12 replies to this topic

[dekete]

I just installed Avira Antivirus on my friends computer as she has not used this computer very much and never had a full virus program . Her computer is constantly getting error pop-ups and the internet would shut down. It was also very slow. I am not very familiar with removing trojans and other types of viruses. I had used your service a long time ago and received a lot of great info and help so I thought I would see if you guys can help me out again. Any advice would be greatly appreciated. THanks!

I keep seeing things like TR/Dldr.Bety.A , TR/Drop.Small.MR.1, and TR/Dldr.Apropo.R - Trojan

I am also being redirected to http://runonce.msn.com/runonce2.aspx each time I pull up explorer. TR/Dldr.Apropo.R - Trojan warning from my virus software pops up everytime I load the internet.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:24 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097214079015
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5682 bytes

I can also provide the startup list if needed. Thanks!

Edited by dekete, 28 May 2008 - 11:18 PM.

[silver]

Hi dekete,

Please open this page in your browser:
http://www.bleepingc....php?channel=32

Fill in the link to topic field with a link to this topic
Copy/paste the following into the Browse to the file you want to submit field:

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe

Then press Send File, this will upload the file for analysis

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
• Make sure Format->Word Wrap is unchecked
• Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.

[dekete]

Here is the result: (uploaded the file for analysis too)


Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-31 17:38:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
44: 2008-05-31 22:38:58 UTC - RP434 - Deckard's System Scanner Restore Point
43: 2008-05-31 20:00:31 UTC - RP433 - System Checkpoint
42: 2008-05-30 08:00:47 UTC - RP432 - Software Distribution Service 3.0
41: 2008-05-30 02:34:47 UTC - RP431 - Software Distribution Service 3.0
40: 2008-05-29 06:25:02 UTC - RP430 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-10 07:40:50 UTC - RP391 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).
System Drive C: has 4.42 GiB (less than 15%) free.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:07 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097214079015
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5362 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 LHidUsbK (Logitech SetPoint USB Receiver Device Driver) - c:\windows\system32\drivers\lhidusbk.sys (file missing)
S3 LMouKE (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S3 LUsbKbd (Logitech SetPoint USB Keyboard Filter) - c:\windows\system32\drivers\lusbkbd.sys (file missing)
S3 PRISM_USB (IEEE 802.11 Wireless USB Driver) - c:\windows\system32\drivers\expsusb.sys <Not Verified; Intersil Americas Inc.; PRISM Wireless LAN>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13011186&REV_10\4&25296D99&0&58F0
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC #2
PNP Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13011186&REV_10\4&25296D99&0&58F0
Service: rtl8139


-- Scheduled Tasks -------------------------------------------------------------

2008-05-31 17:09:12 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-29 01:25:18 0 d-------- C:\WINDOWS\system32\PreInstall
2008-05-29 00:44:49 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-05-28 22:58:49 0 d-------- C:\Program Files\Trend Micro
2008-05-28 22:36:57 0 d-------- C:\Program Files\Avira
2008-05-28 22:36:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-18 12:14:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-05-17 14:07:20 0 d-------- C:\Drivers
2008-05-17 14:02:37 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-05-17 01:48:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-05-17 01:29:13 0 d-------- C:\WINDOWS\pss
2008-05-16 02:07:56 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 01:56:43 20480 --a------ C:\WINDOWS\system32\SysRestore.dll <Not Verified; Ascentive LLC; prjSysRestore>
2008-05-16 01:56:41 208896 --a------ C:\WINDOWS\system32\ConTest.dll <Not Verified; Ascentive; ConnectionTester>
2008-05-16 00:56:44 0 d-------- C:\Program Files\HP
2008-05-16 00:24:31 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-05-16 00:12:20 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-05-16 00:10:14 0 d-------- C:\WINDOWS\Prefetch
2008-05-16 00:05:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-15 23:43:25 0 d-------- C:\WINDOWS\peernet
2008-05-15 23:43:23 0 d-------- C:\WINDOWS\provisioning
2008-05-15 23:40:00 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-15 23:29:13 0 d-------- C:\WINDOWS\EHome
2008-05-15 23:22:32 0 d-------- C:\Documents and Settings\All Users\Application Data\CCP
2008-05-15 22:58:34 0 d-------- C:\Program Files\CCP


-- Find3M Report ---------------------------------------------------------------

2008-05-30 04:01:51 0 d-------- C:\Program Files\Messenger
2008-05-29 00:08:54 0 d-------- C:\Program Files\RecordNow
2008-05-29 00:04:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-29 00:02:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-29 00:02:43 0 d-------- C:\Program Files\Common Files
2008-05-28 23:35:59 0 d-------- C:\Program Files\IESearchToolbar
2008-05-28 23:31:40 0 d--h----- C:\Program Files\CxtPls
2008-05-28 23:22:49 0 d-------- C:\Program Files\Common Files\Java
2008-05-28 23:20:53 0 d-------- C:\Program Files\AutoUpdate
2008-05-17 01:35:18 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-17 01:34:52 0 d-------- C:\Program Files\Symantec
2008-05-16 10:09:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-05-15 23:43:27 0 d-------- C:\Program Files\Movie Maker
2008-05-15 23:39:34 0 d-------- C:\Program Files\Windows NT
2008-05-13 23:28:01 415 --a------ C:\WINDOWS\system32\moneyspj.exe
2008-05-13 21:10:13 0 d-------- C:\Program Files\AWS


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
C:\Program Files\CxtPls\plg0\cxtpls.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 02:56 AM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7smU3te]
mf3g6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atiupdate]
C:\DOCUME~1\Owner\LOCALS~1\Temp\msshed32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
"C:\Program Files\AutoUpdate\AutoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
"C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
"C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fast start]
C:\WINDOWS\system32\ntnut.exe home

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kvern16.dll]
C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\kvern16.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MB58RjK5l]
makrun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
c:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center]
C:\Program Files\Ascentive\Performance Center\APCMain.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vernn16.dll]
C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain




-- Hosts -----------------------------------------------------------------------

127.0.0.1 websearch.com
127.0.0.1 www.websearch.com
127.0.0.1 advnt01.com
127.0.0.1 www.advnt01.com
127.0.0.1 www.xzoomy.com
127.0.0.1 xzoomy.com
127.0.0.1 www.adwave.com
127.0.0.1 adwave.com
127.0.0.1 topconverting.com
127.0.0.1 www.topconverting.com

32 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-31 17:44:06 ------------

AND



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 1.80GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 253.98 MiB / 77.01 MiB
Pagefile Memory (total/avail): 625.01 MiB / 407.15 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.51 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 32.23 GiB total, 4.42 GiB free.
D: is Fixed (FAT32) - 5.02 GiB total, 1.22 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 2 partitions
\PARTITION0 - Unknown - 5.03 GiB - D:
\PARTITION1 (bootable) - Installable File System - 32.23 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntivirusOverride is set.

AV: Avira AntiVir PersonalEdition v8.0.1.18 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-US67PI6LUV
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-US67PI6LUV
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0103
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-US67PI6LUV
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\CxtPls\uninstaller.exe"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
--> C:\WINDOWS\System32\auto_update_uninstall.exe C:\WINDOWS\System32\auto_update_uninstall.log
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
ArcSoft Software Suite --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE7C3A14-1D20-49F6-B903-491561076F0F}\SETUP.EXE" -l0x9
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
DelFin Media Viewer --> C:\WINDOWS\unvise32.exe C:\Program Files\DelFin\PromulGate\uninstal.log
Detto IntelliMover Demo --> MsiExec.exe /X{E62C706B-1352-4DCA-B4D4-81C24750B70F}
EVE-ONLINE (remove only) --> C:\Program Files\CCP\EVE\Uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp center --> C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Memories Disc --> MsiExec.exe /X{FF384BDE-429B-45AD-A0C6-E593393D9D1C}
HP Photo and Imaging 1.1 - Photosmart Cameras --> MsiExec.exe /X{1EEE2A9F-6471-42fa-8923-E8879168CE26}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
hp toolkit --> c:\Windows\HPTK\unhptkit.exe
Inactive HP Printer Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Intel® 845G Chipset Graphics Driver Software --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
iPod Updater 2004-11-15 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{06E73C0B-7DE7-4F41-860B-587033B75BD9} /l1033
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3CB41017-F5CA-4C56-934C-ED02156251E6}
Java 2 Runtime Environment Standard Edition v1.3.1_04 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_04\Uninst.isu"
Kazaa Media Desktop 2.0.2 --> RunDll32 C:\WINDOWS\System32\cd_clint.dll,ServiceRunDll u_291 "{A2756524-E9F9-4AC1-AF4E-15F3460ACB3E}"
LAN-Express IEEE 802.11b WLAN --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CC59E6A-C847-4D71-AD40-4906D3FE632A}\setup.exe" -l0x9
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.5 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MediaLoads Installer --> "C:\Program Files\DownloadWare\dw.exe" /R
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
PC-Doctor for Windows --> C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
PodUtil 2.5.2 --> "C:\Program Files\PodUtil\unins000.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Recommended Hotfix - 421701D --> C:\Program Files\Recommended Hotfix - 421701D\v15\RH.EXE -Uninstall
RecordNow Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
WordPerfect Productivity Pack --> C:\WINDOWS\Corel\Uninst32.exe
WordPerfect Productivity Pack --> C:\WINDOWS\Corel\uninst32.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3925 / Warning
Event Submitted/Written: 05/31/2008 03:43:03 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/TwXLoader.BC:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083174.exe

Event Record #/Type3923 / Warning
Event Submitted/Written: 05/30/2008 09:59:56 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/TwXLoader.AC:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083173.exe

Event Record #/Type3918 / Warning
Event Submitted/Written: 05/30/2008 09:45:18 AM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type3917 / Warning
Event Submitted/Written: 05/30/2008 09:45:18 AM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type3916 / Warning
Event Submitted/Written: 05/30/2008 03:10:11 AM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/TwXLoader.AC:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083173.exe



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type28177 / Warning
Event Submitted/Written: 05/30/2008 11:24:20 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type28172 / Error
Event Submitted/Written: 05/30/2008 10:39:34 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Avira AntiVir Personal – Free Antivirus Guard service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type27870 / Warning
Event Submitted/Written: 05/29/2008 09:46:52 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "SAS window"

Event Record #/Type27721 / Error
Event Submitted/Written: 05/29/2008 00:24:38 AM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {B5AB638F-D76C-415B-A8F2-F3CEAC502212}.
The error:
"%%2"
Happened while starting this command:
C:\Program Files\CxtPls\CxtPls.exe -Embedding

Event Record #/Type27719 / Error
Event Submitted/Written: 05/29/2008 00:09:03 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-05-31 17:44:06 ------------

Thanks!

Edited by dekete, 31 May 2008 - 04:53 PM.

[silver]

Hi dekete,

Please open Start->Control Panel->Add/Remove Programs, and remove the following:

DelFin Media Viewer
Java 2 Runtime Environment Standard Edition v1.3.1_04
Kazaa Media Desktop 2.0.2

The Java installation is out of date and now a security risk, you can get the latest update (version 6 update 6) from here when the machine is clean. The other two programs contain malware

------------------------------------------------------------------------

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Backup Your Registry:

• Download ERUNT to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
• Right-click erunt.zip, choose Extract All... and follow the prompts to unzip the program
• Open the erunt folder on your Desktop and double-click ERUNT.exe to start the program
• OK all the prompts to back up your registry to the default location.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)

• Double-click OTMoveIt2.exe to start the program.
• Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  OTMoveIt File List:

  C:\Program Files\CxtPls
  C:\Program Files\Ebates_MoeMoneyMaker
  C:\WINDOWS\system32\SysRestore.dll 
  C:\WINDOWS\system32\ConTest.dll
  C:\Program Files\IESearchToolbar
  C:\Program Files\AutoUpdate
  C:\WINDOWS\system32\moneyspj.exe
  C:\Program Files\DelFin
  C:\Program Files\AWS
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7smU3te
  C:\mf3g6.exe /s
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atiupdate
  C:\DOCUME~1\Owner\LOCALS~1\Temp\msshed32.exe
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fast start
  C:\WINDOWS\system32\ntnut.exe
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
  C:\Program Files\Kazaa
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kvern16.dll
  C:\WINDOWS\System32\kvern16.dll
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MB58RjK5l
  C:\makrun.exe /s
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup
  C:\PROGRA~1\NEWDOT~1
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vernn16.dll
  C:\WINDOWS\System32\vernn16.dll
  HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center
  C:\Program Files\Ascentive
  C:\Program Files\Recommended Hotfix - 421701D
  C:\Program Files\DownloadWare

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
• Then click the red Moveit! button.
• It may take a few minutes to run because it will be searching your hard drive for a couple of files
• When it has finished, copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
• Close OTMoveIt2

------------------------------------------------------------------------

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button
Scroll down the list and find this entry:

Recommended Hotfix - 421701D

Click it to highlight it, then press Delete this entry
Repeat for this entry:

MediaLoads Installer

Then close HijackThis

------------------------------------------------------------------------

Clean with MalwareBytes' Anti-Malware

• Please download the Installer to your Desktop from here:
  http://www.besttechi.../mbam-setup.exe
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to both of these options:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform Quick Scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure everything is checked, and click Remove Selected.
• When finished, a log will open in Notepad. Please save it to your Desktop, and post the contents in your reply.
• The log can also be found here if you need it:
  • Start->All Programs->Malwarebytes' Anti-Malware->Logs

------------------------------------------------------------------------

Once complete, please post the OTMoveIt report, the MalwareBytes Antimalware report and a new HijackThis log.

[dekete]

When I tried to uninstall the following these are the error messages I received:


Delfin - the following file does not exist or is not a valid uninstallation log file.
C/ program files/delfin/promulgate/uninstal.log

LimeWire
Error loading C:\ windows/system32/cd_clint.dll
the specified module could not be found.

-----------------------------------------------------------------------------------------------------------------


OTMoveIt2 by OldTimer

C:\Program Files\CxtPls\pstub0 moved successfully.
C:\Program Files\CxtPls\plg0 moved successfully.
C:\Program Files\CxtPls moved successfully.
File/Folder C:\Program Files\Ebates_MoeMoneyMaker not found.
C:\WINDOWS\system32\SysRestore.dll unregistered successfully.
C:\WINDOWS\system32\SysRestore.dll moved successfully.
C:\WINDOWS\system32\ConTest.dll unregistered successfully.
C:\WINDOWS\system32\ConTest.dll moved successfully.
C:\Program Files\IESearchToolbar moved successfully.
C:\Program Files\AutoUpdate moved successfully.
C:\WINDOWS\system32\moneyspj.exe moved successfully.
File/Folder C:\Program Files\DelFin not found.
C:\Program Files\AWS moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7smU3te >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7smU3te\\ deleted successfully.
< C:\mf3g6.exe /s >
File/Folder C:\mf3g6.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atiupdate >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atiupdate\\ deleted successfully.
File/Folder C:\DOCUME~1\Owner\LOCALS~1\Temp\msshed32.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fast start >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fast start\\ deleted successfully.
File/Folder C:\WINDOWS\system32\ntnut.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA\\ deleted successfully.
File/Folder C:\Program Files\Kazaa not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kvern16.dll >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kvern16.dll\\ deleted successfully.
File/Folder C:\WINDOWS\System32\kvern16.dll not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MB58RjK5l >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MB58RjK5l\\ deleted successfully.
< C:\makrun.exe /s >
File/Folder C:\makrun.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup\\ deleted successfully.
File/Folder C:\PROGRA~1\NEWDOT~1 not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vernn16.dll >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vernn16.dll\\ deleted successfully.
File/Folder C:\WINDOWS\System32\vernn16.dll not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center\\ deleted successfully.
File/Folder C:\Program Files\Ascentive not found.
File/Folder C:\Program Files\Recommended Hotfix - 421701D not found.
File/Folder C:\Program Files\DownloadWare not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06012008_132054


-------------------------------------------------------------------------------------------------------------------


MalWarByts


Malwarebytes' Anti-Malware 1.14
Database version: 812

1:39:05 PM 6/1/2008
mbam-log-6-1-2008 (13-39-05).txt

Scan type: Quick Scan
Objects scanned: 40589
Time elapsed: 11 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\xjado (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\180ax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




-------------------------------------------------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:08 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097214079015
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 4838 bytes




Thank you so much for your prompt replies and excellent information. I really appreciate you helping me out!

[silver]

You're welcome dekete

If those Add/Remove Programs entries which gave errors are still present we can remove them:

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button
Scroll down the list and find this entry:

DelFin Media Viewer

Click it to highlight it, then press Delete this entry
Repeat for this entry:

Kazaa Media Desktop 2.0.2

Then close HijackThis

Next, please do an online scan with Kaspersky:
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky...kavwebscan.html

• Click Accept and the web scanner will begin to load
• If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
• You will be prompted to install an ActiveX component from Kaspersky, click Install
• If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on Next and then Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• The program will start to scan your system.
• Once the scan is complete, click on the Save Report As... button, change Save as type: to Text file and save the file to your desktop as Kaspersky.txt

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Once complete, please post the Kaspersky report and a new HijackThis log. Also, let me know how your computer is running now.

[dekete]

The computer is running much better now. I still get pop ups from antivirus about blocking a virus/trojan (thought its nots as bad as before). The computer is much faster thought. Thanks you!


Kasperskyshowed:
Number of viruses found: 17
Number of infected objects: 38
Here is the report
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 02, 2008 10:20:48 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 821574
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 85819
Number of viruses found: 17
Number of infected objects: 38
Number of suspicious objects: 0
Duration of the scan process: 02:08:53

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\bpc_inst_1006.exe/data0002 Infected: not-a-virus:AdWare.Win32.Broadcap.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\bpc_inst_1006.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.Broadcap.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\bpc_inst_1006.exe/data0004 Infected: not-a-virus:AdWare.Win32.Broadcap.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\bpc_inst_1006.exe NSIS: infected - 3 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\cxtpls_loader.exe Infected: not-a-virus:AdWare.Win32.Apropos.b skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\vern16.exe Infected: Trojan-Dropper.Win32.Miewer.d skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\zilla.exe Infected: not-a-virus:AdWare.Win32.AdURL.a skipped
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\SAHUninstall_.exe Infected: not-a-virus:AdWare.Win32.Sahat.j skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\Brilliant\b3dsetup.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1100 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP412\A0080436.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP413\A0080442.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP427\A0082795.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.m skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP428\A0082870.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP428\A0083048.exe Infected: not-a-virus:AdWare.Win32.DownloadWare skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083112.dll Infected: Trojan-Dropper.Win32.Miewer.a skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083113.dll Infected: Trojan-Dropper.Win32.Miewer.a skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083172.dll Infected: Trojan-Dropper.Win32.Miewer.a skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083173.exe Infected: Trojan.Win32.Pakes skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083175.exe Infected: Trojan-Downloader.Win32.Delf.ep skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083176.dll Infected: Trojan-Dropper.Win32.Miewer.a skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083177.dll Infected: Trojan-Dropper.Win32.Miewer.b skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083178.exe/data0002 Infected: not-a-virus:AdWare.Win32.Perez.a skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083178.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083179.dll Infected: Trojan-Dropper.Win32.Miewer.a skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083180.dll Infected: Trojan-Dropper.Win32.Miewer.a skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083181.dll Infected: Trojan-Dropper.Win32.Miewer.d skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP429\A0083184.dll Infected: not-a-virus:AdWare.Win32.Apropos.e skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP435\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\NDNuninstall4_80.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\NDNuninstall4_88.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\NDNuninstall5_20.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pop4.dll Infected: Trojan-Dropper.Win32.Miewer.a skipped
C:\WINDOWS\system32\pop5.dll Infected: Trojan-Dropper.Win32.Miewer.a skipped
C:\WINDOWS\system32\SplashSpot Games.exe Infected: not-a-virus:AdWare.Win32.AdURL.a skipped
C:\WINDOWS\system32\ss.dll Infected: Trojan-Dropper.Win32.Miewer.c skipped
C:\WINDOWS\system32\STOPzilla.exe Infected: not-a-virus:AdWare.Win32.AdURL.a skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\06012008_132054\Program Files\CxtPls\WinGenerics.dll Infected: not-a-virus:AdWare.Win32.Apropos.f skipped

Scan process completed.
--------------------------------------------------------------------------------------------------------------------------------------



Hijack this:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:45 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097214079015
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 4865 bytes

[silver]

Hi dekete,

Clean with OTMoveIt again:

• Double-click OTMoveIt2.exe to start the program.
• Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  OTMoveIt File List:

  C:\WINDOWS\NDNuninstall4_80.exe
  C:\WINDOWS\NDNuninstall4_88.exe
  C:\WINDOWS\NDNuninstall4_94.exe
  C:\WINDOWS\NDNuninstall5_20.exe
  C:\WINDOWS\NDNuninstall6_38.exe
  C:\WINDOWS\system32\pop4.dll
  C:\WINDOWS\system32\pop5.dll
  C:\WINDOWS\system32\SplashSpot Games.exe
  C:\WINDOWS\system32\ss.dll
  C:\WINDOWS\system32\STOPzilla.exe
  EmptyTemp

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
• Then click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot. - save a copy of this report to your Desktop

Clean up with OTMoveIt2:

• Double-click OTMoveIt2.exe to start the program.
• Close all other programs apart from OTMoveIt2 as this step will require a reboot
• On the OTMoveIt main screen, press the CleanUp! button
• Say Yes to the prompt and then allow the program to reboot your computer.

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Once complete, please post the new OTMoveIt report and a new HijackThis log.
Also, please tell me if you get any alerts from your antivirus after the above has been completed.

[dekete]

I have not seen any more ”Deny access to the {Trojans} pop up" from antivirus since doing this. Here are the reports from OT and Hijack this. You wanted the original OT I did before the system restore correct? Should I uninstall the virus detection programs that I have downloaded on my computer? The computer works great now anyhow and your steps were very easy to follow. I appreciate all of the help you have given me and my roommate is very happy to use her computer again! Its just like new

C:\WINDOWS\NDNuninstall4_80.exe moved successfully.
C:\WINDOWS\NDNuninstall4_88.exe moved successfully.
C:\WINDOWS\NDNuninstall4_94.exe moved successfully.
C:\WINDOWS\NDNuninstall5_20.exe moved successfully.
C:\WINDOWS\NDNuninstall6_38.exe moved successfully.
C:\WINDOWS\system32\pop4.dll unregistered successfully.
C:\WINDOWS\system32\pop4.dll moved successfully.
C:\WINDOWS\system32\pop5.dll unregistered successfully.
C:\WINDOWS\system32\pop5.dll moved successfully.
C:\WINDOWS\system32\SplashSpot Games.exe moved successfully.
C:\WINDOWS\system32\ss.dll unregistered successfully.
C:\WINDOWS\system32\ss.dll moved successfully.
C:\WINDOWS\system32\STOPzilla.exe moved successfully.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06032008_011422




-------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:59 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: Add to AD Black List - E:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - E:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - E:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - E:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - E:\Avant Browser\Search.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097214079015
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 4834 bytes

Edited by dekete, 03 June 2008 - 01:15 AM.

[silver]

Hi dekete,

Sounds good, I think your machine is now clean of malware
If you followed all the instructions, the tools we have used to clean your machine have been removed. The Antivir antivirus package you have installed is a good product and should be left in place to protect the system. Here are some further tips to help you keep the machine clean:

You have a good antivirus program installed, however I recommend you install antispyware software with real-time capabilities - this means it protects you from system changes and spyware while you are working, not just removing malware after it has been installed. There are a range of paid-for and free packages available, a free one I can recommend is Windows Defender, available here:
http://www.microsoft...re/default.mspx

You should consider installing a Personal Firewall program. Even if you are behind a NAT router, I recommend you use firewall software as it will improve the security of your computer by monitoring and controlling outbound connections to the internet as well as inbound. There are various free packages available, one I can recommend is Online Armor
A tutorial on firewalls to help you get started:
http://www.bleepingc...tutorial60.html

I recommend you install a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also: subscribe to the mailing list to get update notifications.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Find out more about how to prevent infection in the future
http://forum.malware...pic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.

[dekete]

Everything is working great now. We have not noticed anymore unwanted pop up or notices from the virus software. I am going to look into the programs/sites you have listed and get some descent protection on this computer. I really appreciate your time and your easy instructions. I'm glad to find out whatthetech is still as awesome as Tom Coyote was.

[silver]

Thank you for your kind words and I'm very glad things are running better

[silver]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.