# Please help me with trojan zlob.pornadvertiser.ba



## mand1 (Jul 3, 2008)

Hello friends, please help me. My computer has a serious problem and I am not able to do anything. I get an error saying that my computer has the zlob.pornadvertiser.ba virus and nothing seems to be working. The alert keeps popping up. The browser closes every time I click on anything. I got to this site by logging in through a different login. Please help.

I saw a few responses on the site and I have got the log from HijackThis. The rest of what was in the post I was not able to understand.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:13 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - HKCU\..\Run: [BlazeServoTool] "D:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 6014 bytes


----------



## grk77536 (Jul 3, 2008)

Do you have a spyware/adware blocker? I had a similar problem where a software title kept installing itself and caused a huge memory dump.
I had to format my HDD and start over. Viruses suck!


----------



## mand1 (Jul 3, 2008)

I tried installing one, but currently no online tool is working here. I tried NOD32 and it did not work, and I tried Uniblue; even that did not show it.


----------



## Punk (Jul 3, 2008)

Hello,


Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
 Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


----------



## mand1 (Jul 3, 2008)

Thanks a ton for your quick solution to my problem. You were my savior today. I followed all the steps. Currently I am sending this from my login and it's working. I don't know if the virus is deleted completely, but I don't have those icons on the desktop anymore. I don't even get pop-ups. Does this mean that there is no more virus in my computer?

This is the report for SDFix:


*SDFix: Version 1.201 *
Run by mand on Thu 07/03/2008 at 10:40 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:

*Name *: 
SysLibrary

*Path *:
\??\C:\WINDOWS\system32\DefLib.sys 

SysLibrary - Deleted



Restoring Default Security Values
Restoring Default Hosts File
-------

This is the log file of ComboFix:

ComboFix 08-07-02.5 - mand 2008-07-03 22:49:14.1 - *FAT32*x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.79 [GMT 5.5:30]
Running from: C:\Documents and Settings\mand\Desktop\ComboFix.exe
 * Resident AV is active


*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\mand\Desktop\BDSM galleries.URL
C:\Documents and Settings\mand\Desktop\CP illegal content.URL
C:\Documents and Settings\mand\Desktop\Uncensored porn.URL
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\igfxhk.dll
C:\WINDOWS\system32\kdvnf.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\ntload.dll
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex3.ico
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wscmp.dll
C:\WINDOWS\system32\zlib.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SysLibrary


(((((((((((((((((((((((((   Files Created from 2008-06-03 to 2008-07-03  )))))))))))))))))))))))))))))))
.

2008-07-03 22:36 . 2008-07-03 22:36	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-07-03 22:31 . 2008-07-04 14:46	<DIR>	d--------	C:\SDFix
2008-07-03 22:26 . 2008-07-03 22:26	<DIR>	d--------	C:\Documents and Settings\neel\Phone Browser
2008-07-03 22:26 . 2008-07-03 22:26	<DIR>	d--------	C:\Documents and Settings\neel\Application Data\Datalayer
2008-07-03 20:46 . 2008-07-03 20:46	<DIR>	d--------	C:\Documents and Settings\neel\Application Data\Apple Computer
2008-07-03 19:55 . 2008-07-03 19:55	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-03 16:06 . 2008-07-03 16:06	<DIR>	d--------	C:\Program Files\SpyNoMore
2008-07-03 16:06 . 2008-07-03 16:06	1,152	--a------	C:\WINDOWS\system32\windrv.sys
2008-07-03 16:05 . 2008-07-03 16:05	<DIR>	d--------	C:\Program Files\Common Files\Download Manager
2008-07-03 15:45 . 2008-07-03 15:45	262,144	--a------	C:\WINDOWS\system32\wscmp.dll.tmp
2008-07-03 15:41 . 2008-07-03 15:41	0	--a------	C:\WINDOWS\system32\sex3.ico.tmp
2008-07-03 15:40 . 2008-07-03 15:40	0	--a------	C:\WINDOWS\system32\sex2.ico.tmp
2008-07-03 15:40 . 2008-07-03 15:40	0	--a------	C:\WINDOWS\system32\sex1.ico.tmp
2008-06-19 10:46 . 2008-06-19 10:46	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\InterVideo
2008-06-19 10:46 . 2002-09-27 07:53	9,856	---------	C:\WINDOWS\system32\drivers\pfc.sys
2008-06-19 10:45 . 2001-12-10 17:42	204,800	--a------	C:\WINDOWS\system32\IVIresizeW7.dll
2008-06-19 10:45 . 2001-12-10 17:42	200,704	--a------	C:\WINDOWS\system32\IVIresizeA6.dll
2008-06-19 10:45 . 2001-12-10 17:42	192,512	--a------	C:\WINDOWS\system32\IVIresizeP6.dll
2008-06-19 10:45 . 2001-12-10 17:42	192,512	--a------	C:\WINDOWS\system32\IVIresizeM6.dll
2008-06-19 10:45 . 2001-12-10 17:42	188,416	--a------	C:\WINDOWS\system32\IVIresizePX.dll
2008-06-19 10:45 . 2001-12-10 17:42	20,480	--a------	C:\WINDOWS\system32\IVIresize.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
1998-12-08 13:53	99,840	----a-w	C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-08 13:53	70,144	----a-w	C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-08 13:53	48,640	----a-w	C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-08 13:53	31,744	----a-w	C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-08 13:53	186,368	----a-w	C:\Program Files\Common Files\IRAREG.DLL
1998-12-08 13:53	17,920	----a-w	C:\Program Files\Common Files\IRASRIAL.DLL
2007-04-27 20:16	1,682	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-27 20:16	88	--sh--r	C:\WINDOWS\system32\0C448332F0.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC8A4AB-C055-461E-B4B5-1B0EA8647897}]
2007-06-03 18:20	208384	--a------	C:\WINDOWS\system32\confl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-02-08 23:06 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-02-08 23:02 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]
"PCSuiteTrayApplication"="D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 08:49 217088]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-11 15:10 949376]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-13 11:51 14156800 C:\WINDOWS\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\mand\Start Menu\Programs\Startup\
REALHOUND IP Tune and Lube.LNK - C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe [2006-10-09 11:11:04 303104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Symantec Fax Starter Edition Port.lnk - D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 14:21:54 45568]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^mand^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\mand\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^mand^Start Menu^Programs^Startup^REALHOUND IP Tune and Lube.LNK]
path=C:\Documents and Settings\mand\Start Menu\Programs\Startup\REALHOUND IP Tune and Lube.LNK
backup=C:\WINDOWS\pss\REALHOUND IP Tune and Lube.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-04-27 11:25 257088 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 10:54:18 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-QuickPhrase - D:\Program Files\TypingMaster\quickphrase\quickphrase.exe
HKCU-Run-DLD.EXE - D:\Program Files\Download Direct\DLD.exe
HKLM-Run-C:\WINDOWS\system32\kdvnf.exe - C:\WINDOWS\system32\kdvnf.exe
MSConfigStartUp-Act! Preloader - D:\Program Files\ACT\Act for Windows\ActSage.exe
MSConfigStartUp-Act.Outlook - D:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 22:53:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


C:\sccfg.sys 8192 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\PROGRAM FILES\CANON\CAL\CALMAIN.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
.
**************************************************************************
.
Completion time: 2008-07-03 22:54:43 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-03 17:24:36

Pre-Run: 4,179,795,968 bytes free
Post-Run: 4,228,128,768 bytes free

157
---------

If this is fixed, can I delete the files that I had downloaded? I have 2 folders in my C drive with these names: SDFix and Qoobox (don't know what this is). Please let me know if I need to delete anything else.

And once again, thanks a lot.


----------



## mand1 (Jul 3, 2008)

Forgot to mention one more thing. I don't find findstr, find, sed or swreg in the processes.


----------



## Respital (Jul 3, 2008)

Please post a fresh HiJackThis log.
Just to make sure you are no longer infected.


----------



## Punk (Jul 3, 2008)

mand1 said:


> If this is fixed, can I delete the files that I had downloaded? I have 2 folders in my C drive with these names: SDFix and Qoobox (don't know what this is). Please let me know if I need to delete anything else.
> 
> And once again, thanks a lot.



We'll get rid of them when we're sure we're done.

I'm currently reading the log to make sure nothing is still on your computer.


----------



## mand1 (Jul 3, 2008)

This is the new HijackThis log. I also wanted to let you know that I ran Uniblue SpyEraser and it found 3 spyware items: SearchExe Hijacker (severe), Adware.BHO.t (high), Trojan-spy.BZub.hv (elevated). Don't know if it is related to the same problem.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:18 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5549 bytes


----------
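The two HijackThis logs in this thread (the first one posted at the top and the fresh one just above) can be compared mechanically instead of by eye. The following Python script is an added example for this thread; it is not code from the original posts, from HijackThis or from the helpers here. It parses the R/O entry lines of a log, applies a few heuristics of its own (a Run value whose name is its own file path, a BHO DLL sitting in the system32 root, a populated AppInit_DLLs value, a custom NameServer, a service whose binary is missing; these are the example's assumptions for illustration, not a verdict on any file), and diffs the earlier log against the later one to show which load points survived the SDFix/ComboFix run. The embedded logs are constructed excerpts of the two logs posted in this thread, not the complete logs.

```python
"""Triage and diff two Trend Micro HijackThis v2 logs.

Added example for this thread, not code from the original posts or from
HijackThis. The heuristics in flag() are this example's own assumptions
about what deserves a closer look; they are not a malware verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A HijackThis entry line: "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [x] y"
LINE_RE = re.compile(r"^(?P<kind>[RFON]\d+)\s+-\s+(?P<body>.*)$")
# Registry Run entries: "HKLM\..\Run: [value name] command"
O4_RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # HijackThis section code, e.g. "O4"
    body: str   # everything after "O4 - "


def parse(log: str) -> List[Entry]:
    """Keep only the entry lines; process lists and headers are dropped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m.group("kind"), m.group("body")))
    return out


def flag(e: Entry) -> Optional[str]:
    """Return a reason to look closer, or None. Heuristics only (assumed)."""
    if e.kind == "O4":
        m = O4_RUN_RE.match(e.body)
        # A Run value named after its own full path is typical of a dropper
        # registering itself; legitimate software uses a product name.
        if m and re.match(r"^[A-Za-z]:\\", m.group("name")):
            return "Run value is named after its own path"
    if e.kind == "O2" and re.search(r"\\system32\\[^\\]+\.dll$", e.body, re.I):
        return "BHO DLL sits in the system32 root rather than a vendor folder"
    if e.kind == "O20" and e.body.startswith("AppInit_DLLs:"):
        if e.body.split(":", 1)[1].strip():
            return "AppInit_DLLs is set: loaded into every process that loads user32"
    if e.kind == "O17":
        return "custom NameServer: confirm the addresses belong to your ISP"
    if e.kind == "O23" and "(file missing)" in e.body:
        return "service binary missing (often a leftover, sometimes a removed dropper)"
    return None


def triage(log: str) -> List[Tuple[Entry, str]]:
    """All flagged entries of one log, each with its reason."""
    return [(e, r) for e in parse(log) if (r := flag(e))]


def diff_logs(before: str, after: str) -> Dict[str, List[Entry]]:
    """Which entries disappeared, appeared, or persisted while still flagged."""
    b, a = parse(before), parse(after)
    b_set, a_set = set(b), set(a)
    return {
        "removed": [e for e in b if e not in a_set],
        "added": [e for e in a if e not in b_set],
        "persisted_flagged": [e for e in a if e in b_set and flag(e)],
    }


# Constructed excerpts of the two logs posted in this thread (first log
# before SDFix/ComboFix, second log after); not the full logs.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\system32\csrss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""

if __name__ == "__main__":
    for e, reason in triage(AFTER_LOG):
        print(f"[{e.kind}] {reason}\n    {e.body}")
    for key, items in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(f"\n{key} ({len(items)}):")
        for e in items:
            print(f"  {e.kind} - {e.body}")
```

On these two excerpts the diff shows the AppInit_DLLs value and two Run entries gone after the cleanup, while the kdvnf.exe Run value and the confl.dll BHO are still present in the later log, which is the kind of survivor a helper would want to see listed before declaring the machine clean. Feed it a full log by replacing the embedded strings with the file contents.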



## Punk (Jul 3, 2008)

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

This allows hackers to remotely control your computer, *steal critical system information* and *download and execute files*.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided.

If you wish to continue, do the following:

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> C:\WINDOWS\system32\sex3.ico.tmp
> C:\WINDOWS\system32\sex2.ico.tmp
> C:\WINDOWS\system32\sex1.ico.tmp
> C:\WINDOWS\system32\perfc000.dat



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*

*Download and Run DSS*

Download *Deckard's System Scanner (DSS)* to your *Desktop*. You must be logged onto an account with administrator privileges.

*Close* all applications and windows.
*Double-click* on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - *main.txt* <- this one will be maximized and *extra.txt*<- this one will be minimized.
Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* and the *extra.txt* in your reply.


----------



## mand1 (Jul 3, 2008)

Thanks Punk for offering to help me. I understand what you mean.

I do not do any financial transactions on my computer. The passwords would be those of my e-mail addresses and of others who use this computer. I would like to format my computer, but I am not aware of how to do it and cannot take that chance with this, as I am not sure if my Windows XP CD is working either. The suggestion that you gave for me to contact a computer professional would be wise. But until I do that, I was just thinking I could temporarily try your suggestions.

I am not an expert in the technical field. The suggestions which you had given me till now were quite easy to follow. So please tell me if you think that it would be okay for us to try cleaning the machine. I would definitely try to do it for now and see if it can get fixed. If you feel it's not going to be a very tough one, please let me know how to proceed.


----------



## adarsh (Jul 3, 2008)

Hi,
Please follow Punk's earlier post to save time and attempt to clear the infection.
He has clearly mentioned that you may proceed with the removal steps in case you want to continue with the fix.


----------



## Punk (Jul 3, 2008)

We can't be 100% sure the backdoor infection will be cleaned.

Here is a tutorial on how to format your HD:

http://www.ehow.com/how_6026_format-hard-drive.html

If you want to continue with the fix, just post the logs I'm asking for in the other post.


----------



## mand1 (Jul 5, 2008)

Hi Punk, how are you?

Today I followed the steps of running Avenger and DSS. Here are the results.

Avenger-

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\sex3.ico.tmp" deleted successfully.
File "C:\WINDOWS\system32\sex2.ico.tmp" deleted successfully.
File "C:\WINDOWS\system32\sex1.ico.tmp" deleted successfully.

Error:  file "C:\WINDOWS\system32\perfc000.dat" not found!
Deletion of file "C:\WINDOWS\system32\perfc000.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

--------

Main-

Deckard's System Scanner v20071014.68
Run by mand on 2008-07-05 16:38:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-07-05 11:08:09 UTC - RP321 - Deckard's System Scanner Restore Point
17: 2008-07-03 09:33:16 UTC - RP320 - System Checkpoint
16: 2008-07-02 08:44:34 UTC - RP319 - System Checkpoint
15: 2008-06-30 17:12:50 UTC - RP318 - System Checkpoint
14: 2008-06-29 15:30:05 UTC - RP317 - System Checkpoint


-- First Restore Point -- 
1: 2008-04-17 15:18:01 UTC - RP304 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 479 MiB (512 MiB recommended).


-- HijackThis (run as mand.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:00 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\mand\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mand.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5218 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 windrvNT - c:\windows\system32\windrvnt.sys
R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 prfldsvc (Private Folder Service) - d:\program files\microsoft private folder 1.0\prfldsvc.exe

S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-10 16:24:18       338 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-03 22:48:01     68096 --a------ C:\WINDOWS\zip.exe
2008-07-03 22:48:01    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-03 22:48:00     49152 --a------ C:\WINDOWS\VFind.exe
2008-07-03 22:48:00    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-03 22:48:00    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-03 22:48:00     80412 --a------ C:\WINDOWS\grep.exe
2008-07-03 22:48:00     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-03 22:36:42         0 d-------- C:\WINDOWS\ERUNT
2008-07-03 22:26:15         0 d-------- C:\Documents and Settings\neel\Application Data\Datalayer
2008-07-03 22:26:13         0 d-------- C:\Documents and Settings\neel\Phone Browser
2008-07-03 20:46:14         0 d-------- C:\Documents and Settings\neel\Application Data\Apple Computer
2008-07-03 19:55:39         0 d-------- C:\Program Files\Trend Micro
2008-07-03 16:06:36      1152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-03 16:05:28         0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-19 10:46:17         0 d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2008-06-19 10:46:02      9856 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
2008-06-19 10:45:13    204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-06-19 10:45:13    188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-06-19 10:45:13    192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-06-19 10:45:13    192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-06-19 10:45:13    200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-06-19 10:45:13     20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-06-07 10:35:55         0 dr-h----- C:\Documents and Settings\mand\Recent


-- Find3M Report ---------------------------------------------------------------

2008-07-05 16:35:06        12 --a------ C:\WINDOWS\bthservsdp.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC8A4AB-C055-461E-B4B5-1B0EA8647897}]
06/03/2007 06:20 PM	208384	--a------	C:\WINDOWS\system32\confl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/08/2005 11:06 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/08/2005 11:02 PM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [04/13/2005 11:51 AM C:\WINDOWS\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [10/12/2006 03:10 AM]
"PCSuiteTrayApplication"="D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [12/13/2005 08:49 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [06/11/2007 03:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"C:\WINDOWS\system32\kdvnf.exe"="C:\WINDOWS\system32\kdvnf.exe" []

C:\Documents and Settings\mand\Start Menu\Programs\Startup\
REALHOUND IP Tune and Lube.LNK - C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe [10/9/2006 11:11:04 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Symantec Fax Starter Edition Port.lnk - D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [12/23/1998 2:21:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^mand^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\mand\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^mand^Start Menu^Programs^Startup^REALHOUND IP Tune and Lube.LNK]
path=C:\Documents and Settings\mand\Start Menu\Programs\Startup\REALHOUND IP Tune and Lube.LNK
backup=C:\WINDOWS\pss\REALHOUND IP Tune and Lube.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	BthServ




-- End of Deckard's System Scanner: finished at 2008-07-05 16:39:30 ------------

Extra-

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.06GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.06GHz
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 478.73 MiB / 98.27 MiB
Pagefile Memory (total/avail): 1426.36 MiB / 1109.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.75 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 9.76 GiB total, 3.89 GiB free. 
D: is Fixed (FAT32) - 9.76 GiB total, 1.12 GiB free. 
E: is Fixed (FAT32) - 9.75 GiB total, 1.59 GiB free. 
F: is Fixed (FAT32) - 7.94 GiB total, 1.22 GiB free. 
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340014A - 37.27 GiB - 4 partitions
  \PARTITION0 (bootable) - Unknown - 9.77 GiB - C:
  \PARTITION1 - Extended w/Extended Int 13 - 27.49 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

UpdatesDisableNotify is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"
"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mand\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mand
LOGONSERVER=\\COMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Intuwave\Shared\mRouterRuntime;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mand\LOCALS~1\Temp
TMP=C:\DOCUME~1\mand\LOCALS~1\Temp
USERDOMAIN=COMPUTER
USERNAME=mand
USERPROFILE=C:\Documents and Settings\mand
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

mand _(admin)_
neel _(admin)_


-- Add/Remove Programs ---------------------------------------------------------

 --> d:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
 --> MsiExec.exe /X{09959E11-AD5D-408E-96AF-E3346954D6B8}
 --> MsiExec.exe /X{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
BlazeDVD 5.0 Professional --> "D:\Program Files\BlazeVideo\BlazeDVD 5 Professional\unins000.exe"
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
FileZilla (remove only) --> "D:\Program Files\FileZilla\uninstall.exe"
Folder Lock --> D:\Program Files\Folder Lock\Uninstall.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{3592F5CB-B524-43AA-92F2-2377268199CC}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
m-Router 3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A2092B2A-A4FB-4464-A4C0-023D2C9993F8}\Setup.exe" -l0x9 
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Access 2003 Runtime --> MsiExec.exe /I{901C0409-6000-11D3-8CFE-0150048383C9}
Microsoft Private Folder 1.0 --> MsiExec.exe /I{644EA08F-87D2-48C0-AE94-B327D1C85A97}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
Nokia Connectivity Cable Driver --> MsiExec.exe /X{B7757137-0A71-4A9F-8A82-1AE4A1B73420}
Nokia Multimedia Factory --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BD72E64C-F0DB-40CB-846B-611C57D8AB0C} /l2057 
Nokia PC Suite --> MsiExec.exe /I{FF059F2A-62A7-4E6A-B305-559591D2769E}
Nokia Software Updater --> MsiExec.exe /X{447AC5D6-8520-4151-AECA-323C36507EFB}
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
REALHOUND IP --> D:\realhndip\Uninst_REALHOUND IP.exe /U "D:\realhndip\Uninst_REALHOUND IP.log"
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
RECIPE ORGANIZER DELUXE (S) --> MsiExec.exe /I{B5A9399E-A38F-489D-BAB5-A14EDBE55E1B}
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Skype 3.1 --> "D:\Program Files\Skype\Phone\unins000.exe"
Switch Off --> "D:\Program Files\Switch Off\uninstall.exe"
Uniblue PowerSuite --> "D:\Program Files\Uniblue\unins000.exe"
Unlocker 1.8.5 --> D:\Program Files\Unlocker\uninst.exe
VideoLAN VLC media player 0.8.5 --> D:\Program Files\VideoLAN\VLC\uninstall.exe
WinDVR --> "C:\Program Files\InstallShield Installation Information\{6BF4613C-0A46-43AA-8FA8-0CB9F2C1A548}\setup.exe" REMOVEALL
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> D:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U D:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
YoutubeGet 4 --> "D:\Program Files\YoutubeGet\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type14070 / Warning
Event Submitted/Written: 07/05/2008 04:34:30 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type14031 / Error
Event Submitted/Written: 07/03/2008 07:35:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type14030 / Error
Event Submitted/Written: 07/03/2008 07:34:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type14029 / Error
Event Submitted/Written: 07/03/2008 07:33:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type14024 / Error
Event Submitted/Written: 07/03/2008 04:12:45 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module kernel32.dll, version 5.1.2600.2180, fault address 0x0001eb33.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30768 / Warning
Event Submitted/Written: 07/03/2008 11:43:34 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type30739 / Error
Event Submitted/Written: 07/03/2008 10:45:31 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 00000023, parameter2 00000002, parameter3 00000000, parameter4 804fccd6.

Event Record #/Type30724 / Error
Event Submitted/Written: 07/03/2008 10:36:40 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
nod32drv
RasAcd
Rdbss
Tcpip
WS2IFSL

Event Record #/Type30723 / Error
Event Submitted/Written: 07/03/2008 10:36:40 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
%%31

Event Record #/Type30722 / Error
Event Submitted/Written: 07/03/2008 10:36:40 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: 
%%31



-- End of Deckard's System Scanner: finished at 2008-07-05 16:39:30 ------------

I just wanted to add 1 more query. I hope I am not troubling you too much with my questions. As soon as I switch on my computer I get a screen saying EPROM MISS. I have an external TV tuner card connected. After some time it will start working, if I try to check any connections or by itself. But when that message is displayed I would not be able to do anything till it gets fixed. And when it works, the whole monitor screen has the picture when I use TV. But when I change to computer mode, a very small part at the end of the screen is not used. Is there any resolution problem? I have tried my best to explain the problem in words here. If you have any resolution, plz let me know. Thanks


----------
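The two logs above (the HijackThis O4/O23 lines and the Avenger result block) lend themselves to a small cross-check, shown here as an added example that is not part of the thread and is not code from HijackThis, DSS or Avenger: it parses a constructed subset of the lines posted above and reports which autostart entries point at a file that Avenger reported absent on disk. The "value named after its own path" heuristic is an assumption stated in the comments.

```python
"""Cross-check HijackThis autostart entries against an Avenger result log.

Added example for this thread; the sample lines are a constructed subset copied
from the logs posted above, and the heuristics are the author's assumptions.
"""
import re

# Constructed sample: a few O4 Run entries and one O23 service line from the log.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""

# Constructed sample: the result block Avenger wrote for the two scripts above.
AVENGER_SAMPLE = r"""
File "C:\WINDOWS\system32\sex3.ico.tmp" deleted successfully.
File "C:\WINDOWS\system32\sex2.ico.tmp" deleted successfully.

Error:  file "C:\WINDOWS\system32\kdvnf.exe" not found!
Deletion of file "C:\WINDOWS\system32\kdvnf.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
DELETED_RE = re.compile(r'^File "(?P<path>[^"]+)" deleted successfully\.$')
NOTFOUND_RE = re.compile(r'^Error:\s+file "(?P<path>[^"]+)" not found!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<name>[A-Z_]+)\)$')


def command_path(cmd):
    """Executable path of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage_hijackthis(log):
    """Return (finding, path) pairs for the autostart patterns worth a second look."""
    findings = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            # Assumption: installers register a short product name as the value
            # name; a value named after its own file path (the kdvnf.exe line in
            # the log above) is unusual enough to list for review.
            if re.match(r'^[A-Za-z]:\\', m['name']):
                findings.append(('run-value-named-after-path', command_path(m['cmd'])))
            continue
        m = SERVICE_RE.match(line.strip())
        if m and m['path'].endswith('(file missing)'):
            findings.append(('service-binary-missing', m['path'][:-len(' (file missing)')]))
    return findings


def parse_avenger(log):
    """Map each lower-cased path Avenger acted on to 'deleted' or its NTSTATUS name."""
    results, last_failed = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            results[m['path'].lower()] = 'deleted'
            continue
        m = NOTFOUND_RE.match(line)
        if m:
            last_failed = m['path'].lower()
            results[last_failed] = 'not found'
            continue
        m = STATUS_RE.match(line)
        if m and last_failed:
            results[last_failed] = m['name']  # e.g. STATUS_OBJECT_NAME_NOT_FOUND
            last_failed = None
    return results


def orphaned_autostarts(hjt_log, avenger_log):
    """Autostart entries still present in HijackThis whose target Avenger could not find."""
    avenger = parse_avenger(avenger_log)
    return [path for _, path in triage_hijackthis(hjt_log)
            if avenger.get(path.lower()) == 'STATUS_OBJECT_NAME_NOT_FOUND']


if __name__ == '__main__':
    for kind, path in triage_hijackthis(HJT_SAMPLE):
        print(f'{kind:30} {path}')
    for path, status in parse_avenger(AVENGER_SAMPLE).items():
        print(f'{status:30} {path}')
    print('orphaned autostart entries:', orphaned_autostarts(HJT_SAMPLE, AVENGER_SAMPLE))
```

An autostart value whose file is already gone is a registry leftover rather than a live binary, which is why the next step in a thread like this is usually removing the Run entry itself rather than re-running the file deletion.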



## Punk (Jul 6, 2008)

Hello,
Sorry for the late reply, I had graduation day.
There is still a file I want to get rid of, then we'll start the registry cleaning and I will try to help you with your resolution problem.


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> C:\WINDOWS\system32\kdvnf.exe





Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*



Please post a fresh HijackThis log after you've done that.
Are you still having symptoms of the Trojan infection?


----------



## mand1 (Jul 7, 2008)

Hey Punk, you seem to be so knowledgeable that you must have had a great graduation day.

I do not have such symptoms as I had that day. But there are a few things I would let you know that have been happening for quite a few months which I did not bother much about, but I don't think it would be a trojan. When I open a link from a Google search, sometimes a spyware called thermicosoft opens in IE. My Uniblue SpyEraser detects low-threat viruses of the threat type Tracking Cookie, named DoubleClick, mediaplex.com, StatCounter, tribalfusion.com and a few more. These had not caused any problem till now so I had just left them.

Here is the result of avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\system32\kdvnf.exe" not found!
Deletion of file "C:\WINDOWS\system32\kdvnf.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

--------

Here is the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:18 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5221 bytes


----------



## Punk (Jul 7, 2008)

OK, the file was not deleted; let's try something else. I need another expert to create a ComboFix script that will try to delete the file.

In the meantime, please post a Kaspersky log:

*Run Kaspersky Online AV Scanner*
Using *Internet Explorer*, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the *Accept* button at the end of the page.

_Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%._

- Read the *Requirements and limitations* before you click *Accept*.
- Allow the ActiveX download if necessary.
- Once the database has downloaded, click *Next*.
- Click *Scan Settings* and change the "*Scan using the following antivirus database*" from *standard* to *extended* and then click *OK*.
- Click on "*My Computer*" and then put the kettle on!
When the scan has completed, click *Save Report As...*
- Enter a name for the file in the *Filename:* text box and then click the down arrow to the right of *Save as type:* and select *text file (*.txt)*
- Click *Save* - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


PS:


> Hey Punk, you seem to be so knowledgeable that you would have had a great graduation day



Thanks


----------



## Buzz1927 (Jul 7, 2008)

Punk said:


> Ok the file was not deleted,


It's already been deleted, just fix the Hijackthis entry


----------



## Punk (Jul 8, 2008)

Buzz1927 said:


> It's already been deleted, just fix the Hijackthis entry



Oh, OK.

Please do the Kaspersky log, then this:

Open Hijackthis, this time *do a system scan only*

Place a checkmark next to this line:



> [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe



Close all browsers and click on Fix.

Post a fresh HijackThis log after you've done that, along with the Kaspersky log.
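The entry Punk asks to fix above has a shape worth recognising in any HijackThis log: the Run value's *name* is the executable's full path, identical to the command it launches, which legitimate installers almost never do. The later logs in this thread also show the other common leftover, an entry HijackThis marks "(file missing)" once the file has been removed. The reviewer below is an added example, not part of HijackThis or of this thread; it scans O2 (BHO) and O4 (Run key) lines for those two shapes. The sample lines are copied from the logs posted in this thread, and the function names (`review_hjt`) are my own.

```python
"""Flag HijackThis autostart entries worth a second look (added example).

Not part of HijackThis itself: a small reviewer for the O2 (BHO) and
O4 (Run key) lines of a pasted log. It reports two shapes that are
typical of malware-created entries and of leftovers after cleanup:
  - an O4 Run value whose *name* is a full path, usually identical to the
    command it launches (software installers give their entries a label)
  - any entry HijackThis marks "(file missing)", an orphan that points
    at a file that no longer exists and can simply be removed
"""
import re
from typing import List, Tuple

# "O4 - HKLM\..\Run: [Name] command line" (Startup-folder O4 lines use a different shape)
O4_RUN = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O2 - BHO: Name - {CLSID} - path"
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll",
    r"O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll (file missing)",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r"O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe",
    r"O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe",
]


def review_hjt(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, section, reason) for every entry that needs a look."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, 1):
        m = O4_RUN.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if "\\" in name:
                # A registry value named after a path is a machine-made entry.
                findings.append((lineno, "O4", f"Run value named after its own path: [{name}]"))
            if "(file missing)" in cmd:
                findings.append((lineno, "O4", f"orphan entry, target missing: {cmd}"))
            continue
        m = O2_BHO.match(line)
        if m and m.group("path").endswith("(file missing)"):
            findings.append((lineno, "O2", f"orphan BHO {{{m.group('clsid')}}}: {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for lineno, section, reason in review_hjt(SAMPLE_HJT_LINES):
        print(f"line {lineno} ({section}): {reason}")
```

Run over the sample, it reports the orphan Console Flash BHO and the kdvnf.exe Run entry and stays silent on the labelled Intel and NOD32 entries. Ticking an entry in HijackThis and clicking Fix only removes the registry value or shortcut, not the file it points to, which is why Punk pairs the fix with a file-deletion step.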


----------



## mand1 (Jul 8, 2008)

This found so many viruses on my computer!!!!!!! :-(
My PC is behaving the same way as I had mentioned in my last reply, that is, the SpyEraser results I had mentioned. I don't see any other issues. If you meant anything in particular, please let me know.

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Tuesday, July 8, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Tuesday, July 08, 2008 14:13:44
 Records in database: 927382
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	A:\
	C:\
	D:\
	E:\
	F:\
	G:\

Scan statistics:
	Files scanned: 43969
	Threat name: 16
	Infected objects: 22
	Suspicious objects: 0
	Duration of the scan: 01:08:20


File name / Threat name / Threats count
C:\WINDOWS\system32\confl.dll//ASPack/C:\WINDOWS\system32\confl.dll//ASPack	Infected: not-a-virus:AdWare.Win32.Delf.l	2
C:\WINDOWS\system32\confl.dll	Infected: not-a-virus:AdWare.Win32.Delf.l	1
C:\Program Files\ESET\infected\4JAR3YDA.NQF	Infected: Trojan-Downloader.Win32.Firu.b	1
C:\Program Files\ESET\infected\LLC0SFCA.NQF	Infected: Trojan-Spy.Win32.Goldun.ms	1
C:\Program Files\ESET\infected\DKVJLLDA.NQF	Infected: Trojan-Spy.Win32.Goldun.ms	1
C:\Program Files\ESET\infected\3RQHMZBA.NQF	Infected: Trojan-Proxy.Win32.Xorpix.cs	1
C:\Program Files\ESET\infected\PQPESFDA.NQF	Infected: Packed.Win32.Tibs.gu	1
C:\Program Files\ESET\infected\WS2Z12DA.NQF	Infected: Trojan-Downloader.Win32.Injecter.dr	1
C:\Program Files\ESET\infected\SWL3EMAA.NQF	Infected: Trojan.Win32.Agent.dkw	1
C:\Program Files\ESET\infected\AZHCV2BA.NQF	Infected: Trojan.Win32.Agent.asu	1
C:\Program Files\ESET\infected\ZZPKQICA.NQF	Infected: Trojan-Dropper.Win32.Small.azk	1
C:\Program Files\ESET\infected\AIC3VTAA.NQF	Infected: Trojan.Win32.Pakes.brk	1
C:\Program Files\ESET\infected\03RLOHAA.NQF	Infected: Trojan.Win32.Pakes.cti	1
C:\Program Files\ESET\infected\RR0AMQDA.NQF	Infected: Trojan-Downloader.Win32.Cntr.ca	1
C:\Program Files\ESET\infected\GDTWT2AA.NQF	Infected: Rootkit.Win32.Clbd.dc	1
C:\Program Files\ESET\infected\GBZ4LFBA.NQF	Infected: Rootkit.Win32.Clbd.dc	1
C:\Program Files\REALHOUND IP Client\rhsupport.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c	1
C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106350.exe	Infected: Trojan-Proxy.Win32.Agent.arf	1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir	Infected: Trojan-Proxy.Win32.Agent.arf	1
D:\realhndip\40.txt	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c	1
F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm	1

The selected area was scanned.
------

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:39 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5110 bytes


----------



## Punk (Jul 8, 2008)

Hello, half of the infections found were in the NOD32 quarantined folder.


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> C:\WINDOWS\system32\confl.dll
> C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106350.exe
> D:\realhndip\40.txt
> F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*
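Punk's point above, that half of the Kaspersky findings sit in the NOD32 quarantine folder, is the step that turns a 22-hit report into the four-line Avenger script: objects already in a quarantine folder (NOD32's `infected`, ComboFix's `QooBox`) are contained, System Restore copies are inert until restored, and only what is left is a live object. The script below is an added example, not code from Kaspersky, Avenger or this thread; it parses the report's "File name / Threat name / Threats count" rows and sorts them into those three buckets. The sample rows are copied (abridged) from the report posted earlier in the thread, and the function names (`triage`, `action_list`, `classify_path`) are my own.

```python
"""Triage a Kaspersky Online Scanner 7 report by where each detection lives.

Added example (not the scanner's own output parser). It reads the
"File name / Threat name / Threats count" table, strips the archive /
packer sub-object suffix ("//ASPack"), and sorts each hit into one of
three buckets so the helper can see which paths still need action:
  - quarantine    : already neutralised by NOD32 or ComboFix (QooBox)
  - restore_point : copies kept by System Restore, inert until restored
  - live          : an object on the running system
"""
import re
from typing import Dict, List, Tuple

# One data row of the report: <path>\tInfected: <threat>\t<count>
REPORT_ROW = re.compile(r"^(?P<path>[^\t]+)\tInfected: (?P<threat>\S+)\t(?P<count>\d+)$")

# Folder markers (compared case-insensitively) that identify already-contained objects.
QUARANTINE_MARKERS = ("\\eset\\infected\\", "\\qoobox\\quarantine\\")
RESTORE_POINT_MARKER = "\\system volume information\\_restore"


def _row(path: str, threat: str, count: int = 1) -> str:
    """Rebuild one tab-separated report row (used only to construct the sample)."""
    return f"{path}\tInfected: {threat}\t{count}"


# Sample rows copied (abridged) from the Kaspersky report posted in this thread.
SAMPLE_REPORT = [
    "File name / Threat name / Threats count",
    _row(r"C:\WINDOWS\system32\confl.dll//ASPack/C:\WINDOWS\system32\confl.dll//ASPack",
         "not-a-virus:AdWare.Win32.Delf.l", 2),
    _row(r"C:\WINDOWS\system32\confl.dll", "not-a-virus:AdWare.Win32.Delf.l"),
    _row(r"C:\Program Files\ESET\infected\4JAR3YDA.NQF", "Trojan-Downloader.Win32.Firu.b"),
    _row(r"C:\Program Files\ESET\infected\GDTWT2AA.NQF", "Rootkit.Win32.Clbd.dc"),
    _row(r"C:\Program Files\REALHOUND IP Client\rhsupport.exe",
         "not-a-virus:RemoteAdmin.Win32.WinVNC-based.c"),
    _row(r"C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106350.exe",
         "Trojan-Proxy.Win32.Agent.arf"),
    _row(r"C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir",
         "Trojan-Proxy.Win32.Agent.arf"),
    _row(r"D:\realhndip\40.txt", "not-a-virus:RemoteAdmin.Win32.WinVNC-based.c"),
    _row(r"F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe",
         "not-a-virus:AdTool.Win32.MyWebSearch.bm"),
    "The selected area was scanned.",
]


def classify_path(path: str) -> str:
    """Bucket a detected object by the folder it sits in."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_POINT_MARKER in p:
        return "restore_point"
    return "live"


def triage(report_lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (path, threat) pairs by bucket, one entry per outermost file."""
    buckets: Dict[str, List[Tuple[str, str]]] = {"live": [], "quarantine": [], "restore_point": []}
    seen = set()
    for line in report_lines:
        m = REPORT_ROW.match(line)
        if not m:
            continue  # header, footer or blank line
        # "file//packer/inner" means a detection inside an archive or packed
        # executable; the object to act on is the outermost file.
        path = m.group("path").split("//")[0]
        if path.lower() in seen:
            continue
        seen.add(path.lower())
        buckets[classify_path(path)].append((path, m.group("threat")))
    return buckets


def action_list(report_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Paths a helper would look at: live objects first, then restore-point copies.

    'not-a-virus:' verdicts (adware, remote-admin tools) are kept but tagged
    'review' so a human decides whether the program was installed on purpose.
    """
    buckets = triage(report_lines)
    out = []
    for path, threat in buckets["live"] + buckets["restore_point"]:
        tag = "review" if threat.startswith("not-a-virus:") else "delete"
        out.append((tag, path, threat))
    return out


if __name__ == "__main__":
    for tag, path, threat in action_list(SAMPLE_REPORT):
        print(f"{tag:6}  {threat:45}  {path}")
```

On the sample this yields exactly the paths outside the quarantine folders; the `review` tag on rhsupport.exe reflects that a VNC-based remote-admin tool is only a problem if the user did not install it, which is why Punk left it out of the first script and removed it later.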


----------



## mand1 (Jul 8, 2008)

Hello Punk,

Here are the results of the avenger test

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\confl.dll" deleted successfully.
File "C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106350.exe" deleted successfully.
File "D:\realhndip\40.txt" deleted successfully.

Error:  could not open file "F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe"
Deletion of file "F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished!  Terminate.


----------



## Punk (Jul 8, 2008)

OK, let's get a log from Panda's online scanner:

*Run Panda Online Scan*
Run *Panda's ActiveScan* from *here* and perform a full system scan.
- Once you are on the Panda site click the "*Scan your PC*" button
- A new window will open...click the big "*Check Now*" button
- Enter your *Country*
- Enter your *State/Province*
- Enter your *e-mail address* and click *send*
- Select either *Home User* or *Company*
- Click the big *Scan Now* button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan *(Note: it will take a couple of minutes)*
- Click on "*Local Disks*" to start the scan
- Save the log file to your desktop


----------



## mand1 (Jul 9, 2008)

Hello Punk,

Panda Antivirus did not ask me for the state, province and e-mail address details. So I just scanned it, and there was an option called Export to. On clicking it I got a text file. But I am not able to put the data here, as it says that it's a long file. I am not even able to attach it, for the same reason.

Please let me know if I can send it to you in any other way.


----------



## Punk (Jul 9, 2008)

Upload it to mediafire.com and send me the download link.


----------



## mand1 (Jul 9, 2008)

Here is the link 

http://www.mediafire.com/?jzykl9zjj9b


----------



## Punk (Jul 10, 2008)

maxy21 said:


> Hi,
> I have bought a new laptop and just after a few weeks my laptop went down with
> a trojan virus. How can I remove this virus from my laptop? I am very afraid for my laptop. Every time I have this problem, so kindly suggest me ideas or tips to remove the virus from my computer.
> Thanks!!!!



Please start a new thread in the Security Section 

*Mand1*

I'm sure you already know, but most of your infections are coming from cracked versions of software/fonts you downloaded illegally. I'm not here to tell you what to do or what not to do, but I suggest you stop those illegal downloads, as that is what caused the infection.



Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> D:\Program Files\Folder Lock\Scrambled\ASCII\D1\Softwares and files\N70\fonts remover & one sample font.rar
> D:\Program Files\Folder Lock\Scrambled\ASCII\D1\Data 4\Vids2new\IP frm\N7\N70\fonts remover & one sample font.rar
> C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106364.SYS
> ...



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*



All of the files stated above were infected.

How is your system running now?


----------



## mand1 (Jul 10, 2008)

Ohh, those were phone software that I got from a well-known site. So they had viruses!

My computer seems to be quite fine. Those low-threat infections I had mentioned were there. When I open Google links, it used to open some thermicosoft site; now when I try, it did not happen, so this issue would have got resolved.

Here are the Avenger results:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "D:\Program Files\Folder Lock\Scrambled\ASCII\D1\Softwares and files\N70\fonts remover & one sample font.rar" deleted successfully.
File "D:\Program Files\Folder Lock\Scrambled\ASCII\D1\Data 4\Vids2new\IP frm\N7\N70\fonts remover & one sample font.rar" deleted successfully.
File "C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106364.SYS" deleted successfully.
File "D:\Program Files\Folder Lock\Scrambled\ASCII\D2\Mine\Mumcode[1].MumSMS.v4.16.S60.SymbianOS8.1.Cracked-SyMPDA.zip" deleted successfully.

Error:  file "D:\Program Files\Folder Lock\Scrambled\ASCII\D2\Mine\Mumcode.MumSMS.v4.16. S60.SymbianOS8.1.Cracked-SyMPDA.sis" not found!
Deletion of file "D:\Program Files\Folder Lock\Scrambled\ASCII\D2\Mine\Mumcode.MumSMS.v4.16. S60.SymbianOS8.1.Cracked-SyMPDA.sis" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


----------



## Punk (Jul 10, 2008)

OK, let's get a Kaspersky result:

*Run Kaspersky Online AV Scanner*
Using *Internet Explorer*, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the *Accept* button at the end of the page.

_Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%._

- Read the *Requirements and limitations* before you click *Accept*.
- Allow the ActiveX download if necessary.
- Once the database has downloaded, click *Next*.
- Click *Scan Settings* and change the "*Scan using the following antivirus database*" from *standard* to *extended* and then click *OK*.
- Click on "*My Computer*" and then put the kettle on!
When the scan has completed, click *Save Report As...*
- Enter a name for the file in the *Filename:* text box and then click the down arrow to the right of *Save as type:* and select *text file (*.txt)*
- Click *Save* - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


----------



## mand1 (Jul 11, 2008)

Hi,

Here are the Kaspersky results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Friday, July 11, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Thursday, July 10, 2008 23:27:25
 Records in database: 937938
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	A:\
	C:\
	D:\
	E:\
	F:\
	G:\

Scan statistics:
	Files scanned: 43269
	Threat name: 4
	Infected objects: 4
	Suspicious objects: 0
	Duration of the scan: 01:01:29


File name / Threat name / Threats count
C:\Program Files\REALHOUND IP Client\rhsupport.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c	1
C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP324\A0106668.dll	Infected: not-a-virus:AdWare.Win32.Delf.l	1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir	Infected: Trojan-Proxy.Win32.Agent.arf	1
D:\Program Files\Uniblue\unins000.exe	Infected: Trojan-Downloader.Win32.Agent.vuh	1

The selected area was scanned.


----------



## Punk (Jul 11, 2008)

Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> D:\Program Files\Uniblue\unins000.exe
> C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP324\A0106668.dll
> C:\Program Files\REALHOUND IP Client\rhsupport.exe



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*

After that, please post a fresh HijackThis log.


----------



## mand1 (Jul 11, 2008)

Back with the results 

Avenger results:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "D:\Program Files\Uniblue\unins000.exe" deleted successfully.
File "C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP324\A0106668.dll" deleted successfully.
File "C:\Program Files\REALHOUND IP Client\rhsupport.exe" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
-------

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:56 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5300 bytes


----------



## Punk (Jul 11, 2008)

Looks like a clean log to me 

Although you have the MegaUpload toolbar which I don't recommend you keep. It's harmless but it usually adds adware along with the installation.

Are you having any problems with your computer?


----------



## mand1 (Jul 11, 2008)

Oh, finally my computer looks clean, wow!

I had mentioned the tracking cookies (low threat type: mediaplex, statcounter, and a few more like this) that I found in Uniblue SpyEraser; this is the only thing I see.

Other than that I had spoken about a resolution problem, that's it.


----------



## Punk (Jul 11, 2008)

Download and run the free ad-aware from Lavasoft. That should get rid of your tracking cookies.

As for the resolution problem, post a new thread with your problem in the *Video Cards and Monitors* section of this forum.

*Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.*

Please download *OTMoveIt2* and save it to desktop.

Double-click *OTMoveIt2.exe*.
Click the *CleanUp!* button.
Select *Yes* when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select *Yes*.
The tool will delete itself once it finishes, if not delete it by yourself.

Congratulations, you are clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

*Disable and Enable System Restore-WINDOWS XP*
This is a good time to clear your existing system restore points and establish a new clean restore point:

*Turn off System Restore*

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
*Turn ON System Restore*

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

*Here are some free programs I recommend that could help you improve your computer's security.*

*Spybot Search and Destroy 1.5.2*
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

*Install SpyWare Blaster 4.0*
Download it from here
Find the tutorial on how to use SpywareBlaster here

*Install WinPatrol*
Download it from here
You can find information about how WinPatrol works here

*Install FireTrust SiteHound*
You can find information and download it from here

*Install MVPS Hosts File* *from here*
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
*Note 1:* If you are running Windows XP *SP2*, you should upgrade to *SP3*.
*Note 2:* Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

*Please check out Tony Klein's article* "How did I get infected in the first place?"

*Read some information* here on how to prevent malware.

Happy safe surfing!


----------
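How the hosts-file blocking described in the post above actually works, as an added example that is not part of any post in this thread and not code from the MVPS project: the script parses a HOSTS file in the same layout (address, then one or more names, `#` comments), treats names mapped to 127.0.0.1 (or 0.0.0.0, the other common sink address) as blocked, and reports what a given name would resolve to. The hosts text, the `.example`/`.test` names and the sink and loopback sets are constructed assumptions for the demonstration, not the real MVPS file.

```python
"""Parse a HOSTS file in the MVPS layout and report which names it sinks.

Added example, not from the thread or the MVPS project. SAMPLE_HOSTS is a
constructed sample; SINK_ADDRESSES and LOOPBACK_NAMES are assumptions.
"""
import ipaddress

# Addresses a blocklist maps names to so the connection goes nowhere.
# 127.0.0.1 is what the thread describes; 0.0.0.0 is the other common sink.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Names that legitimately map to loopback and must not count as "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample in MVPS-style layout; the real file is far longer.
SAMPLE_HOSTS = """\
# Lines starting with '#' are comments; blank lines are ignored.
127.0.0.1       localhost
::1             localhost

# [Start of entries generated by MVPS HOSTS file] (constructed sample)
127.0.0.1  ad.doubleclick.net
127.0.0.1  www.statcounter.com          # tracker mentioned in the thread
127.0.0.1  adserver.mediaplex.example   img.mediaplex.example
0.0.0.0    www.example-ads.test
"""


def parse_hosts(text):
    """Return {hostname: address}. The first mapping for a name wins,
    matching how the Windows resolver reads the file top to bottom."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line; ignore it
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # first field is not an address
        for name in fields[1:]:
            table.setdefault(name.lower(), address)
    return table


def _normalise(hostname):
    return hostname.strip().rstrip(".").lower()


def resolve(table, hostname):
    """Address the hosts file supplies for hostname, or None if unlisted."""
    return table.get(_normalise(hostname))


def is_blocked(table, hostname):
    """True if this exact name is sunk into a blackhole address.
    Hosts files have no wildcards, so subdomains are NOT covered."""
    name = _normalise(hostname)
    if name in LOOPBACK_NAMES:
        return False
    return table.get(name) in SINK_ADDRESSES


def blocked_names(table):
    """All names the file sinks, excluding genuine loopback entries."""
    return sorted(n for n, a in table.items()
                  if a in SINK_ADDRESSES and n not in LOOPBACK_NAMES)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ["ad.doubleclick.net", "WWW.StatCounter.com",
                 "sub.ad.doubleclick.net", "localhost", "www.example-ads.test"]:
        print(f"{name:26} -> {str(resolve(hosts, name)):10} "
              f"blocked={is_blocked(hosts, name)}")
```

The caveat worth noticing is the `sub.ad.doubleclick.net` case: a hosts file only matches exact names, so a blocklist covers nothing it does not list explicitly. On the machine itself the live file is `%SystemRoot%\System32\drivers\etc\hosts`, and the same parser can be pointed at it to confirm an entry took effect.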



## mand1 (Jul 11, 2008)

Ok, that's great. The system restore and the remaining steps I think I will do some other time, because right now my computer seems to be really good. I will post the resolution problem now to see what's happening there.

Punk, thanks a ton for your patience and help. There were so many things I learnt from you and you have helped me so much, including some issues which had been coming up for many months. Please let me know if there is any option to repute so that I can add to your reputation.


----------



## Punk (Jul 11, 2008)

mand1 said:


> Punk, thanks a ton for your patience and help. There were so many things I learnt from you and you have helped me so much, including some issues which had been coming up for many months. Please let me know if there is any option to repute so that I can add to your reputation.



We don't have that reputation system, but just the fact that your computer is clean is enough for me.

I'm always glad to help.

If you have any problems, don't hesitate; we're all here to help.


----------



## mand1 (Jul 11, 2008)

Thanks. Definitely I would not hesitate to post any problem after the help I received from you.


----------

