let you run faster than normal and various other little cheat things. I'm not entirely sure which game it was for...my little brothers were playing a lot of diablo for a while there. Whatever it is I deleted it. Better safe than sorry. My computer is running better. Explorer and Firefox both seem to be loading pages better and faster. Haven't gotten that "Cannot show page" page in about a day now. how do we clean system restore? Thanks for the help :)

#9 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 18 August 2007 - 06:19 PM

Hi Hokuten,

Glad to hear things are running better and I think your machine is now clean.

Some important final steps:

Please delete cureit.exe, SmitfraudFix.exe and the SmitfraudFix folder from your Desktop
Also, open NOD32 and empty quarantined files.

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Here are some tips to help you keep your machine clean:

Operating system vulnerabilities can easily be exploited by malware so please ensure your operating system is automatically kept up to date by using Windows Update:
Go to Start->Control Panel->Automatic Updates
Select Automatic and select a suitable schedule
Also, check that your antivirus and antispyware programs are set to automatically update daily.

You should consider installing a Personal Firewall program. Even if you are behind a NAT router, I recommend you use firewall software as it will improve the security of your computer by monitoring and controlling outbound connections to the internet as well as inbound. There are various free packages available, such as Sunbelt Personal Firewall and Zone Alarm:
http://www.sunbelt-s...sonal-Firewall/
http://www.zonelabs.com/

Spywareblaster is a free program which prevents the download and installation of Internet Explorer ActiveX based malware by immunizing your system against it. You can download Spywareblaster from here and a tutorial to help you get started is available here.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins orActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Find out more about how to prevent infection in the future
http://forum.malware...pic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
ASAP & UNITE Member

#10 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 24 August 2007 - 02:14 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
ASAP & UNITE Member

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·