| Thread ID: 78579 | 2007-04-21 02:01:00 | help needed with Tjns and viruses | DT33 (12171) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 543005 | 2007-04-21 02:01:00 | Hi there. My apologies up front that my first post is one asking for help. Lately this machine has been coming up with warning bells and sirens that it is infected with viruses and trojans. I have looked around at some sites trying to cure these ills myself, but I admit defeat. Of all the sites, this looked the most likely for a response that I could understand. The machine is simple and we are running XP Home; the kids use it mainly for messaging and low-level gaming. While reading on the forum I loaded Trojan Remover and have run it. I have pasted the log view thinking it may help. Appreciate any responses.

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
21/04/2007 12:54:30 p.m.: Trojan Remover has been restarted
Trojan Remover forced a System Restart by terminating WINLOGON.EXE.
The Cleanup Utility was used to remove locked registry keys.
Unable to rename C:\WINDOWS\system32\awtqp.dll to C:\WINDOWS\system32\awtqp.dll.ren
Unable to rename C:\WINDOWS\system32\awtqp.dll to C:\WINDOWS\system32\awtqp.dll.ren
You may want to run a new scan with Trojan Remover in SAFE mode.
21/04/2007 12:54:37 p.m.: Trojan Remover closed
************************************************************

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.5.9, Build 2462.
For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 21/04/2007 12:50:40 p.m.
Using Database v6779
Operating System: Windows XP Home Edition Service Pack 2 (Build 2600)
Using data directory: C:\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Owner\My Documents\Simply Super Software\Trojan Remover Logfiles\
Running with Administrator privileges
**************************************************
Checking Registry exefile command for modifications
Checking Registry comfile command for modifications
Checking Registry piffile command for modifications
Checking Registry batfile command for modifications
Checking Registry regfile command for modifications
Checking Registry cmdfile command for modifications
Checking Registry scrfile command for modifications
******************************
12:50:40 p.m.: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS
******************************
12:50:40 p.m.: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS
******************************
12:50:41 p.m.: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
******************************
12:50:41 p.m.: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Explorer.exe - this entry has been left in place
----------
This key's "Userinit" value calls the following program(s):
C:\WINDOWS\system32\userinit.exe - this entry has been left in place
----------
This key's "System" value appears to be blank
----------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name = load
The Data Value for this entry appears to be blank
--------------------
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = NvCplDaemon
Value Data = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup - this command has been left in place
--------------------
Value Name = nwiz
Value Data = nwiz.exe /install - this command has been left in place
--------------------
Value Name = NvMediaCenter
Value Data = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit - this command has been left in place
--------------------
Value Name = High Definition Audio Property Page Shortcut
Value Data = HDAShCut.exe - this command has been left in place
--------------------
Value Name = SoundMAXPnP
Value Data = C:\Program Files\Analog Devices\Core\smax4pnp.exe - this command has been left in place
--------------------
Value Name = SoundMAX
Value Data = C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray - this command has been left in place
--------------------
Value Name = SunJavaUpdateSched
Value Data = C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe - this command has been left in place
--------------------
Value Name = NeroFilterCheck
Value Data = C:\WINDOWS\system32\NeroCheck.exe - this command has been left in place
--------------------
Value Name = avast!
Value Data = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - this command has been left in place
--------------------
Value Name = QuickTime Task
Value Data = C:\Program Files\QuickTime\qttask.exe" -atboottime - this command has been left in place
--------------------
Value Name = iTunesHelper
Value Data = C:\Program Files\iTunes\iTunesHelper.exe - this command has been left in place
--------------------
Value Name = SpywareBot
Value Data = C:\Program Files\SpywareBot\SpywareBot.exe -boot - this command has been left in place [file not found to scan]
--------------------
Value Name = TrojanScanner
Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file
--------------------
Value Name = PrintDrive
Value Data = rundll32.exe "C:\WINDOWS\system32\mxmryfre.dll",setvm - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
Value Data = rundll32.exe "C:\WINDOWS\system32\mxmryfre.dll",setvm - this command has been removed
C:\WINDOWS\system32\mxmryfre.dll has been renamed to: C:\WINDOWS\system32\mxmryfre.dll.ren
--------------------
erfyrmxm.ini, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\
C:\WINDOWS\system32\erfyrmxm.ini - has HIDDEN attribute set
C:\WINDOWS\system32\erfyrmxm.ini - HIDDEN attribute removed
C:\WINDOWS\system32\erfyrmxm.ini - has SYSTEM attribute set
C:\WINDOWS\system32\erfyrmxm.ini - SYSTEM attribute removed
C:\WINDOWS\system32\erfyrmxm.ini has been renamed to: C:\WINDOWS\system32\erfyrmxm.ini.ren
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = CTFMON.EXE
Value Data = C:\WINDOWS\system32\ctfmon.exe - this command has been left in place
--------------------
Value Name = MsnMsgr
Value Data = C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background - this command has been left in place
--------------------
Value Name = BitTorrent
Value Data = C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized - this command has been left in place [file not found to scan]
--------------------
Value Name = spywarebot
Value Data = C:\Program Files\spywarebot\spywarebot.exe" -boot - this command has been left in place [file not found to scan]
--------------------
--------------------
Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
******************************
12:50:48 p.m.: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {A2A61D92-555E-4E4D-A877-DE105D95AB90}
File: C:\WINDOWS\system32\tuvtqnl.dll
C:\WINDOWS\system32\tuvtqnl.dll - this ShellExecuteHook has been left in place
----------
******************************
12:50:49 p.m.: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Registry Run Keys Hidden Entries found
----------
******************************
12:50:49 p.m.: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver=C:\WINDOWS\system32\sspipes.scr - this command has been left in place
--------------------
******************************
12:50:49 p.m.: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Checking the StubPath calls in the Active Setup\Installed Components registry keys:
Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place
----------
Key=>{26923b43-4d38-484f-9b9e-de460746276c} StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED} StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place
----------
Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C} StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={7790769C-0471-11d2-AF11-00C04FA35D02} StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4340} StubPath=regsvr32.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4383} StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place
----------
******************************
12:50:50 p.m.: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Checking DLL files called from the CurrentControlSet\Services Keys:
--------------------
Key=Alerter ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place
--------------------
Key=AppMgmt ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this file is globally excluded (file cannot be found)
--------------------
Key=AudioSrv ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place
--------------------
Key=BITS ServiceDLL=C:\WINDOWS\system32\qmgr.dll - this reference has been left in place
--------------------
Key=Browser ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place
--------------------
Key=CryptSvc ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place
--------------------
Key=DcomLaunch ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
--------------------
Key=Dhcp ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place
--------------------
Key=dmserver ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place
--------------------
Key=Dnscache ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place
--------------------
Key=ERSvc ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place
--------------------
Key=EventSystem ServiceDLL=C:\WINDOWS\system32\es.dll - this reference has been left in place
--------------------
Key=FastUserSwitchingCompatibility ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=helpsvc ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place
--------------------
Key=HidServ ServiceDLL=%SystemRoot%\System32\hidserv.dll - this file is globally excluded (file cannot be found)
--------------------
Key=HTTPFilter ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place
--------------------
Key=lanmanserver ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place
--------------------
Key=lanmanworkstation ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place
--------------------
Key=LmHosts ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place
--------------------
Key=Messenger ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place
--------------------
Key=Netman ServiceDLL=%SystemRoot%\System32\netman.dll - this reference has been left in place
--------------------
Key=Nla ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place
--------------------
Key=NtmsSvc ServiceDLL=%SystemRoot%\system32\ntmssvc.dll - this reference has been left in place
--------------------
Key=RasAuto ServiceDLL=%SystemRoot%\System32\rasauto.dll - this reference has been left in place
--------------------
Key=RasMan ServiceDLL=%SystemRoot%\System32\rasmans.dll - this reference has been left in place
--------------------
Key=RemoteAccess ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place
--------------------
Key=RpcSs ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
--------------------
Key=Schedule ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place
--------------------
Key=seclogon ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place
--------------------
Key=SENS ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place
--------------------
Key=SharedAccess ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place
--------------------
Key=ShellHWDetection ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=srservice ServiceDLL=C:\WINDOWS\system32\srsvc.dll - this reference has been left in place
--------------------
Key=SSDPSRV ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
--------------------
Key=stisvc ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
--------------------
Key=TapiSrv ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place
--------------------
Key=TermService ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place
--------------------
Key=Themes ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=TrkWks ServiceDLL=%SystemRoot%\system32\trkwks.dll - this reference has been left in place
--------------------
Key=upnphost ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
--------------------
Key=W32Time ServiceDLL=C:\WINDOWS\system32\w32time.dll - this reference has been left in place
--------------------
Key=WebClient ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
--------------------
Key=winmgmt ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
--------------------
Key=WmdmPmSN ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place
--------------------
Key=wscsvc ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
--------------------
Key=wuauserv ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
--------------------
Key=WZCSVC ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
--------------------
Key=xmlprov ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place
******************************
12:50:53 p.m.: Scanning ----- SERVICES REGISTRY KEYS -----
Checking files called from the CurrentControlSet\Services Keys:
Key=ACPI ImagePath=system32\DRIVERS\ACPI.sys - this reference has been left in place
----------
Key=ADIHdAudAddService ImagePath=system32\drivers\ADIHdAud.sys - this reference has been left in place
----------
Key=AEAudioService ImagePath=system32\drivers\AEAudio.sys - this reference has been left in place
----------
Key=aec ImagePath=system32\drivers\aec.sys - this reference has been left in place
----------
Key=AFD ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
----------
Key=ALG ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
----------
Key=AmdK8 ImagePath=system32\DRIVERS\AmdK8.sys - this reference has been left in place
----------
Key=Arp1394 ImagePath=system32\DRIVERS\arp1394.sys - this reference has been left in place
----------
Key=aspnet_state ImagePath=%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe - this reference has been left in place
----------
Key=aswUpdSv ImagePath="C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" - this reference has been left in place
----------
Key=AsyncMac ImagePath=system32\DRIVERS\asyncmac.sys - this reference has been left in place
----------
Key=atapi ImagePath=system32\DRIVERS\atapi.sys - this reference has been left in place
----------
Key=Atmarpc ImagePath=system32\DRIVERS\atmarpc.sys - this reference has been left in place
----------
Key=audstub ImagePath=system32\DRIVERS\audstub.sys - this reference has been left in place
----------
Key=avast! Antivirus ImagePath="C:\Program Files\Alwil Software\Avast4\ashServ.exe" - this reference has been left in place
----------
Key=avast! Mail Scanner ImagePath="C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service - this reference has been left in place
----------
Key=avast! Web Scanner ImagePath="C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service - this reference has been left in place
----------
Key=Cdrom ImagePath=system32\DRIVERS\cdrom.sys - this reference has been left in place
----------
Key=CiSvc ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
----------
Key=ClipSrv ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
----------
Key=clr_optimization_v2.0.50727_32 ImagePath=C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe - this reference has been left in place
----------
Key=COMSysApp ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
----------
Key=Disk ImagePath=system32\DRIVERS\disk.sys - this reference has been left in place
----------
Key=dmadmin ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
----------
Key=dmboot ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
----------
Key=dmio ImagePath=System32\drivers\dmio.sys - this reference has been left in place
----------
Key=dmload ImagePath=System32\drivers\dmload.sys - this reference has been left in place
----------
Key=DMusic ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
----------
Key=drmkaud ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
----------
Key=Eventlog ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=FltMgr ImagePath=system32\DRIVERS\fltMgr.sys - this reference has been left in place
----------
Key=Ftdisk ImagePath=system32\DRIVERS\ftdisk.sys - this reference has been left in place
----------
Key=GEARAspiWDM ImagePath=System32\Drivers\GEARAspiWDM.sys - this reference has been left in place
----------
Key=Gpc ImagePath=system32\DRIVERS\msgpc.sys - this reference has been left in place
----------
Key=HdAudAddService ImagePath=system32\drivers\HdAudio.sys - this reference has been left in place
----------
Key=HDAudBus ImagePath=system32\DRIVERS\HDAudBus.sys - this reference has been left in place
----------
Key=HTTP ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
----------
Key=i8042prt ImagePath=system32\DRIVERS\i8042prt.sys - this reference has been left in place
----------
Key=Imapi ImagePath=system32\DRIVERS\imapi.sys - this reference has been left in place
----------
Key=ImapiService ImagePath=C:\WINDOWS\system32\imapi.exe - this reference has been left in place
----------
Key=IntelS51 ImagePath=system32\DRIVERS\IntelS51.sys - this reference has been left in place
----------
Key=Ip6Fw ImagePath=system32\DRIVERS\Ip6Fw.sys - this reference has been left in place
----------
Key=IpFilterDriver ImagePath=system32\DRIVERS\ipfltdrv.sys - this reference has been left in place
----------
Key=IpInIp ImagePath=system32\DRIVERS\ipinip.sys - this reference has been left in place
----------
Key=IpNat ImagePath=system32\DRIVERS\ipnat.sys - this reference has been left in place
----------
Key=iPod Service ImagePath="C:\Program Files\iPod\bin\iPodService.exe" - this reference has been left in place
----------
Key=IPSec ImagePath=system32\DRIVERS\ipsec.sys - this reference has been left in place
----------
Key=IRENUM ImagePath=system32\DRIVERS\irenum.sys - this reference has been left in place
----------
Key=isapnp ImagePath=system32\DRIVERS\isapnp.sys - this reference has been left in place
----------
Key=Kbdclass ImagePath=system32\DRIVERS\kbdclass.sys - this reference has been left in place
----------
Key=kmixer ImagePath=system32\drivers\kmixer.sys - this reference has been left in place
----------
Key=mnmsrvc ImagePath=C:\WINDOWS\system32\mnmsrvc.exe - this reference has been left in place
----------
Key=MODEMCSA ImagePath=system32\drivers\MODEMCSA.sys - this reference has been left in place
----------
Key=Mouclass ImagePath=system32\DRIVERS\mouclass.sys - this reference has been left in place
----------
Key=MRxDAV ImagePath=system32\DRIVERS\mrxdav.sys - this reference has been left in place
----------
Key=MRxSmb ImagePath=system32\DRIVERS\mrxsmb.sys - this reference has been left in place
----------
Key=MSDTC ImagePath=C:\WINDOWS\system32\msdtc.exe - this reference has been left in place
----------
Key=MSIServer ImagePath=C:\WINDOWS\system32\msiexec.exe /V - this reference has been left in place
----------
Key=MSKSSRV ImagePath=system32\drivers\MSKSSRV.sys - this reference has been left in place
----------
Key=MSPCLOCK ImagePath=system32\drivers\MSPCLOCK.sys - this reference has been left in place
----------
Key=MSPQM ImagePath=system32\drivers\MSPQM.sys - this reference has been left in place
----------
Key=mssmbios ImagePath=system32\DRIVERS\mssmbios.sys - this reference has been left in place
----------
Key=MTsensor ImagePath=system32\DRIVERS\ASACPI.sys - this reference has been left in place
----------
Key=NdisTapi ImagePath=system32\DRIVERS\ndistapi.sys - this reference has been left in place
----------
Key=Ndisuio ImagePath=system32\DRIVERS\ndisuio.sys - this reference has been left in place
----------
Key=NdisWan ImagePath=system32\DRIVERS\ndiswan.sys - this reference has been left in place
----------
Key=NetBIOS ImagePath=system32\DRIVERS\netbios.sys - this reference has been left in place
----------
Key=NetBT ImagePath=system32\DRIVERS\netbt.sys - this reference has been left in place
----------
Key=NetDDE ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=NetDDEdsdm ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=Netlogon ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=NIC1394 ImagePath=system32\DRIVERS\nic1394.sys - this reference has been left in place
----------
Key=NtLmSsp ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=nv ImagePath=system32\DRIVERS\nv4_mini.sys - this reference has been left in place
----------
Key=nvata ImagePath=system32\DRIVERS\nvata.sys - this reference has been left in place
----------
Key=NVENETFD ImagePath=system32\DRIVERS\NVENETFD.sys - this reference has been left in place
----------
Key=nvnetbus ImagePath=system32\DRIVERS\nvnetbus.sys - this reference has been left in place
----------
Key=NVSvc ImagePath=%SystemRoot%\system32\nvsvc32.exe - this reference has been left in place
----------
Key=NwlnkFlt ImagePath=system32\DRIVERS\nwlnkflt.sys - this reference has been left in place
----------
Key=NwlnkFwd ImagePath=system32\DRIVERS\nwlnkfwd.sys - this reference has been left in place
----------
Key=ohci1394 ImagePath=system32\DRIVERS\ohci1394.sys - this reference has been left in place
----------
Key=ose ImagePath="C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" - this reference has been left in place
----------
Key=Parport ImagePath=system32\DRIVERS\parport.sys - this reference has been left in place
----------
Key=PCI ImagePath=system32\DRIVERS\pci.sys - this reference has been left in place
----------
Key=PCIIde ImagePath=system32\DRIVERS\pciide.sys - this reference has been left in place
----------
Key=PlugPlay ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=PolicyAgent ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PptpMiniport ImagePath=system32\DRIVERS\raspptp.sys - this reference has been left in place
----------
Key=Processor ImagePath=system32\DRIVERS\processr.sys - this reference has been left in place
----------
Key=ProtectedStorage ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PSched ImagePath=system32\DRIVERS\psched.sys - this reference has been left in place
----------
Key=Ptilink ImagePath=system32\DRIVERS\ptilink.sys - this reference has been left in place
----------
Key=RasAcd ImagePath=system32\DRIVERS\rasacd.sys - this reference has been left in place
----------
Key=Rasl2tp ImagePath=system32\DRIVERS\rasl2tp.sys - this reference has been left in place
----------
Key=RasPppoe ImagePath=system32\DRIVERS\raspppoe.sys - this reference has been left in place
----------
Key=Raspti ImagePath=system32\DRIVERS\raspti.sys - this reference has been left in place
----------
Key=Rdbss ImagePath=system32\DRIVERS\rdbss.sys - this reference has been left in place
----------
Key=RDPCDD ImagePath=System32\DRIVERS\RDPCDD.sys - this reference has been left in place
----------
Key=RDSessMgr ImagePath=C:\WINDOWS\system32\sessmgr.exe - this reference has been left in place
----------
Key=redbook ImagePath=system32\DRIVERS\redbook.sys - this reference has been left in place
----------
Key=RpcLocator ImagePath=%SystemRoot%\system32\locator.exe - this reference has been left in place
----------
Key=RSVP ImagePath=%SystemRoot%\system32\rsvp.exe - this reference has been left in place
----------
Key=SamSs ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=SCardSvr ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place
----------
Key=Secdrv ImagePath=system32\DRIVERS\secdrv.sys - this reference has been left in place
----------
Key=SenFiltService ImagePath=system32\drivers\Senfilt.sys - this reference has been left in place
----------
Key=serenum ImagePath=system32\DRIVERS\serenum.sys - this reference has been left in place
----------
Key=Serial ImagePath=system32\DRIVERS\serial.sys - this reference has been left in place
----------
Key=splitter ImagePath=system32\drivers\splitter.sys - this reference has been left in place
----------
Key=Spooler ImagePath=%SystemRoot%\system32\spoolsv.exe - this reference has been left in place
----------
Key=sr ImagePath=system32\DRIVERS\sr.sys - this reference has been left in place
----------
Key=Srv ImagePath=system32\DRIVERS\srv.sys - this reference has been left in place
----------
Key=swenum ImagePath=system32\DRIVERS\swenum.sys - this reference has been left in place
----------
Key=swmidi ImagePath=system32\drivers\swmidi.sys - this reference has been left in place
----------
Key=SwPrv ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{A5F665DF-5ECC-4CB6-BFC8-215C4C329FCD} - this reference has been left in place
----------
Key=sysaudio ImagePath=system32\drivers\sysaudio.sys - this reference has been left in place
----------
Key=SysmonLog ImagePath=%SystemRoot%\system32\smlogsvc.exe - this reference has been left in place
----------
Key=Tcpip ImagePath=system32\DRIVERS\tcpip.sys - this reference has been left in place
----------
Key=TermDD ImagePath=system32\DRIVERS\termdd.sys - this reference has been left in place
----------
Key=UMWdf ImagePath=C:\WINDOWS\system32\wdfmgr.exe - this reference has been left in place
----------
Key=Update ImagePath=system32\DRIVERS\update.sys - this reference has been left in place
----------
Key=UPS ImagePath=%SystemRoot%\System32\ups.exe - this reference has been left in place
----------
Key=usbehci ImagePath=system32\DRIVERS\usbehci.sys - this reference has been left in place
----------
Key=usbhub ImagePath=system32\DRIVERS\usbhub.sys - this reference has been left in place
----------
Key=usbohci ImagePath=system32\DRIVERS\usbohci.sys - this reference has been left in place
----------
Key=USBSTOR ImagePath=system32\DRIVERS\USBSTOR.SYS - this reference has been left in place
----------
Key=usnjsvc ImagePath="C:\Program Files\MSN Messenger\usnsvc.exe" - this reference has been left in place
----------
Key=VgaSave ImagePath=\SystemRoot\System32\drivers\vga.sys - this reference has been left in place
----------
Key=VSS ImagePath=%SystemRoot%\System32\vssvc.exe - this reference has been left in place
----------
Key=Wanarp ImagePath=system32\DRIVERS\wanarp.sys - this reference has been left in place
----------
Key=wdmaud ImagePath=system32\drivers\wdmaud.sys - this reference has been left in place
----------
Key=WMConnectCDS ImagePath=C:\Program Files\Windows Media Connect 2\wmccds.exe - this reference has been left in place
----------
Key=WmiApSrv ImagePath=C:\WINDOWS\system32\wbem\wmiapsrv.exe - this reference has been left in place
----------
******************************
12:51:09 p.m.: Scanning -----VXD ENTRIES-----
Checking VMM32 VxD files being loaded
******************************
12:51:09 p.m.: Scanning ----- WINLOGON\NOTIFY DLLS -----
Checking DLLs called from the Winlogon\Notify key:
Key=awtqp
DLLName=C:\WINDOWS\system32\awtqp.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
DLLName=C:\WINDOWS\system32\awtqp.dll - this call has been removed
C:\WINDOWS\system32\awtqp.dll - has HIDDEN attribute set
C:\WINDOWS\system32\awtqp.dll - HIDDEN attribute removed
C:\WINDOWS\system32\awtqp.dll - has SYSTEM attribute set
C:\WINDOWS\system32\awtqp.dll - SYSTEM attribute removed
C:\WINDOWS\system32\awtqp.dll has been marked for renaming when the PC is restarted (if it exists)
----------
pqtwa.ini, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\
C:\WINDOWS\system32\pqtwa.ini - has HIDDEN attribute set
C:\WINDOWS\system32\pqtwa.ini - HIDDEN attribute removed
C:\WINDOWS\system32\pqtwa.ini - has SYSTEM attribute set
C:\WINDOWS\system32\pqtwa.ini - SYSTEM attribute removed
C:\WINDOWS\system32\pqtwa.ini has been renamed to: C:\WINDOWS\system32\pqtwa.ini.ren
pqtwa.bak1, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\
C:\WINDOWS\system32\pqtwa.bak1 - has HIDDEN attribute set
C:\WINDOWS\system32\pqtwa.bak1 - HIDDEN attribute removed
C:\WINDOWS\system32\pqtwa.bak1 - has SYSTEM attribute set
C:\WINDOWS\system32\pqtwa.bak1 - SYSTEM attribute removed
C:\WINDOWS\system32\pqtwa.bak1 has been renamed to: C:\WINDOWS\system32\pqtwa.bak1.ren
pqtwa.bak2, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\
C:\WINDOWS\system32\pqtwa.bak2 - has HIDDEN attribute set
C:\WINDOWS\system32\pqtwa.bak2 - HIDDEN attribute removed
C:\WINDOWS\system32\pqtwa.bak2 - has SYSTEM attribute set
C:\WINDOWS\system32\pqtwa.bak2 - SYSTEM attribute removed
C:\WINDOWS\system32\pqtwa.bak2 has been renamed to: C:\WINDOWS\system32\pqtwa.bak2.ren
Key=crypt32chain DLLName=crypt32.dll - this reference has been left in place
----------
Key=cryptnet DLLName=cryptnet.dll - this reference has been left in place
----------
Key=cscdll DLLName=cscdll.dll - this reference has been left in place
----------
Key=ScCertProp DLLName=wlnotify.dll - this reference has been left in place
----------
Key=Schedule DLLName=wlnotify.dll - this reference has been left in place
----------
Key=sclgntfy DLLName=sclgntfy.dll - this reference has been left in place
----------
Key=SensLogn DLLName=WlNotify.dll - this reference has been left in place
----------
Key=termsrv DLLName=wlnotify.dll - this reference has been left in place
----------
Key=tuvtqnl DLLName=tuvtqnl.dll - this reference has been left in place
----------
Key=WgaLogon DLLName=WgaLogon.dll - this reference has been left in place
----------
Key=wlballoon DLLName=wlnotify.dll - this reference has been left in place
----------
******************************
12:51:16 p.m.: Scanning ----- CONTEXTMENUHANDLERS -----
Key = avast CLSID = {472083B0-C522-11CF-8763-00608CC02F24} C:\Program Files\Alwil Software\Avast4\ashShell.dll - this ContextMenuHandler has been left in place
----------
Key = Offline Files CLSID = {750fdf0e-2a26-11d1-a3ea-080036587f03} %SystemRoot%\System32\cscui.dll - this ContextMenuHandler has been left in place
----------
Key = Open With CLSID = {09799AFB-AD67-11d1-ABCD-00C04FC30936} %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Open With EncryptionMenu CLSID = {A470F8CF-A1E8-4f65-8335-227475AA5C46} %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Trojan Remover CLSID = {52B87208-9CCF-42C9-B88E-069281105805} C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place
----------
Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8} %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
******************************
12:51:16 p.m.: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key = {0D2E74C4-3C34-11d2-A27E-00C04FC30871} %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F01-7B1C-11d1-838f-0000F80461CF} %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F02-7B1C-11d1-838f-0000F80461CF} %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {66742402-F9B9-11D1-A202-0000F81FEDEE} %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {7D4D6379-F301-4311-BEBA-E26EB0561882} C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll - this Folder\ColumnHandler has been left in place
----------
Key = {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" - this Folder\ColumnHandler has been left in place
----------
Key = {F9DB5320-233E-11D1-9F84-707F02C10627} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll - this Folder\ColumnHandler has been left in place
----------
******************************
12:51:17 p.m.: Scanning ----- BROWSER HELPER OBJECTS -----
Key = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - this Browser Helper Object has been left in place
----------
Key = {13D60298-FC74-47DA-9638-10A4EB0FCDA8} C:\WINDOWS\system32\mchncejh.dll - this Browser Helper Object has been left in place
----------
Key = {1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\asnkhwkp.dll - this Browser Helper Object has been left in place
----------
Key = {2A16EC02-ED45-4936-9590-51CBEAC20B29} C:\WINDOWS\system32\mljjh.dll - this Browser Helper Object has been left in place [file not found to scan]
----------
Key = {5AF96A08-5257-4258-809B-4B88E7314B9e} C:\WINDOWS\system32\mchncejh.dll - this Browser Helper Object has been left in place
----------
Key = {70D4613E-DCBB-4E42-9073-D5087F3519BB} C:\WINDOWS\system32\awtqp.dll - this Browser Helper Object has been left in place
----------
Key = {715E62E4-63D4-4CB5-95EE-8388696FAEEA} C:\WINDOWS\system32\pmnnk.dll - this Browser Helper Object
has been left in place [file not found to scan] ---------- Key = {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - this Browser Helper Object has been left in place ---------- Key = {9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - this Browser Helper Object has been left in place ---------- Key = {A2A61D92-555E-4E4D-A877-DE105D95AB90} C:\WINDOWS\system32\tuvtqnl.dll - this Browser Helper Object has been left in place ---------- Key = {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\Windows Live Toolbar\msntb.dll - this Browser Helper Object has been left in place ---------- C:\WINDOWS\system32\awtqp.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION) C:\WINDOWS\system32\awtqp.dll - this Browser Helper Object was being loaded by the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FA939146-FD15-4837-8D5D-1D0A539E9DBD} - this key has been removed C:\WINDOWS\system32\awtqp.dll - this Browser Helper Object was referenced by the following key: HKEY_CLASSES_ROOT\CLSID\{FA939146-FD15-4837-8D5D-1D0A539E9DBD} - this key has been removed C:\WINDOWS\system32\awtqp.dll has been marked for renaming when the PC is restarted (if it exists) pqtwa.ini, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\ C:\WINDOWS\system32\pqtwa.ini - has HIDDEN attribute set C:\WINDOWS\system32\pqtwa.ini - HIDDEN attribute removed C:\WINDOWS\system32\pqtwa.ini - has SYSTEM attribute set C:\WINDOWS\system32\pqtwa.ini - SYSTEM attribute removed C:\WINDOWS\system32\pqtwa.ini has been renamed to: C:\WINDOWS\system32\pqtwa.ini.ren ---------- ****************************** 12:51:26 p.m.: Scanning ----- SHELLSERVICEOBJECTS ----- Key = PostBootReminder %SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place ---------- Key = CDBurn %SystemRoot%\system32\SHELL32.dll - this 
ShellServiceObject has been left in place ---------- Key = WebCheck %SystemRoot%\system32\webcheck.dll - this ShellServiceObject has been left in place ---------- Key = SysTray C:\WINDOWS\system32\stobject.dll - this ShellServiceObject has been left in place ---------- ****************************** 12:51:26 p.m.: Scanning ----- SHAREDTASKSCHEDULER ENTRIES ----- Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1} Comment = Browseui preloader File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place ---------- Value = {8C7461EF-2B13-11d2-BE35-3078302C2030} Comment = Component Categories cache daemon File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place ---------- ****************************** 12:51:26 p.m.: Scanning ----- IMAGEFILE DEBUGGERS ----- No "Debugger" entries found. ****************************** 12:51:26 p.m.: Scanning ----- APPINIT_DLLS ----- The AppInit_DLLs value is blank ****************************** 12:51:26 p.m.: Scanning ------ COMMON STARTUP GROUP ------ [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] The Common Startup Group attempts to load the following file(s) at boot time: Adobe Reader Speed Launch.lnk - this links to C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe and has been left in place -------------------- desktop.ini - this file is expected and has been left in place -------------------- ****************************** 12:51:26 p.m.: Scanning ------ USER STARTUP GROUPS ------ -------------------- Checking Startup Group for Min Noah1 [C:\Documents and Settings\Min Noah1\START MENU\PROGRAMS\STARTUP] The Startup Group for Min Noah1 attempts to load the following file(s): desktop.ini - this file is expected and has been left in place -------------------- Checking Startup Group for Owner [C:\Documents and Settings\Owner\START MENU\PROGRAMS\STARTUP] The Startup Group for Owner attempts to load the following file(s): desktop.ini - this file 
is expected and has been left in place OpenOffice.org 2.0.lnk - this links to C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe and has been left in place -------------------- Checking Startup Group for sammi [C:\Documents and Settings\sammi\START MENU\PROGRAMS\STARTUP] The Startup Group for sammi attempts to load the following file(s): desktop.ini - this file is expected and has been left in place ****************************** 12:51:26 p.m.: Scanning ----- SCHEDULED TASKS ----- ****************************** 12:51:26 p.m.: ----- EXTRA CHECKS ----- PE386 rootkit checks completed ---------- Winlogon registry rootkit checks completed ---------- Heuristic checks for hidden files/drivers completed ---------- ****************************** 12:51:26 p.m.: Scanning ------ DOWNLOADED PROGRAM FILES ------ The following files are located in the DOWNLOADED PROGRAM FILES directory: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\msgrchkr.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\desktop.ini - this file is expected and has been left in place C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\minesweeper.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\msgrchkr.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\swflash.inf - this file has been left in place ****************************** 12:51:27 p.m.: Scanning ----- RUNNING PROCESSES ----- C:\WINDOWS\System32\smss.exe -------------------- C:\WINDOWS\system32\csrss.exe -------------------- C:\WINDOWS\system32\winlogon.exe -------------------- C:\WINDOWS\system32\services.exe -------------------- C:\WINDOWS\system32\lsass.exe -------------------- C:\WINDOWS\system32\svchost.exe -------------------- C:\WINDOWS\system32\svchost.exe -------------------- 
C:\WINDOWS\System32\svchost.exe -------------------- C:\WINDOWS\system32\svchost.exe -------------------- C:\WINDOWS\system32\svchost.exe -------------------- C:\WINDOWS\system32\spoolsv.exe -------------------- C:\WINDOWS\Explorer.EXE -------------------- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -------------------- C:\WINDOWS\system32\RUNDLL32.EXE -------------------- C:\Program Files\Analog Devices\Core\smax4pnp.exe -------------------- C:\Program Files\Analog Devices\SoundMAX\Smax4.exe -------------------- C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe -------------------- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe -------------------- C:\Program Files\QuickTime\qttask.exe -------------------- C:\Program Files\iTunes\iTunesHelper.exe -------------------- C:\WINDOWS\system32\ctfmon.exe -------------------- C:\Program Files\Alwil Software\Avast4\ashServ.exe -------------------- C:\WINDOWS\system32\nvsvc32.exe -------------------- C:\WINDOWS\system32\wdfmgr.exe -------------------- C:\Program Files\iPod\bin\iPodService.exe -------------------- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -------------------- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -------------------- C:\WINDOWS\System32\alg.exe -------------------- C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe -------------------- C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe -------------------- C:\WINDOWS\system32\csrss.exe -------------------- C:\WINDOWS\system32\winlogon.exe -------------------- C:\WINDOWS\Explorer.EXE -------------------- C:\WINDOWS\system32\RUNDLL32.EXE -------------------- C:\Program Files\Analog Devices\Core\smax4pnp.exe -------------------- C:\Program Files\Analog Devices\SoundMAX\Smax4.exe -------------------- C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe -------------------- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe -------------------- C:\Program Files\QuickTime\qttask.exe -------------------- C:\Program Files\iTunes\iTunesHelper.exe 
-------------------- C:\WINDOWS\system32\ctfmon.exe -------------------- C:\WINDOWS\system32\wuauclt.exe -------------------- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe -------------------- C:\Program Files\OpenOffice.org 2.0\program\soffice.exe -------------------- C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN -------------------- C:\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\mbt2.exe FileSize: 1,782,336 [This is a Trojan Remover component] -------------------- ****************************** 12:51:33 p.m.: Checking AUTOEXEC.BAT file AUTOEXEC.BAT found in C:\ No malicious entries were found in the AUTOEXEC.BAT file ****************************** 12:51:33 p.m.: Checking AUTOEXEC.NT file AUTOEXEC.NT found in C:\WINDOWS\system32 No malicious entries were found in the AUTOEXEC.NT file ****************************** ------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------ HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page": www.microsoft.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page": %SystemRoot%\system32\blank.htm HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page": www.microsoft.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL": www.microsoft.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL": www.google.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch": ie.search.msn.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant": www.google.com HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page": http://xtra.co.nz/ HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page": C:\WINDOWS\system32\blank.htm HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page": http://www.google.com ****************************** === CHANGES WERE MADE TO THE WINDOWS 
REGISTRY === Scan completed at: 21/04/2007 12:51:33 p.m. ------------------------------------------------------------------------- One or more files could not be moved or renamed as requested. They may be in use by Windows, so Trojan Remover needs to restart the system in order to deal with these files. 21/04/2007 12:51:40 p.m.: restart commenced ************************************************************ ***** INDIVIDUAL FILE SCAN ***** Trojan Remover Ver 6.5.9, Build 2462. For information, email simplysupsupport@aol.com [Unregistered version] Scan started at: 19/04/2007 8:33:49 p.m. Using Database v6779 Operating System: Windows XP Home Edition Service Pack 2 (Build 2600) Using data directory: C:\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\ Logfile directory: C:\Documents and Settings\Owner\My Documents\Simply Super Software\Trojan Remover Logfiles\ Running with Administrator privileges ************************************************** Carrying out individual file scan on C:\Documents and Settings\Owner\Desktop\us.exe This file appears to be OK ************************************************************ ***** TROJAN REMOVER HAS RESTARTED THE SYSTEM ***** 19/04/2007 8:29:39 p.m.: Trojan Remover has been restarted Trojan Remover forced a System Restart by terminating WINLOGON.EXE. The Cleanup Utility was used to remove locked registry keys. C:\WINDOWS\system32\mljjh.dll has been renamed to C:\WINDOWS\system32\mljjh.dll.ren C:\WINDOWS\system32\mljjh.dll has been renamed to C:\WINDOWS\system32\mljjh.dll.ren 19/04/2007 8:29:39 p.m.: Trojan Remover closed ************************************************************ ***** NORMAL SCAN FOR ACTIVE MALWARE ***** Trojan Remover Ver 6.5.9, Build 2462. For information, email simplysupsupport@aol.com [Unregistered version] Scan started at: 19/04/2007 8:26:47 p.m. 
Using Database v6779 Operating System: Windows XP Home Edition Service Pack 2 (Build 2600) Using data directory: C:\Documents and Settings\Owner\Application Data\Simply Super Software\Trojan Remover\ Logfile directory: C:\Documents and Settings\Owner\My Documents\Simply Super Software\Trojan Remover Logfiles\ Running with Administrator privileges ************************************************** Checking Registry exefile command for modifications Checking Registry comfile command for modifications Checking Registry piffile command for modifications Checking Registry batfile command for modifications Checking Registry regfile command for modifications Checking Registry cmdfile command for modifications Checking Registry scrfile command for modifications ****************************** 8:26:47 p.m.: Scanning ----------WIN.INI----------- WIN.INI found in C:\WINDOWS ****************************** 8:26:47 p.m.: Scanning --------SYSTEM.INI--------- SYSTEM.INI found in C:\WINDOWS ****************************** 8:26:47 p.m.: ----- SCANNING FOR ROOTKIT SERVICES ----- No hidden Services were detected. 
****************************** 8:26:47 p.m.: Scanning -----WINDOWS REGISTRY----- -------------------- Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon -------------------- Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon This key's "Shell" value calls the following program(s): Explorer.exe - this entry has been left in place ---------- This key's "Userinit" value calls the following program(s): C:\WINDOWS\system32\userinit.exe - this entry has been left in place ---------- This key's "System" value appears to be blank ---------- -------------------- Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -------------------- Checking HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Value Name = load The Data Value for this entry appears to be blank -------------------- -------------------- Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run This Registry Key attempts to run the following program(s): Value Name = NvCplDaemon Value Data = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup - this command has been left in place -------------------- Value Name = nwiz Value Data = nwiz.exe /install - this command has been left in place -------------------- Value Name = NvMediaCenter Value Data = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit - this command has been left in place -------------------- Value Name = High Definition Audio Property Page Shortcut Value Data = HDAShCut.exe - this command has been left in place -------------------- Value Name = SoundMAXPnP Value Data = C:\Program Files\Analog Devices\Core\smax4pnp.exe - this command has been left in place -------------------- Value Name = SoundMAX Value Data = C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray - this command has been left in place -------------------- Value Name = SunJavaUpdateSched Value Data = C:\Program 
Files\Java\jre1.5.0_11\bin\jusched.exe - this command has been left in place -------------------- Value Name = NeroFilterCheck Value Data = C:\WINDOWS\system32\NeroCheck.exe - this command has been left in place -------------------- Value Name = avast! Value Data = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - this command has been left in place -------------------- Value Name = QuickTime Task Value Data = C:\Program Files\QuickTime\qttask.exe" -atboottime - this command has been left in place -------------------- Value Name = iTunesHelper Value Data = C:\Program Files\iTunes\iTunesHelper.exe - this command has been left in place -------------------- Value Name = SpywareBot Value Data = C:\Program Files\SpywareBot\SpywareBot.exe -boot - this command has been left in place [file not found to scan] -------------------- Value Name = TrojanScanner Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file -------------------- -------------------- Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce This Registry Key appears to be empty -------------------- Checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx This Registry Key appears to be empty -------------------- Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run This Registry Key attempts to run the following program(s): Value Name = CTFMON.EXE Value Data = C:\WINDOWS\system32\ctfmon.exe - this command has been left in place -------------------- Value Name = MsnMsgr Value Data = C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background - this command has been left in place -------------------- Value Name = BitTorrent Value Data = C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized - this command has been left in place [file not found to scan] -------------------- Value Name = spywarebot Value Data = C:\Program Files\spywarebot\spywarebot.exe" -boot - this command has been left in 
place [file not found to scan] -------------------- -------------------- Checking HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce This Registry Key appears to be empty ****************************** 8:26:48 p.m.: Scanning -----SHELLEXECUTEHOOKS----- ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972} File: shell32.dll - this file is expected and has been left in place ---------- ValueName: {7D064D71-DD76-4596-90C0-921766AD560A} File: C:\WINDOWS\system32\efcabxy.dll {7D064D71-DD76-4596-90C0-921766AD560A} - this registry value has been removed [file not found to scan] HKCR\CLSID\{7D064D71-DD76-4596-90C0-921766AD560A} - this key has been removed ---------- ValueName: {A2A61D92-555E-4E4D-A877-DE105D95AB90} File: C:\WINDOWS\system32\tuvtqnl.dll C:\WINDOWS\system32\tuvtqnl.dll - this ShellExecuteHook has been left in place ---------- ****************************** 8:26:59 p.m.: Scanning -----HIDDEN REGISTRY ENTRIES----- Taskdir check completed ---------- No Registry Run Keys Hidden Entries found ---------- ****************************** 8:26:59 p.m.: Scanning -----ACTIVE SCREENSAVER----- ScreenSaver=C:\WINDOWS\system32\sspipes.scr - this command has been left in place -------------------- ****************************** 8:26:59 p.m.: Scanning ----- REGISTRY ACTIVE SETUP KEYS ----- Checking the StubPath calls in the Active Setup\Installed Components registry keys: Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place ---------- Key=>{26923b43-4d38-484f-9b9e-de460746276c} StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place ---------- Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place ---------- Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED} StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place ---------- Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C} 
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place ---------- Key={7790769C-0471-11d2-AF11-00C04FA35D02} StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place ---------- Key={89820200-ECBD-11cf-8B85-00AA005B4340} StubPath=regsvr32.exe - this reference has been left in place ---------- Key={89820200-ECBD-11cf-8B85-00AA005B4383} StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place ---------- ****************************** 8:27:00 p.m.: Scanning ----- SERVICEDLL REGISTRY KEYS ----- Checking DLL files called from the CurrentControlSet\Services Keys: -------------------- Key=Alerter ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place -------------------- Key=AppMgmt ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this file is globally excluded (file cannot be found) -------------------- Key=AudioSrv ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place -------------------- Key=BITS ServiceDLL=C:\WINDOWS\system32\qmgr.dll - this reference has been left in place -------------------- Key=Browser ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place -------------------- Key=CryptSvc ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place -------------------- Key=DcomLaunch ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place -------------------- Key=Dhcp ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place -------------------- Key=dmserver ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place -------------------- Key=Dnscache ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place -------------------- Key=ERSvc ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place -------------------- 
Key=EventSystem ServiceDLL=C:\WINDOWS\system32\es.dll - this reference has been left in place -------------------- Key=FastUserSwitchingCompatibility ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place -------------------- Key=helpsvc ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place -------------------- Key=HidServ ServiceDLL=%SystemRoot%\System32\hidserv.dll - this file is globally excluded (file cannot be found) -------------------- Key=HTTPFilter ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place -------------------- Key=lanmanserver ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place -------------------- Key=lanmanworkstation ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place -------------------- Key=LmHosts ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place -------------------- Key=Messenger ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place -------------------- | DT33 (12171) | ||
| 543006 | 2007-04-21 02:12:00 | So, did trojan remover remove anything at all? When you clicked on scan? It looks like it. I would also update TR, it was updated the other day to 6.6.0. It looks like it removed/renamed files relating to Virtumonde. And Spywarebot, which looks like adware. Update trojan remover through its update option (did you reboot after trojan detected/removed the above files)? I would also get Rogueremover in my sig, and hijackthis. Put Hijackthis in its own folder, run it, then click on scan and save a log. Copy and paste the log here. | Speedy Gonzales (78) | ||
| 543007 | 2007-04-21 02:44:00 | Hi, I have updated Trojan remover. I did restart the machine when I did the TR scan. It does a quick scan and picks up more problems. I installed Hijackthis and below is the log file. Appreciate your help... Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 1:51:14 p.m., on 21/04/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe C:\Program Files\LimeWire\LimeWire.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\explorer.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis_v2.zip\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {13D60298-FC74-47DA-9638-10A4EB0FCDA8} - C:\WINDOWS\system32\mchncejh.dll O2 - BHO: (no name) - 
{1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\asnkhwkp.dll O2 - BHO: (no name) - {1E0634B3-94E0-4DEF-963C-DA05EAC258B4} - C:\WINDOWS\system32\awtqp.dll O2 - BHO: (no name) - {2A16EC02-ED45-4936-9590-51CBEAC20B29} - C:\WINDOWS\system32\mljjh.dll (file missing) O2 - BHO: (no name) - {5AF96A08-5257-4258-809B-4B88E7314B9e} - C:\WINDOWS\system32\mchncejh.dll O2 - BHO: (no name) - {715E62E4-63D4-4CB5-95EE-8388696FAEEA} - C:\WINDOWS\system32\pmnnk.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - (no file) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {A2A61D92-555E-4E4D-A877-DE105D95AB90} - C:\WINDOWS\system32\tuvtqnl.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ avast! 
] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - HKCU\..\Run: [spywarebot] "C:\Program Files\spywarebot\spywarebot.exe" -boot O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/229?a5f0caab2cc649f4b87297c7a508a22f O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/230?a5f0caab2cc649f4b87297c7a508a22f O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - 
Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\Games\IMVU\Run IMVU.lnk O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - messenger.zone.msn.com O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - messenger.zone.msn.com O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com O17 - HKLM\System\CCS\Services\Tcpip\..\{20A5DCB0-F597-4D8D-8A2C-D8F377CDBA8F}: NameServer = 202.27.158.40,202.27.156.72 O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll O20 - Winlogon Notify: tuvtqnl - C:\WINDOWS\SYSTEM32\tuvtqnl.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: iPod Service - Apple Computer, Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 8011 bytes |
DT33 (12171) | ||
| 543008 | 2007-04-21 03:17:00 | Ok put hijackthis in its own folder before u run it again, tick these entries and tick fix checked. Close browser/s. Find and delete the files in the entries below later, |
Speedy Gonzales (78) | ||
| 543009 | 2007-04-21 03:24:00 | I have a feeling this forum is going to cut 1/2 of my post again, it's so slow. So, just in case. Ok put hijackthis in its own folder before u run it again, tick these entries and tick fix checked. Close browser/s. Find and delete the files in the entries below later, either in XP or safe mode. ************************************************** ******* O2 - BHO: (no name) - {2A16EC02-ED45-4936-9590-51CBEAC20B29} - C:\WINDOWS\system32\mljjh.dll (file missing) O2 - BHO: (no name) - {5AF96A08-5257-4258-809B-4B88E7314B9e delete this file later too. O2 - BHO: (no name) - {715E62E4-63D4-4CB5-95EE-8388696FAEEA} - C:\WINDOWS\system32\pmnnk.dll (file missing) O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - (no file) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {A2A61D92-555E-4E4D-A877-DE105D95AB90} - C:\WINDOWS\system32\tuvtqnl.dll ************************************************** ******** O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKCU\..\Run: [spywarebot] "C:\Program Files\spywarebot\spywarebot.exe" -boot Find and delete the files in the entries below later, either in XP or safe mode. ************************************************** ****** O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll O20 - Winlogon Notify: tuvtqnl - C:\WINDOWS\SYSTEM32\tuvtqnl.dll ************************************************** ******* Then reboot, after that run trojan remover again, select the 3rd to 7th option under the utilities menu. See if Spywarebot appears in add/remove programs. If it does, uninstall it. I would also uninstall all versions of Sun Java. Update is in my sig below. 6 Update 1. I would also install a firewall. |
Speedy Gonzales (78) | ||
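The triage above can be expressed as a small log parser. This is an added example, not code from the thread or from HijackThis: it parses the O2/O4/O20 line shapes seen in this log and flags entries by the same criteria Speedy used (BHOs with no file, unnamed BHOs loaded from system32, a known rogue startup name, and Winlogon Notify DLLs that also appear as unnamed BHOs). The sample log and the `ROGUE_RUN_NAMES` set are constructed for the example.

```python
import re

# Constructed sample in HijackThis log format; entry shapes, GUIDs and paths
# are copied from the log posted in this thread (not the whole log).
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll
O2 - BHO: (no name) - {2A16EC02-ED45-4936-9590-51CBEAC20B29} - C:\\WINDOWS\\system32\\mljjh.dll (file missing)
O2 - BHO: (no name) - {7D064D71-DD76-4596-90C0-921766AD560A} - (no file)
O2 - BHO: (no name) - {A2A61D92-555E-4E4D-A877-DE105D95AB90} - C:\\WINDOWS\\system32\\tuvtqnl.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKCU\\..\\Run: [spywarebot] "C:\\Program Files\\spywarebot\\spywarebot.exe" -boot
O20 - Winlogon Notify: awtqp - C:\\WINDOWS\\system32\\awtqp.dll
O20 - Winlogon Notify: tuvtqnl - C:\\WINDOWS\\SYSTEM32\\tuvtqnl.dll
"""

ROGUE_RUN_NAMES = {"spywarebot"}  # startup names the thread identifies as rogue

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\]")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

def dll_base(path):
    """Lower-cased file name without extension: '...\\awtqp.dll' -> 'awtqp'."""
    return path.split("\\")[-1].split(" ")[0].lower().rsplit(".", 1)[0]

def triage(log_text):
    """Return (line, reason) pairs using the same criteria applied in this thread."""
    findings, unnamed_bho_dlls = [], set()
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if "(file missing)" in path or path == "(no file)":
                findings.append((line, "orphaned BHO: registry entry with no file"))
            elif name == "(no name)" and "\\system32\\" in path.lower():
                unnamed_bho_dlls.add(dll_base(path))
                findings.append((line, "unnamed BHO loaded from system32"))
            continue
        m = RUN_RE.match(line)
        if m and m.group("name").lower() in ROGUE_RUN_NAMES:
            findings.append((line, "Run entry for a known rogue antispyware"))
            continue
        m = NOTIFY_RE.match(line)
        if m and dll_base(m.group("path")) in unnamed_bho_dlls:
            findings.append((line, "Winlogon Notify DLL also registered as an unnamed BHO"))
        elif m:
            findings.append((line, "Winlogon Notify entry: review, it runs at every logon"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample lines and leaves the Java BHO and the NVIDIA Run entry alone; the cross-reference between O2 and O20 is what ties the two DLLs in this thread together.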
| 543010 | 2007-04-21 06:21:00 | Can I just clarify: "Ok put hijackthis in its own folder before u run it again" How do I do this? I downloaded and saved it in my docs. Again, thanks for your help. |
DT33 (12171) | ||
| 543011 | 2007-04-21 06:41:00 | Can I just clarify: "Ok put hijackthis in its own folder before u run it again" How do I do this? I downloaded and saved it in my docs. Again, thanks for your help. Make a new folder on C. Just call it HJT, then whatever folder u downloaded HJT to, cut and paste it to the HJT folder, then run it again. Then tick the entries I posted above. Then tick fix checked. |
Speedy Gonzales (78) | ||
| 543012 | 2007-04-21 11:41:00 | Thanks for the reply. I have covered off what you recommended. I couldn't find the 2 files that you listed to delete. They are below. O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKCU\..\Run: [spywarebot] "C:\Program Files\spywarebot\spywarebot.exe" -boot Spywarebot was not in the add/remove programs. Do you recommend a firewall? I did think that this already came with one. Again, I appreciate your help. |
DT33 (12171) | ||
| 543013 | 2007-04-21 20:05:00 | XP does come with a firewall, but it's limited in what it can do. It'll stop incoming nasties, but it doesn't block outgoing nasties. i.e. if you have a trojan or something nasty, XP's firewall won't stop it, it'll connect to whatever. Try Comodo (http://www.personalfirewall.comodo.com/) Is the Spywarebot folder still in C:\program files? |
Speedy Gonzales (78) | ||
| 543014 | 2007-04-21 21:22:00 | Hi there, My apologies upfront that my first post is one asking for help. Don't worry about it: so was mine. |
pcuser42 (130) | ||