[Resolved] Slow,slow,slow


12 replies to this topic

#1 johnnykg (Authentic Member, 22 posts)

Posted 11 September 2007 - 10:18 AM

Hello,

I had some posts here last year, and I am back again now, because I need some help. My computer is running very slow lately. Opening programs is slow, surfing the net is also slow. I don't know what to do to get my PC to run fast like before. Here is the log file from HijackThis. I hope someone can help me with this. Thanks in advance.


Logfile of HijackThis v1.99.1
Scan saved at 6:12:31 PM, on 9/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\aiej.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\svchost32.exe
C:\WINDOWS\system\smss.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [china] C:\aiej.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\hfefmhka.dll",forkonce
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\actdyqxs.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINDOWS\system\svchost32.exe
O23 - Service: Windows NT Session Manager (WINNTSMSS) - Unknown owner - C:\WINDOWS\system\smss.exe

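Added example, not part of the thread and not code from HijackThis or from the helper: a Python triage of the log above that mechanises what an experienced reader does by eye. The log shows two copies of smss.exe (the genuine one in System32 and one in C:\WINDOWS\system), a svchost32.exe that only resembles svchost.exe, an autorun pointing at C:\aiej.exe in the drive root, a rundll32-loaded DLL, and two "Unknown owner" services with Windows-sounding names. The sample lines are excerpted from the posted log; the set of core process names, their expected directories and the service rules are this example's own assumptions.

```python
"""Triage a HijackThis v1.99.1 log for masquerading processes and suspicious autoruns.

Added example; not part of the original thread and not HijackThis code. SAMPLE_LOG is
excerpted from the log posted above. CORE, the expected directories and the service
heuristics are assumptions made by this example, not rules the helper stated.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Core Windows processes that malware habitually imitates. Assumption: on Windows XP the
# genuine copy lives only in %SystemRoot%\System32 (explorer.exe in %SystemRoot%).
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
        "lsass.exe", "svchost.exe", "explorer.exe"}
WINDIR = PureWindowsPath(r"C:\WINDOWS")
SYSTEM32 = WINDIR / "System32"
ROOT = PureWindowsPath("C:\\")

O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")
O4_RE = re.compile(r"^O4 - .+?: \[(.+?)\] (.+)$")

# Excerpt of the HijackThis log posted above (process list, O4 autoruns, O23 services).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\aiej.exe
C:\WINDOWS\system\svchost32.exe
C:\WINDOWS\system\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [china] C:\aiej.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\hfefmhka.dll",forkonce
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\actdyqxs.exe (file missing)
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINDOWS\system\svchost32.exe
"""


def _in_dir(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    """Case-insensitive 'sits directly inside' check (NTFS/FAT paths are case-insensitive)."""
    return str(path.parent).lower() == str(directory).lower()


def check_binary(path_str: str) -> Optional[str]:
    """Flag a process or autorun target whose name or location is suspicious."""
    path = PureWindowsPath(path_str.strip().strip('"'))
    name = path.name.lower()
    if name in CORE:
        expected = WINDIR if name == "explorer.exe" else SYSTEM32
        if not _in_dir(path, expected):
            return f"masquerade: {path} (genuine {name} lives in {expected})"
        return None
    # svchost32.exe, lsass32.exe ...: a core name with digits bolted on before .exe.
    if re.sub(r"\d+(?=\.exe$)", "", name) in CORE:
        return f"look-alike name: {path}"
    if _in_dir(path, ROOT):
        return f"binary in drive root: {path}"
    return None


def check_autorun(command: str) -> Optional[str]:
    """Pull the launched binary out of an O4 command line and check it.
    rundll32 launches are always reported: the DLL, not rundll32, is the payload."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    first = (m.group(1) or m.group(2)) if m else command
    if first.lower().endswith("rundll32.exe"):
        dll = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', command, re.I)
        target = (dll.group(1) or dll.group(2)) if dll else command
        return f"rundll32 autorun loading {target}: verify the DLL's publisher"
    return check_binary(first)


def check_service(line: str) -> Optional[str]:
    """Flag O23 services with no publisher that also look wrong in some other way.
    'Unknown owner' alone is not evidence: driver helper services (ATI here) show it too."""
    m = O23_RE.match(line)
    if not m:
        return None
    display, owner, path_str, missing = m.groups()
    if owner != "Unknown owner":
        return None
    path = PureWindowsPath(path_str)
    reasons = []
    if missing:
        reasons.append("file missing")
    if display.startswith("Windows"):
        reasons.append("Windows-sounding name with no publisher")
    if not (_in_dir(path, SYSTEM32) or str(path).lower().startswith(r"c:\program files")):
        reasons.append(f"unusual location {path.parent}")
    return f"{display}: {', '.join(reasons)}" if reasons else None


def triage(log_text: str) -> List[str]:
    """Run every check over a HijackThis log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - "):
            section, f = "service", check_service(line)
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            section, f = "autorun", (check_autorun(m.group(2)) if m else None)
        elif re.match(r"^[A-Za-z]:\\", line):
            section, f = "process", check_binary(line)
        else:
            continue
        if f:
            findings.append(f"{section}: {f}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the excerpt, the checks produce seven findings: the drive-root binary (once as a process, once as the "china" autorun), the look-alike svchost32.exe, the smss.exe masquerade in C:\WINDOWS\system, the rundll32-loaded hfefmhka.dll, the DomainService entry whose file is already gone, and the SvcHost32 service that combines a Windows-sounding name with a non-standard directory. The "Unknown owner" ATI services are deliberately left alone.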


#2 Trevuren (Teacher Emeritus, 8,632 posts)

Posted 11 September 2007 - 01:08 PM

Hello johnnykg and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.

Please download this file - combofix.exe by sUBs
  • You must download it to and run it from your Desktop
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#3 johnnykg (Authentic Member, 22 posts)

Posted 12 September 2007 - 12:24 PM

Hi Trevuren, and thanks for your quick answer. I did what you asked me to do. Here are the logs:




ComboFix 07-09-12.8 - "PC!" 2007-09-12 20:09:10.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.61 [GMT 2:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system\svchost32.exe
C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\fccddbc.dll
C:\WINDOWS\system32\hgghgda.dll
C:\WINDOWS\system32\ijpwkwof.dll
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\joqnqbhm.dll
C:\WINDOWS\system32\mhbqnqoj.ini
C:\WINDOWS\system32\nnnkife.dll
C:\WINDOWS\system32\opnkjhe.dll
C:\WINDOWS\system32\rqrpqon.dll
C:\WINDOWS\system32\ssqoonm.dll
C:\WINDOWS\system32\tuvsqpm.dll
C:\WINDOWS\system32\tuvvtuv.dll
C:\WINDOWS\system32\valplcep.dll
C:\WINDOWS\system32\yaywwxu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_YDRO42
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-12 20:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-12 19:52 322 --a------ C:\mlw.exe
2007-09-12 10:34 178,176 --a------ C:\WINDOWS\system32\drivers\Mqew62.sys
2007-09-11 20:20 178,176 --a------ C:\WINDOWS\system32\drivers\Csn61.sys
2007-09-11 18:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-11 18:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-11 18:02 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 18:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 18:01 178,176 --a------ C:\WINDOWS\system32\drivers\Nje32.sys
2007-09-11 16:46 178,176 --a------ C:\WINDOWS\system32\drivers\Sock40.sys
2007-09-11 12:25 178,176 --a------ C:\WINDOWS\system32\drivers\Suu54.sys
2007-09-11 11:07 178,176 --a------ C:\WINDOWS\system32\drivers\Qjs43.sys
2007-09-10 22:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-10 22:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-10 19:05 178,176 --a------ C:\WINDOWS\system32\drivers\Aohb54.sys
2007-09-10 16:18 178,176 --a------ C:\WINDOWS\system32\drivers\Ttsj59.sys
2007-09-09 15:11 178,176 --a------ C:\WINDOWS\system32\drivers\Ydro42.sys
2007-09-09 11:37 178,176 --a------ C:\WINDOWS\system32\drivers\Bcj42.sys
2007-09-08 09:39 7,168 --a------ C:\mlc.exe
2007-09-08 00:17 178,176 --a------ C:\WINDOWS\system32\drivers\Ceyp73.sys
2007-09-07 23:26 5,632 --a------ C:\aiej.exe
2007-09-07 20:29 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-09-07 20:29 150,528 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-09-06 18:49 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2007-09-06 18:49 8,192 --a------ C:\WINDOWS\system32\dllcache\tsbyuv.dll
2007-09-06 18:49 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-09-06 18:49 49,664 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-09-06 18:49 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2007-09-06 18:49 45,568 --a------ C:\WINDOWS\system32\dllcache\iyuv_32.dll
2007-09-04 17:41 <DIR> d-------- C:\Program Files\WebcamMax
2007-09-04 11:48 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\HP
2007-09-04 11:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-09-04 11:45 <DIR> d-------- C:\Program Files\Common Files\HP
2007-09-04 11:44 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-09-04 11:44 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-09-04 11:43 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2007-09-04 11:43 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-09-04 11:43 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
2007-09-04 11:43 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-09-04 11:42 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-09-04 11:42 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-09-04 11:42 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-09-04 11:42 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-09-04 11:42 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-09-04 11:42 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-09-04 11:42 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-04 11:40 <DIR> d-------- C:\Program Files\HP
2007-09-04 11:39 21,760 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-04 11:38 117,673 --a------ C:\WINDOWS\hpoins11.dat
2007-09-04 11:34 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-04 11:34 24,960 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-04 11:34 182,880 --a------ C:\WINDOWS\system32\iuenginenew.dll
2007-09-04 11:33 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-04 11:33 28,160 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-28 16:20 <DIR> d--hs---- C:\FOUND.000
2007-08-25 23:12 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\AdobeUM
2007-08-21 20:54 <DIR> d-------- C:\Program Files\TechSmith
2007-08-20 20:19 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\Lavasoft
2007-08-19 23:00 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\uTorrent
2007-08-19 22:59 <DIR> d-------- C:\Program Files\uTorrent
2007-08-19 21:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-19 20:16 2,925 --a------ C:\WINDOWS\mozver.dat
2007-08-19 20:16 107,132 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-08-19 20:02 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-08-19 20:02 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-08-19 19:56 <DIR> d-------- C:\DOCUME~1\PC!\Contacts
2007-08-19 19:55 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2007-08-19 19:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-19 19:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-19 17:16 <DIR> d---s---- C:\DOCUME~1\PC!\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 11:41 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 02:50]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"AGRSMMSG"="AGRSMMSG.exe" [2003-09-23 11:06 C:\WINDOWS\AGRSMMSG.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-19 21:48]
"WebcamMaxMoniter"="C:\Program Files\WebcamMax\CAMTHINS.exe" [2006-07-20 15:25]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"china"="C:\aiej.exe" [2007-09-07 23:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 01:41]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-09-12 19:57]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-29 20:54:18]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-09-12 19:57 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\jkhfd

R3 axsaki;axsaki;C:\WINDOWS\System32\DRIVERS\axsaki.sys
R3 axskbus;axskbus;C:\WINDOWS\System32\DRIVERS\axskbus.sys
S2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\System32\DRIVERS\CamthWDM.sys
S2 SvcHost32;Windows Network Services;"C:\WINDOWS\system\svchost32.exe"
S2 WINNTSMSS;Windows NT Session Manager;"C:\WINDOWS\system\smss.exe"
S3 Intels51;Intel® 536EP Modem;C:\WINDOWS\System32\DRIVERS\Intels51.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 20:12:43
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
china = C:\aiej.exe?Aaaa-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32??w????;??w???w?????8=???"??$@?0?"??A?w????????????????????????aaaaaaaaaaAAAAaAaaAAAaaaAAAAAaaa?!@?????h?"????w)??p?Y?wE??w????????m??w????)??p????????0?????"?????????????????????D?????"????w????????????{@@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-12 20:13:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-12 20:13
.
--- E O F ---







Logfile of HijackThis v1.99.1
Scan saved at 8:20:30 PM, on 9/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\aiej.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [china] C:\aiej.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINDOWS\system\svchost32.exe (file missing)
O23 - Service: Windows NT Session Manager (WINNTSMSS) - Unknown owner - C:\WINDOWS\system\smss.exe (file missing)

#4 Trevuren (Teacher Emeritus, 8,632 posts)

Posted 12 September 2007 - 01:24 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://forums.whatthetech.com/Slowslowslow_t83152.html

Collect::(4)
C:\mlc.exe
C:\mlw.exe
C:\WINDOWS\system\svchost32.exe
C:\WINDOWS\system\smss.exe
C:\aiej.exe

File::
C:\WINDOWS\system32\drivers\Ceyp73.sys
C:\WINDOWS\system32\drivers\Mqew62.sys
C:\WINDOWS\system32\drivers\Csn61.sys
C:\WINDOWS\system32\drivers\Nje32.sys
C:\WINDOWS\system32\drivers\Sock40.sys
C:\WINDOWS\system32\drivers\Suu54.sys
C:\WINDOWS\system32\drivers\Qjs43.sys
C:\WINDOWS\system32\drivers\Aohb54.sys
C:\WINDOWS\system32\drivers\Ttsj59.sys
C:\WINDOWS\system32\drivers\Ydro42.sys
C:\WINDOWS\system32\drivers\Bcj42.sys

Driver::
SvcHost32
WINNTSMSS

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"china"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=-
[-HKEY_CLASSES_ROOT\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}]
[-HKEY_CLASSES_ROOT\TYPELIB\{04C567CB-A52F-41f4-9628-10CC965E7179}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

9. Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window :
  • Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, you may DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

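Added example, not part of the thread and not code from ComboFix or from the helper's script: two checks that pick out the most telling lines of the ComboFix log in post #3, plus the encoding behind the Registry:: fix in post #4. The "Files Created" list shows eleven drivers of exactly 178,176 bytes under random names, one created every few hours, which is the fingerprint of a dropper re-installing its kernel component under a fresh name. The LSA line names a second authentication package, jkhfd (lsass loads it as jkhfd.dll from System32 at boot, with SYSTEM rights and before any on-demand scanner runs), which is why the helper's script resets that value to the stock msv1_0 using a hex(7) REG_MULTI_SZ literal. The sample lines are excerpted from the logs above; the grouping threshold and the "stock value is msv1_0" assumption are this example's own.

```python
"""Checks over ComboFix output: same-size random-named drivers and rogue LSA packages,
plus encode/decode of the hex(7) REG_MULTI_SZ literal used in the CFScript fix.

Added example; not part of the thread, not ComboFix code, not the helper's script.
FILES_CREATED and LSA_LINE are excerpted from the logs posted above. The threshold of
three same-size drivers and the stock value ["msv1_0"] are assumptions of this example.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Excerpt of the "Files Created" section of the first ComboFix log.
FILES_CREATED = r"""
2007-09-12 10:34 178,176 --a------ C:\WINDOWS\system32\drivers\Mqew62.sys
2007-09-11 20:20 178,176 --a------ C:\WINDOWS\system32\drivers\Csn61.sys
2007-09-11 18:01 178,176 --a------ C:\WINDOWS\system32\drivers\Nje32.sys
2007-09-09 15:11 178,176 --a------ C:\WINDOWS\system32\drivers\Ydro42.sys
2007-09-04 11:43 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-09-04 11:42 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-19 21:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
"""

# The LSA line from the "Reg Loading Points" section (ComboFix doubles the backslashes).
LSA_LINE = r'"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\jkhfd'

# Stock Windows XP value for HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages.
EXPECTED_AUTH_PACKAGES = ["msv1_0"]

FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+\S+\s+(.+\.sys)$", re.I)


def same_size_drivers(listing: str, min_group: int = 3) -> Dict[int, List[str]]:
    """Group newly created .sys files by byte size and return groups of min_group or more.
    A dropper that re-installs its driver under a fresh random name each time leaves many
    names with one identical size; legitimate drivers almost never collide like that."""
    groups = defaultdict(list)
    for line in listing.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = int(m.group(2).replace(",", ""))
            groups[size].append(m.group(3))
    return {size: names for size, names in groups.items() if len(names) >= min_group}


def rogue_auth_packages(reg_line: str) -> List[str]:
    """Return every LSA authentication package that is not the stock one.
    Each name is loaded into lsass.exe as <name>.dll from System32 at boot, so an extra
    entry here is persistence that survives cleaning every Run key."""
    value = reg_line.split("=", 1)[1].strip()
    return [p for p in value.split() if p.lower() not in EXPECTED_AUTH_PACKAGES]


def decode_hex7(literal: str, encoding: str = "latin-1") -> List[str]:
    """Decode a .reg-style hex(7) REG_MULTI_SZ literal into its list of strings.
    The helper's CFScript line is one byte per character; a regedit 5.00 export of the
    same value is UTF-16LE ("6d,00,73,00,..."), hence the encoding parameter."""
    body = literal.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in body.split(","))
    text = raw.decode(encoding)
    # REG_MULTI_SZ is NUL-separated and double-NUL-terminated; drop the empty tail entries.
    return [s for s in text.split("\0") if s]


def encode_hex7(strings: List[str], encoding: str = "latin-1") -> str:
    """Inverse of decode_hex7: build the hex(7) literal for a REG_MULTI_SZ value."""
    raw = ("\0".join(strings) + "\0\0").encode(encoding)
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    for size, names in same_size_drivers(FILES_CREATED).items():
        print(f"{len(names)} drivers of {size} bytes:", *names, sep="\n  ")
    print("rogue LSA packages:", rogue_auth_packages(LSA_LINE))
    print("CFScript fix value:", encode_hex7(EXPECTED_AUTH_PACKAGES))
```

encode_hex7(["msv1_0"]) reproduces the helper's line byte for byte (6d,73,76,31,5f,30,00,00), and decode_hex7 on that literal gives back just msv1_0. The driver grouping reports four files of 178,176 bytes in this excerpt; on the full listing above it would report eleven, which is exactly the File:: list the helper built by hand.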

#5 johnnykg (Authentic Member, 22 posts)

Posted 12 September 2007 - 02:59 PM

OK, I did everything you told me to. I submitted that zip file (if I may ask, to whom, and should I expect some answer, or from you maybe?), and then I made new ComboFix and HijackThis log files. Here they are, and thanks a lot again.



ComboFix 07-09-13.1 - "PC!" 2007-09-13 22:47:43.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.65 [GMT 2:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-12 20:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 18:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-11 18:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-11 18:02 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 18:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-10 22:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-10 22:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-07 20:29 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-09-07 20:29 150,528 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-09-06 18:49 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2007-09-06 18:49 8,192 --a------ C:\WINDOWS\system32\dllcache\tsbyuv.dll
2007-09-06 18:49 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-09-06 18:49 49,664 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-09-06 18:49 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2007-09-06 18:49 45,568 --a------ C:\WINDOWS\system32\dllcache\iyuv_32.dll
2007-09-04 17:41 <DIR> d-------- C:\Program Files\WebcamMax
2007-09-04 11:48 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\HP
2007-09-04 11:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-09-04 11:45 <DIR> d-------- C:\Program Files\Common Files\HP
2007-09-04 11:44 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-09-04 11:44 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-09-04 11:43 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2007-09-04 11:43 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-09-04 11:43 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
2007-09-04 11:43 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-09-04 11:42 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-09-04 11:42 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-09-04 11:42 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-09-04 11:42 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-09-04 11:42 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-09-04 11:42 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-09-04 11:42 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-04 11:40 <DIR> d-------- C:\Program Files\HP
2007-09-04 11:39 21,760 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-04 11:38 117,673 --a------ C:\WINDOWS\hpoins11.dat
2007-09-04 11:34 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-04 11:34 24,960 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-04 11:34 182,880 --a------ C:\WINDOWS\system32\iuenginenew.dll
2007-09-04 11:33 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-04 11:33 28,160 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-28 16:20 <DIR> d--hs---- C:\FOUND.000
2007-08-25 23:12 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\AdobeUM
2007-08-21 20:54 <DIR> d-------- C:\Program Files\TechSmith
2007-08-20 20:19 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\Lavasoft
2007-08-19 23:00 <DIR> d-------- C:\DOCUME~1\PC!\APPLIC~1\uTorrent
2007-08-19 22:59 <DIR> d-------- C:\Program Files\uTorrent
2007-08-19 21:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-19 20:16 2,925 --a------ C:\WINDOWS\mozver.dat
2007-08-19 20:16 107,132 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-08-19 20:02 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-08-19 20:02 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-08-19 19:56 <DIR> d-------- C:\DOCUME~1\PC!\Contacts
2007-08-19 19:55 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2007-08-19 19:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-19 19:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-19 17:16 <DIR> d---s---- C:\DOCUME~1\PC!\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( snapshot_2007-09-12_201308.93 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-03-13 08:57:12 C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 11:41 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 02:50]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"AGRSMMSG"="AGRSMMSG.exe" [2003-09-23 11:06 C:\WINDOWS\AGRSMMSG.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-19 21:48]
"WebcamMaxMoniter"="C:\Program Files\WebcamMax\CAMTHINS.exe" [2006-07-20 15:25]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 01:41]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-09-12 19:57]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-29 20:54:18]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-09-12 19:57 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

R3 axsaki;axsaki;C:\WINDOWS\System32\DRIVERS\axsaki.sys
R3 axskbus;axskbus;C:\WINDOWS\System32\DRIVERS\axskbus.sys
S2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\System32\DRIVERS\CamthWDM.sys
S3 Intels51;Intel® 536EP Modem;C:\WINDOWS\System32\DRIVERS\Intels51.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 22:48:46
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-13 22:49:31
C:\ComboFix-quarantined-files.txt ... 2007-09-13 22:49
C:\ComboFix3.txt ... 2007-09-12 20:14
C:\ComboFix2.txt ... 2007-09-13 22:40
.
--- E O F ---





Logfile of HijackThis v1.99.1
Scan saved at 10:55:49 PM, on 9/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#6 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 12 September 2007 - 03:58 PM

I submitted that zip file (if I may ask, to whom, and should I expect some answer, or you maybe?)


What you did is submit a list of files (that were deleted from your system at the same time) that have already been determined to be malware to the developer for future inclusion. The second list of files (File::) is essentially randomly named trojans that just needed to be deleted.


Things are looking much better.


A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log


Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#7 johnnykg

    Authentic Member

  • 22 posts

Posted 13 September 2007 - 11:02 AM

Hi. Here is Kaspersky report and new HJT log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 14, 2007 6:48:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 13/09/2007
Kaspersky Anti-Virus database records: 418023
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 49345
Number of viruses found: 8
Number of infected objects: 62
Number of suspicious objects: 0
Duration of the scan process: 01:34:25

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\PC!\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\PC!\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\PC!\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PC!\Local Settings\History\History.IE5\MSHist012007091420070915\index.dat Object is locked skipped
C:\Documents and Settings\PC!\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PC!\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\PC!\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\PC!\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\PC!\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\PC!\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\PC!\UserData\index.dat Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP27\A0007269.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP27\A0007287.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP28\A0007305.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP28\A0007396.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP30\A0007458.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ql skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP30\A0007459.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP30\A0008458.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP30\A0008468.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP31\A0008482.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP32\A0008508.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP32\A0008534.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008581.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008583.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008584.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008585.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008586.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008587.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008588.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008589.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008592.dll Infected: Trojan-Clicker.Win32.Agent.jn skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008593.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008594.exe Infected: Backdoor.Win32.Aimbot.fu skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008595.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008604.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008741.exe Infected: Trojan-Proxy.Win32.Agent.ka skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008742.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008743.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008744.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008745.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008746.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008747.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008748.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008749.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008750.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008751.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP34\A0008752.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP35\change.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\opnkjhe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\tuvsqpm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rqrpqon.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ssqoonm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\yaywwxu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\tuvvtuv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hgghgda.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\nnnkife.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir Infected: Trojan-Clicker.Win32.Agent.jn skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\symavc32.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Ceyp73.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Mqew62.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Csn61.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Nje32.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Sock40.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Suu54.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Qjs43.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Aohb54.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Ttsj59.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Ydro42.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Bcj42.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\fccddbc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system\smss.exe.vir Infected: Backdoor.Win32.SdBot.xd skipped
C:\qoobox\Quarantine\C\WINDOWS\system\svchost32.exe.vir Infected: Backdoor.Win32.Aimbot.fu skipped
C:\qoobox\Quarantine\C\aiej.exe.vir Infected: Trojan-Proxy.Win32.Agent.ka skipped
D:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP35\change.log Object is locked skipped
E:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP35\change.log Object is locked skipped

Scan process completed.






Logfile of HijackThis v1.99.1
Scan saved at 6:57:42 PM, on 9/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\WebcamMax\CAMTHINS.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#8 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 13 September 2007 - 11:16 AM

Everything looks quite good at this point. Most of the infections found by Kaspersky are safely located in Quarantine or in your System Restore cache. The others we will deal with now:

Using Windows Explorer (Windows Key + E), please locate and DELETE the following folders:

C:\Program Files\mIRC <== Folder and all its content

C:\Qoobox <== Folder and all its content.


Now with that out of the way, please tell me how your system is running. If all is well, just give me the OK and we will complete our little journey with the final cleanup procedures.

Regards,

Trevuren
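Trevuren's triage above rests on where each flagged file lives: copies in ComboFix's quarantine (C:\qoobox) or inside System Restore points are dormant, while anything still in place on the running system needs action. The following is an added example, not code from this thread or from any of the tools it mentions: a small Python script that parses lines in the Kaspersky Online Scanner report layout posted above and applies that split. The sample report is constructed from paths in the thread, except the final svchost32.exe line, which is a constructed live hit that does not appear in the thread.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Kaspersky Online Scanner 5.x report
# posted in this thread. Each detection line is either
#   "<path> Infected: <verdict> skipped"   or   "<path> Object is locked skipped".
# The paths are copied from that report; the final svchost32.exe line is a
# constructed "live" hit that did NOT appear in the thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{0B4F1EB6-5C98-472D-923C-A82885AE1FCF}\RP33\A0008593.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\qoobox\Quarantine\C\WINDOWS\system\smss.exe.vir Infected: Backdoor.Win32.SdBot.xd skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\symavc32.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\system\svchost32.exe Infected: Backdoor.Win32.Aimbot.fu skipped

Scan process completed.
"""

# One report line: a path (may contain spaces), then either a verdict or the
# locked-object marker, then the "skipped" last-action column.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)|Object is locked) skipped$"
)


def classify_location(path):
    """Where the flagged file lives decides how much it matters."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"        # already neutralised by ComboFix (.vir copies)
    if "\\system volume information\\_restore" in p:
        return "restore-point"     # dormant copy inside a System Restore point
    return "live"                  # still in place on the running system


def parse_report(text):
    """Turn the report into a list of findings; locked objects have verdict None."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue           # header, blank and summary lines
        path, verdict = m.group("path"), m.group("verdict")
        findings.append({
            "path": path,
            "verdict": verdict,
            "location": classify_location(path),
            # Kaspersky's "not-a-virus:" prefix marks potentially unwanted
            # software (here the mIRC client), not malware proper.
            "pua": verdict is not None and verdict.startswith("not-a-virus:"),
        })
    return findings


def triage(findings):
    """Split findings into items needing action and a per-location count."""
    counts = Counter()
    action_items = []
    for f in findings:
        if f["verdict"] is None:
            counts["locked"] += 1      # registry hives, event logs: normal, not a detection
            continue
        counts[f["location"]] += 1
        if f["location"] == "live":
            action_items.append(f)
    return action_items, counts


def recommendation(location):
    """Follow-up matching the advice given in this thread for each location."""
    return {
        "live": "Remove or quarantine now; this file is active on the system.",
        "quarantine": "Delete the quarantine folder (C:\\Qoobox) once the system is confirmed clean.",
        "restore-point": "Create a fresh restore point, then purge the old ones with Cleanmgr.",
    }[location]


if __name__ == "__main__":
    items, summary = triage(parse_report(SAMPLE_REPORT))
    print("counts:", dict(summary))
    for f in items:
        tag = "PUA" if f["pua"] else "MALWARE"
        print(f"[{tag}] {f['path']} -> {f['verdict']}: {recommendation('live')}")
    for loc in ("quarantine", "restore-point"):
        if summary[loc]:
            print(f"{summary[loc]} in {loc}: {recommendation(loc)}")
```

Run against the full report from the thread, the only live item it reports is the mIRC client, which is exactly the one folder Trevuren asked to have deleted by hand.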

#9 johnnykg

    Authentic Member

  • 22 posts

Posted 13 September 2007 - 12:21 PM

OK Trevuren, things are looking better now, although I am not sure if everything is as it was before. It is still a little bit slow when I open Explorer, or Word, or Total Commander etc. But it is better, and I must thank you for that, and for your help. Tell me now please what to do in the future? You saw through these logs what I have on my computer, what anti-virus programs, and anti-spyware etc. But it didn't help me stop these viruses and infections. Can you tell me and recommend me something, because my knowledge on this matter is not "updated". Thanks a lot once again.

#10 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 13 September 2007 - 12:55 PM

You may have protection provided through your ISP but whatever you may be using is not doing the trick. Let us start here:

You don't appear to be running any anti-virus software

Anti-virus software consists of programs that detect, clean, and/or erase harmful virus files on a computer. Unchecked, virus files can unintentionally be forwarded to others, and thereby spread infection. Keeping your anti-virus updated is essential.

Please download free anti-virus software from one of these excellent vendors NOW: It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


You don't appear to have a software firewall running

It is important that you use a software firewall, to prevent unauthorized traffic both out of and into your computer.
If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products: It is important to note that you should only have one firewall installed at a time.

#11 johnnykg

    Authentic Member

  • 22 posts

Posted 13 September 2007 - 02:47 PM

OK, I will do what you tell me. Although I already have AVG and I update it every day, plus I have SUPERAntiSpyware free edition, Lavasoft Ad-Aware. All is updated regularly. Should I delete all of these, and install something different? And better, since I got all those viruses and infections. I don't have ZoneAlarm, and I will install it later tonight. I guess this is the end for now, so, you were very kind and helpful. Thank you very much for the time you spent here with me. Take care. Johnnykg.

#12 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 13 September 2007 - 03:01 PM

Congratulations, your logs look CLEAN

There are a few things you must do once your system is completely clean:

1. Time for some housekeeping

Please DELETE the ComboFix tool


2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place?

Regards,

Trevuren


#13 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 14 September 2007 - 09:21 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.