Solved: duplicating files virus?

kitten777 (Junior Member with 25 posts, thread starter)
Join Date: Jan 2009
Location: Melbourne Australia
Experience: Intermediate
02-Jan-2009, 08:00 AM #1
duplicating files virus?
A complete scan of my system with VET 7.0.8.1 (updated) did not detect
anything, but notwithstanding that the following looks as though it might
have been caused by a virus.

When backing up I noticed that the size of my system had increased from 54GB
to 73GB over four days. On closer examination I found that in a time span of
36 minutes shortly after midnight on 2008-12-30 about half my files had
mysteriously been exactly duplicated under a new name, being the old name
followed by a tilde and eight random letters or digits - for example:

02 01 15 00:33 2,107 watt.bat
08 12 31 00:34 2,107 watt.bat~MO5OP9NR
02 08 16 18:23 187 WW01.BAT
08 12 31 00:34 187 WW01.BAT~CSM946BE
04 12 07 20:55 144 XX.BAT
08 12 31 00:34 144 XX.BAT~IVLDB964

In some directories the duplications occurred over several consecutive
minutes. The directories affected all had names commencing with a to d.

In case it is relevant, my system is:

WinXP Home SP1
1.85 GHz AMD Athlon XP
1024 MB Installed Memory
VIA KM400-8235

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:36:17, on 09 01 02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
E:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
E:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
E:\Program Files\NetTime\NetTime.exe
E:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\SWF Printer Pro\swfpagent.exe
E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Google\Google Talk\googletalk.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\ControlSS\ControlSS.exe
E:\Program Files\X1\X1FileMonitor.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\System Explorer\SystemExplorer.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\LS3\LS3EXEC.EXE
E:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
E:\Program Files\Executive Software\DiskeeperLite\DKService.exe
E:\Program Files\Macro Express\macexp.EXE
E:\Program Files\MozyHome\mozystat.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\1stClock\1stClock.exe
E:\LS3\LS3SVC.EXE
C:\df51\chimer.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\WordWeb\wweb32.exe
E:\Program Files\X1\X1Systray.exe
E:\Program Files\MozyHome\mozybackup.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\X1\X1.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Sandboxie\SandboxieServer.exe
E:\Program Files\X1\X1Service.exe
E:\Program Files\Skype\Plugin Manager\SkypePM.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\PAStiSvc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
E:\WINDOWS\System32\BRMFRSMG.EXE
E:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
E:\Program Files\X1\textExtractor.exe
E:\WINDOWS\System32\dllhost.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Old%20Drive/Program%20Files/Netscape/Users/default/bookmark.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", "file:///C:/Old%20Drive/Program%20Files/Netscape/Users/default/bookmark.htm"); (E:\Program Files\Netscape\Users\nrenton\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C:/Old%20Drive/Program%20Files/Netscape/Users/default/bookmark.htm"); (E:\Documents and Settings\NICK\Application Data\Mozilla\Profiles\default\98b1810q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK. src"); (E:\Documents and Settings\NICK\Application Data\Mozilla\Profiles\default\98b1810q.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - E:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {6291957C-8CE9-4c90-BEFF-12D9E68CFF30} - E:\Program Files\LostGoggles\LGoggles.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - E:\Program Files\Armor2net\Armor2net Personal Firewall\PopUpKiller.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: gPhotoShow Toolbar Helper - {B7E02222-F5F3-4581-BBF3-F071B9B5A2CC} - E:\Program Files\gPhotoShow Toolbar\v3.2.0.0\gPhotoShow_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - E:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: gPhotoShow Toolbar - {08908347-2115-4D2C-95D6-FEFBDDB6EF7E} - E:\Program Files\gPhotoShow Toolbar\v3.2.0.0\gPhotoShow_Toolbar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - E:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CaAvTray] "E:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Armor2net] E:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKLM\..\Run: [NetTime] E:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SWF Printer Agent] "E:\Program Files\SWF Printer Pro\swfpagent.exe"
O4 - HKLM\..\Run: [Desktop-XP_WhenuSave_Installer] E:\Program Files\Desktop-XP_WhenUSave_Installer\Desktop-XP_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [googletalk] E:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MyScreenCam] E:\Program Files\My Screen Cam\scrcam.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ControlSSaver] E:\Program Files\ControlSS\ControlSS.exe
O4 - HKCU\..\Run: [X1FileMonitor.exe] E:\Program Files\X1\X1FileMonitor.exe
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SystemExplorer] "E:\Program Files\System Explorer\SystemExplorer.exe" /TRAY
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: 1st Clock.lnk = E:\Program Files\1stClock\1stClock.exe
O4 - Startup: chimer.exe.lnk = C:\df51\chimer.exe
O4 - Startup: macexp.EXE.lnk = C:\Old Drive\Program Files\Macro Express\macexp.EXE
O4 - Startup: WordWeb.lnk = E:\Program Files\WordWeb\wweb32.exe
O4 - Startup: X1 System Tray.lnk = E:\Program Files\X1\X1Systray.exe
O4 - Startup: X1.lnk = E:\Program Files\X1\X1.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: LSIII Executor.lnk = E:\LS3\LS3EXEC.EXE
O4 - Global Startup: Macro Express 2000.lnk = E:\Program Files\Macro Express\macexp.EXE
O4 - Global Startup: MozyHome Status.lnk = E:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: &WordWeb... - res://E:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://E:\WINDOWS\System32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Quintura - E:\Program Files\Quintura Inc\Quintura Search\Quintura.htm.ie
O8 - Extra context menu item: Search Using Copernic Agent - res://E:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Quintura Search - {F9341940-7640-4157-9C5C-7D86B7449E20} - E:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra 'Tools' menuitem: Quintura - {F9341940-7640-4157-9C5C-7D86B7449E20} - E:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139293865664
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1229574390158
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LanSafe III Power Monitor (LanSafe III PM) - Unknown owner - E:\LS3\LS3SVC.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - E:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - E:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - E:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - E:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - E:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 14229 bytes
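As an added triage helper, not part of the thread, the following Python script walks a directory tree for files carrying the tilde-plus-eight-character suffix kitten777 describes, checks whether each one is a byte-exact copy of the sibling original, and records when the copy was written so that bursts can be lined up against scheduled activity on the machine. It assumes the suffix is exactly eight upper-case letters or digits (as in the listing) and builds a constructed sample directory instead of touching real data.

```python
"""Triage helper for the name~XXXXXXXX duplicate pattern described in the post.

Assumptions (not from the thread): the suffix is a tilde followed by exactly
eight characters from 0-9 / A-Z, and the original sits in the same directory
under the un-suffixed name.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter
from datetime import datetime

# Tilde + eight upper-case letters/digits, as in watt.bat~MO5OP9NR.
SUFFIX_RE = re.compile(r"^(?P<base>.+)~(?P<tag>[0-9A-Z]{8})$")


def split_suffixed_name(name):
    """Return (base_name, tag) if name carries the suffix, else None."""
    m = SUFFIX_RE.match(name)
    if not m:
        return None
    return m.group("base"), m.group("tag")


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_tilde_copies(root):
    """Walk root; for every name~TAG file report whether it is a byte-exact
    copy of the sibling original and when the copy was last written."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            parts = split_suffixed_name(name)
            if parts is None:
                continue
            base, _tag = parts
            copy_path = os.path.join(dirpath, name)
            rec = {
                "dir": dirpath,
                "copy": name,
                "original": base,
                "original_present": base in present,
                "identical": False,
                "written": datetime.fromtimestamp(os.path.getmtime(copy_path)),
            }
            if rec["original_present"]:
                orig_path = os.path.join(dirpath, base)
                # Cheap size check first, hash only when sizes agree.
                rec["identical"] = (
                    os.path.getsize(orig_path) == os.path.getsize(copy_path)
                    and sha256_of(orig_path) == sha256_of(copy_path)
                )
            findings.append(rec)
    return findings


def cluster_by_minute(findings):
    """Count copies per (directory, minute) to expose bursts like the
    36-minute window the post describes."""
    return Counter(
        (r["dir"], r["written"].strftime("%Y-%m-%d %H:%M")) for r in findings
    )


def build_sample_tree():
    """Constructed sample directory imitating the listing in the post.
    File contents are invented; only the naming pattern matches the thread."""
    root = tempfile.mkdtemp(prefix="tilde_demo_")
    bat = os.path.join(root, "bat")
    os.makedirs(bat)
    payload = b"@echo off\r\necho constructed sample\r\n"
    for name in ("watt.bat", "WW01.BAT", "XX.BAT"):
        with open(os.path.join(bat, name), "wb") as f:
            f.write(payload)
    # Exact copies, as observed in the post.
    for name in ("watt.bat~MO5OP9NR", "WW01.BAT~CSM946BE"):
        with open(os.path.join(bat, name), "wb") as f:
            f.write(payload)
    # A copy whose content differs: not a plain duplicate, worth a closer look.
    with open(os.path.join(bat, "XX.BAT~IVLDB964"), "wb") as f:
        f.write(payload + b"rem extra\r\n")
    # An orphaned copy whose original is gone.
    with open(os.path.join(bat, "gone.bat~AAAA0000"), "wb") as f:
        f.write(payload)
    return root


def demo():
    """Build the sample tree, print a one-line verdict per copy, return findings."""
    root = build_sample_tree()
    findings = sorted(find_tilde_copies(root), key=lambda r: r["copy"])
    for r in findings:
        status = ("identical" if r["identical"]
                  else "DIFFERS" if r["original_present"]
                  else "original missing")
        print(f"{r['written']:%y %m %d %H:%M}  {r['copy']:<20} -> "
              f"{r['original']:<10} {status}")
    return findings


if __name__ == "__main__":
    demo()
```

Copies flagged DIFFERS or with a missing original deserve a closer look; identical copies written in a tight cluster point at whatever job ran on the machine at that time.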

cybertech (Moderator with 69,340 posts)
Join Date: Apr 2002
Location: USA
05-Jan-2009, 10:03 AM #2
Please download this from Microsoft and run it on your computer
Filename = WGADiag2.exe
http://go.microsoft.com/fwlink/?linkid=52012

Press "Copy to clipboard" and then you can paste to Wordpad and post to this thread

kitten777 (Junior Member with 25 posts, thread starter)
Join Date: Jan 2009
Location: Melbourne Australia
Experience: Intermediate
06-Jan-2009, 04:56 AM #3
Thank you. Herewith.

Diagnostic Report (1.7.0110.1):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-QJCVG-HWPK2-96B9D
Windows Product Key Hash: Ts0PIuedyG/DsIwHUedC8pq3b30=
Windows Product ID: 55277-OEM-2149192-84149
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {E69EE5A7-1275-49CF-88C6-52F67FECFAD2}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.5.530.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_E2AD56EA-761-d003_E2AD56EA-762-0_E2AD56EA-134-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office XP Professional with FrontPage - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1_E2AD56EA-761-d003_E2AD56EA-762-0_E2AD56EA-134-80004005_FA827CE6-153-8007007e_FA827CE6-180-8007007e

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: E:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: E:\WINDOWS\system32\winlogon.exe[5.1.2600.1557]
File Mismatch: E:\WINDOWS\system32\licdll.dll[5.1.2600.1106]
File Mismatch: E:\WINDOWS\system32\ntoskrnl.exe[5.1.2600.1634]
File Mismatch: E:\WINDOWS\system32\ntdll.dll[5.1.2600.1217]
File Mismatch: E:\WINDOWS\system32\kernel32.dll[5.1.2600.1869]
File Mismatch: E:\WINDOWS\system32\crypt32.dll[5.131.2600.1123]
File Mismatch: E:\WINDOWS\system32\advapi32.dll[5.1.2600.1106]
File Mismatch: E:\WINDOWS\system32\setupapi.dll[5.1.2600.1106]
File Mismatch: E:\WINDOWS\system32\oembios.bin[hr = 0x80070714]
File Mismatch: E:\WINDOWS\system32\oembios.dat[hr = 0x80070714]
File Mismatch: E:\WINDOWS\system32\oembios.sig[hr = 0x80070714]
File Mismatch: E:\WINDOWS\system32\syssetup.dll[5.1.2600.1106]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{E69EE5A7-1275-49CF-88C6-52F67FECFAD2}</UGUID><Version>1.7.0110.1</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-96B9D</PKey><PID>55277-OEM-2149192-84149</PID><PIDType>3</PIDType><SID>S-1-5-21-606747145-776561741-839522115</SID><SYSTEM><Manufacturer>VIA Technologies, Inc.</Manufacturer><Model>KM400-8235</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>1006 </Version><SMBIOSVersion major="2" minor="2"/><Date>20030915******.******+***</Date></BIOS><HWID>FE003B6F0184206F</HWID><UserLCID>0C09</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Pacific Standard Time(GMT+11:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{90280409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office XP Professional with FrontPage</Name><Ver>10</Ver><Val>3CE06EBCC4BE042</Val><Hash>5tHplcouPYYqsYvimYEfCAbuzM8=</Hash><Pid>54185-640-0205133-17118</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="10" Result="100"/><App Id="16" Version="10" Result="100"/><App Id="17" Version="10" Result="100"/><App Id="18" Version="10" Result="100"/><App Id="1A" Version="10" Result="100"/><App Id="1B" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

cybertech (Moderator with 69,340 posts)
Join Date: Apr 2002
Location: USA
06-Jan-2009, 07:22 PM #4
Ok, thanks! I have to wonder why you have not installed sp2 or sp3 on this machine. You are wide open to all kinds of problems running only sp1.

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Please download Malwarebytes Anti-Malware and save it to your desktop. alternate link 1 alternate link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply with a new hijackthis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator".)

kitten777 (Junior Member with 25 posts, thread starter)
Join Date: Jan 2009
Location: Melbourne Australia
Experience: Intermediate
07-Jan-2009, 07:02 PM #5
Many thanks. The three logs are:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 8, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 07, 2009 10:17:18
Records in database: 1577031
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 244800
Threat name: 19
Infected objects: 39
Suspicious objects: 45
Duration of the scan: 09:36:09


File name / Threat name / Threats count
C:\dc40\callingidxp.exe Infected: Trojan-Downloader.Win32.Agent.wnh 1
C:\dg08\asbsetup.exe Infected: not-a-virus:AdWare.Win32.Mostofate.f 1
C:\dg78\install.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\Owner\Application Data\Thunderbird\Copy of Profiles\yd5hqll7.default\Mail\Local Folders\yin02 Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\Owner\Application Data\Thunderbird\Copy of Profiles\yd5hqll7.default\Mail\Local Folders\yin0202 Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\Owner\Application Data\Thunderbird\Copy of Profiles\yd5hqll7.default\Mail\Local Folders\yin9906 Infected: Email-Worm.Win32.Happy 1
C:\Documents and Settings\Owner\Application Data\Thunderbird\Copy of Profiles\yd5hqll7.default\Mail\Local Folders\yout0301 Infected: EICAR-Test-File 1
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\virus Infected: Email-Worm.Win32.Sober.p 1
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\yin02 Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\yin0202 Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\yin9906 Infected: Email-Worm.Win32.Happy 1
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\yout0301 Infected: EICAR-Test-File 1
C:\eudora\In.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
C:\eudora\In.mbx.002 Suspicious: Trojan-Spy.HTML.Fraud.gen 9
C:\eudora\Trash.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\eudora\virus.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\eudora\yin02.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\eudora\yin0202.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\eudora\yin0501.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\eudora\yout0006.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\eudora\yout0301.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\eudoran\In.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\miscbu\BSM18.zip Infected: not-a-virus:NetTool.Win32.BSM.18 1
C:\miscbu\goz39zd.exe Infected: not-a-virus:AdWare.Win32.Aureate 2
C:\miscbu\goz39zd.exe Infected: not-a-virus:AdWare.Win32.Aureate.a 3
C:\miscbu\TWSK30D.EXE Infected: not-a-virus:NetTool.Win32.ICMPPing 1
C:\Old Drive\BSM18.EXE Infected: not-a-virus:NetTool.Win32.BSM.18 1
C:\Old Drive\OldC\DN96A\TRUMPING.EX_ Infected: not-a-virus:NetTool.Win32.ICMPPing 1
C:\Old Drive\OldC\TRUMPET\WINAPPS\TRUMPING.EXE Infected: not-a-virus:NetTool.Win32.ICMPPing 1
C:\Old Drive\Program Files\JavaScript Vault\scripts\crazy-window.htm Infected: Hoax.JS.BadJoke.RJump 1
C:\Old Drive\Program Files\JavaScript Vault\scripts\matrix.htm Infected: Trojan.JS.Tsumi.b 1
C:\Old Drive\Program Files\SpamWeasel\spamfltr\archive\Normal\SF031217.txt Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Old Drive\WINDOWS\Application Data\Identities\{6DFDD480-4759-11D4-B552-DF0DDCB57A11}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 3
C:\Old Drive\WINDOWS\Application Data\Identities\{6DFDD480-4759-11D4-B552-DF0DDCB57A11}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Lentin.g 4
C:\Old Drive\WINDOWS\Application Data\Identities\{6DFDD480-4759-11D4-B552-DF0DDCB57A11}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Sobig.f 9
E:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\virus Infected: Email-Worm.Win32.Sober.p 1
E:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\virus Infected: Trojan-Downloader.Win32.Osel.ae 1
E:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\yin02 Suspicious: Exploit.HTML.Iframe.FileDownload 2
E:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\yin0202 Suspicious: Exploit.HTML.Iframe.FileDownload 2
E:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\yin9906 Infected: Email-Worm.Win32.Happy 1
E:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\Local Folders\yout0301 Infected: EICAR-Test-File 1
E:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\pop-server.bigpond.net.au\yin0601 Infected: Email-Worm.Win32.Mydoom.m 1
E:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\yd5hqll7.default\Mail\pop-server.bigpond.net.au\zout0601 Infected: Trojan-Spy.HTML.Paylap.jj 1

The selected area was scanned.


Malwarebytes' Anti-Malware 1.32
Database version: 1627
Windows 5.1.2600 Service Pack 1

09 01 07 20:26:10
mbam-log-2009-01-07 (20-26-10).txt

Scan type: Quick Scan
Objects scanned: 60431
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:54:15, on 09 01 08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
E:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
E:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
E:\Program Files\NetTime\NetTime.exe
E:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\SWF Printer Pro\swfpagent.exe
E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\Google\Google Talk\googletalk.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\ControlSS\ControlSS.exe
E:\Program Files\X1\X1FileMonitor.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\System Explorer\SystemExplorer.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\LS3\LS3EXEC.EXE
E:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
E:\Program Files\Macro Express\macexp.EXE
E:\Program Files\Executive Software\DiskeeperLite\DKService.exe
E:\Program Files\MozyHome\mozystat.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\1stClock\1stClock.exe
C:\df51\chimer.exe
E:\Program Files\WordWeb\wweb32.exe
E:\Program Files\X1\X1Systray.exe
E:\Program Files\X1\X1.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\LS3\LS3SVC.EXE
E:\Program Files\Skype\Plugin Manager\SkypePM.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\MozyHome\mozybackup.exe
E:\Program Files\X1\X1Service.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Sandboxie\SandboxieServer.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\PAStiSvc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
E:\WINDOWS\System32\BRMFRSMG.EXE
E:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
E:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Old%20Drive/Program%20Files/Netscape/Users/default/bookmark.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", "file:///C:/Old%20Drive/Program%20Files/Netscape/Users/default/bookmark.htm"); (E:\Program Files\Netscape\Users\nrenton\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C:/Old%20Drive/Program%20Files/Netscape/Users/default/bookmark.htm"); (E:\Documents and Settings\NICK\Application Data\Mozilla\Profiles\default\98b1810q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK. src"); (E:\Documents and Settings\NICK\Application Data\Mozilla\Profiles\default\98b1810q.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - E:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {6291957C-8CE9-4c90-BEFF-12D9E68CFF30} - E:\Program Files\LostGoggles\LGoggles.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - E:\Program Files\Armor2net\Armor2net Personal Firewall\PopUpKiller.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: gPhotoShow Toolbar Helper - {B7E02222-F5F3-4581-BBF3-F071B9B5A2CC} - E:\Program Files\gPhotoShow Toolbar\v3.2.0.0\gPhotoShow_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - E:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: gPhotoShow Toolbar - {08908347-2115-4D2C-95D6-FEFBDDB6EF7E} - E:\Program Files\gPhotoShow Toolbar\v3.2.0.0\gPhotoShow_Toolbar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - E:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CaAvTray] "E:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Armor2net] E:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKLM\..\Run: [NetTime] E:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SWF Printer Agent] "E:\Program Files\SWF Printer Pro\swfpagent.exe"
O4 - HKLM\..\Run: [Desktop-XP_WhenuSave_Installer] E:\Program Files\Desktop-XP_WhenUSave_Installer\Desktop-XP_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [googletalk] E:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MyScreenCam] E:\Program Files\My Screen Cam\scrcam.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ControlSSaver] E:\Program Files\ControlSS\ControlSS.exe
O4 - HKCU\..\Run: [X1FileMonitor.exe] E:\Program Files\X1\X1FileMonitor.exe
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SystemExplorer] "E:\Program Files\System Explorer\SystemExplorer.exe" /TRAY
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: 1st Clock.lnk = E:\Program Files\1stClock\1stClock.exe
O4 - Startup: chimer.exe.lnk = C:\df51\chimer.exe
O4 - Startup: macexp.EXE.lnk = C:\Old Drive\Program Files\Macro Express\macexp.EXE
O4 - Startup: WordWeb.lnk = E:\Program Files\WordWeb\wweb32.exe
O4 - Startup: X1 System Tray.lnk = E:\Program Files\X1\X1Systray.exe
O4 - Startup: X1.lnk = E:\Program Files\X1\X1.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: LSIII Executor.lnk = E:\LS3\LS3EXEC.EXE
O4 - Global Startup: Macro Express 2000.lnk = E:\Program Files\Macro Express\macexp.EXE
O4 - Global Startup: MozyHome Status.lnk = E:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: &WordWeb... - res://E:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://E:\WINDOWS\System32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Quintura - E:\Program Files\Quintura Inc\Quintura Search\Quintura.htm.ie
O8 - Extra context menu item: Search Using Copernic Agent - res://E:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - E:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Quintura Search - {F9341940-7640-4157-9C5C-7D86B7449E20} - E:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra 'Tools' menuitem: Quintura - {F9341940-7640-4157-9C5C-7D86B7449E20} - E:\Program Files\Quintura Inc\Quintura Search\iereg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: e:\program files\armor2net\armor2net personal firewall\netdog.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139293865664
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1229574390158
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LanSafe III Power Monitor (LanSafe III PM) - Unknown owner - E:\LS3\LS3SVC.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - E:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - E:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - E:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - E:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - E:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 14165 bytes
cybertech
Moderator with 69,340 posts.
Join Date: Apr 2002
Location: USA
07-Jan-2009, 07:35 PM #6
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy all the lines in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Quote:
    :Files
    C:\dc40\callingidxp.exe
    C:\dg08\asbsetup.exe
    C:\dg78\install.exe
    C:\miscbu\BSM18.zip
    C:\miscbu\goz39zd.exe
    C:\miscbu\TWSK30D.EXE
    C:\Old Drive\BSM18.EXE
    C:\Old Drive\OldC\DN96A\TRUMPING.EX_
    C:\Old Drive\OldC\TRUMPET\WINAPPS\TRUMPING.EXE
    C:\Old Drive\Program Files\JavaScript Vault\scripts\crazy-window.htm
    C:\Old Drive\Program Files\JavaScript Vault\scripts\matrix.htm
    C:\Old Drive\Program Files\SpamWeasel\spamfltr\archive\Normal\SF031217.txt
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


The infected files I did not select are in your different e-mail programs. You will have to clean those up manually.


Let me know how things are going when you finish that up.
kitten777
Junior Member with 25 posts.
THREAD STARTER
Join Date: Jan 2009
Location: Melbourne Australia
Experience: Intermediate
07-Jan-2009, 09:39 PM #7
Thank you. Your knowledge of malware programs is most impressive. The files below have been on my computer for years, so are we any closer to solving the current mystery?

========== FILES ==========
C:\dc40\callingidxp.exe moved successfully.
C:\dg08\asbsetup.exe moved successfully.
C:\dg78\install.exe moved successfully.
C:\miscbu\BSM18.zip moved successfully.
C:\miscbu\goz39zd.exe moved successfully.
C:\miscbu\TWSK30D.EXE moved successfully.
C:\Old Drive\BSM18.EXE moved successfully.
C:\Old Drive\OldC\DN96A\TRUMPING.EX_ moved successfully.
C:\Old Drive\OldC\TRUMPET\WINAPPS\TRUMPING.EXE moved successfully.
C:\Old Drive\Program Files\JavaScript Vault\scripts\crazy-window.htm moved successfully.
C:\Old Drive\Program Files\JavaScript Vault\scripts\matrix.htm moved successfully.
C:\Old Drive\Program Files\SpamWeasel\spamfltr\archive\Normal\SF031217.txt moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01082009_123123
cybertech
Moderator with 69,340 posts.
Join Date: Apr 2002
Location: USA
08-Jan-2009, 06:11 PM #8
How is it running now? Any problems?
kitten777
Junior Member with 25 posts.
THREAD STARTER
Join Date: Jan 2009
Location: Melbourne Australia
Experience: Intermediate
08-Jan-2009, 07:14 PM #9
Thank you - it is running fine.

But my worry is that without knowing what caused about 20,000 files totalling about 23 GB to be duplicated spontaneously in 36 minutes there must be a risk of recurrence or worse next time. It must be a very strange virus indeed to selectively attack only files in directories having names starting with a to the middle of d and to do so in strict alphabetical order.

Has nobody else in the whole world encountered anything similar?

Could I have accidentally pressed some combination of keys that caused the problem?

Does the fact that the names of the duplicated files were always the original name plus a tilde plus 8 random numbers/letters provide any clue?
cybertech
Moderator with 69,340 posts.
Join Date: Apr 2002
Location: USA
08-Jan-2009, 07:23 PM #10
I have not heard of such a thing but that is not to say it does not exist.

In the copy or deletion of multiple files I often find I have created duplicates of them by doing just what you said, slip of the mouse, wrong key stroke or ???

Is this still happening?
Did you delete the files?
kitten777
Junior Member with 25 posts.
THREAD STARTER
Join Date: Jan 2009
Location: Melbourne Australia
Experience: Intermediate
08-Jan-2009, 07:35 PM #11
Thank you again.

No, it only happened once, 10 days ago.

Yes, I managed to delete them - I did not want an unnecessary 50% extra usage of my hard drive. I evolved a bulk way of removing them by using the del command in DOS with /s.
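As an added example that is not part of this thread: a Python script that walks a directory tree, picks out files whose names follow the pattern the poster describes (original name, a tilde, eight letters or digits), and counts one as a duplicate only when the original exists beside it and both are byte-identical by size and SHA-256. Only verified copies are selected for removal, which is safer than a wildcard del /s; the sample tree it builds is constructed for the demonstration, not taken from the poster's machine.

```python
"""Added example, not code from the thread: find files named <original>~XXXXXXXX
and confirm each is a byte-identical copy before treating it as a duplicate."""
import hashlib
import os
import re
import tempfile
from typing import List, NamedTuple

# Suffix pattern described in the thread: a tilde plus eight letters or digits,
# e.g. "watt.bat~MO5OP9NR".
SUFFIX_RE = re.compile(r"^(?P<orig>.+)~[A-Z0-9]{8}$")


class Finding(NamedTuple):
    duplicate: str   # path of the suspected copy
    original: str    # path of the file it appears to copy
    identical: bool  # True when size and SHA-256 both match


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(root: str) -> List[Finding]:
    """One Finding per file matching SUFFIX_RE whose original exists in the
    same directory; a pattern match with no original is not a duplicate."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in sorted(files):
            m = SUFFIX_RE.match(name)
            if not m or m.group("orig") not in present:
                continue
            dup = os.path.join(dirpath, name)
            orig = os.path.join(dirpath, m.group("orig"))
            same = (os.path.getsize(dup) == os.path.getsize(orig)
                    and sha256_of(dup) == sha256_of(orig))
            findings.append(Finding(dup, orig, same))
    return findings


def remove_verified(findings: List[Finding], dry_run: bool = True) -> List[str]:
    """Select only byte-identical copies for deletion (dry run by default);
    copies whose content differs are left for manual inspection."""
    selected = [f.duplicate for f in findings if f.identical]
    if not dry_run:
        for path in selected:
            os.remove(path)
    return selected


def build_sample_tree() -> str:
    """Constructed sample data (contents invented) mirroring the first post's
    listing, written to a temporary directory so the example runs offline."""
    root = tempfile.mkdtemp(prefix="dupcheck_")
    sample = {
        "watt.bat": b"@echo off\r\n",
        "watt.bat~MO5OP9NR": b"@echo off\r\n",  # exact copy
        "XX.BAT": b"rem original\r\n",
        "XX.BAT~IVLDB964": b"rem changed\r\n",  # same pattern, different bytes
        "orphan~ABCDEFGH": b"no original",      # pattern match, no original
    }
    for name, data in sample.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Run `find_duplicates` over a real tree and review the non-identical entries by hand before calling `remove_verified` with `dry_run=False`.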
cybertech
Moderator with 69,340 posts.
Join Date: Apr 2002
Location: USA
08-Jan-2009, 08:09 PM #12
Ok, sounds good.

If you have no other problems I can help you with feel free to use the Mark Solved button at the top of the page.