Solved: Help : Trojan (s) trouble – HJT ++ log inside

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

munds

Thread Starter
Joined
Jul 5, 2007
Messages
12
I'm having this problem with my XP Pro (SP2), but it seems no one gives me a heads-up on this.
I know my machine has Trojans, but I can't seem to remove them.
(Explorer won't run on startup, but I work through Internet Explorer offline.)

Other post here:
http://forums.techguy.org/windows-nt-2000-xp/592094-windows-no-disk-error-c0000013.html

Ad-Aware found the problems below, and I'm currently running SuperAntiSpyware in safe mode.
(So far it has found Mezzia Trojan, Hiltquitlt, Winfixer, Downloader-Win/GH and Unknown Origin.)
(EDIT: Maybe SAS will fix my problem; I just started using it now.)

Anyway, HijackThis log below also.

Please help, I'm desperate.

scan 1

ADWARE.YAZZLE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[22]=File : C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
obj[24]=File : C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe

PURITYSCAN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[23]=File : C:\RECYCLER\S-1-5-21-1177238915-602609370-725345543-1003\Dc252.exe

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[25]=File : C:\WINDOWS\prefetch\YAZZLE1162OINADMIN.EXE-04B49B8B.pf
obj[26]=File : C:\WINDOWS\prefetch\YAZZLE1162OINUNINSTALLER.EXE-1CF2C10F.pf

scan 2

ADWARE.YAZZLE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=File : C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP314\A0049790.exe

PURITYSCAN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=File : C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP314\A0049791.exe

HijackThis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:03:55, on 06.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Orjan K\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beyondjazz.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55FA8A6E-37E7-47C8-B280-E04A4D4D7BA2} - C:\WINDOWS\system32\pmkhf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\nnnlkhh.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O20 - Winlogon Notify: nnnlkhh - C:\WINDOWS\SYSTEM32\nnnlkhh.dll
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 7415 bytes


Thanx so much.
 

munds

Thread Starter
Joined
Jul 5, 2007
Messages
12
Thanx for the reply, Cheeseball81.

The SuperAntiSpyware scan found the items listed, those being Mezzia Trojan, Hiltquitlt, Winfixer, Downloader-Win/GH and Unknown Origin Trojan.
I ran the scan in safe mode and fixed it with SAS. Then I rebooted and ran the scan again in normal mode. It found no items on the second scan.

But Ad-Aware, Spybot and AVG Anti-Spyware found some things; these problems were fixed, as they didn't appear when I ran new scans yesterday.

Ad-Aware found these items on that scan some days ago:
Adware.Tracking Cookie
C:\Documents and Settings\Orjan K\Cookies\orjan [email protected][2].txt
C:\Documents and Settings\Orjan K\Cookies\orjan [email protected][1].txt
C:\Documents and Settings\Orjan K\Cookies\orjan [email protected][1].txt

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0049962.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0049963.DLL

Trojan.Downloader-NoName
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0049964.EXE

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0051968.DLL

Ad-Aware fixed those, and they didn't appear in the scan made today.


Although AVG found spyware galore again earlier today, see report below:


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:40:39 10.07.2007

+ Scan result:



C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP313\A0049581.exe/crack.exe -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP318\A0052053.exe -> Downloader.Alphabet : No action taken.
C:\WINDOWS\system32\syswin.exe -> Downloader.Alphabet.k : No action taken.
C:\WINDOWS\system32\syswin6000.exe -> Downloader.Alphabet.k : No action taken.
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP313\A0049581.exe/keygen.exe -> Downloader.LoadAdv : No action taken.
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP313\A0049583.exe -> Downloader.LoadAdv : No action taken.
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP313\A0049582.exe -> Downloader.Small.eqn : No action taken.
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0051971.exe -> Logger.Alexa.a : No action taken.
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0051972.exe -> Logger.Alexa.a : No action taken.
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0051967.dll -> Trojan.Dialer.qn : No action taken.


::Report end

Applied action "delete" just now. Will post another HJT log in a sec.

(PS: I tried running SAS earlier today as well, but after 8 hours it was still scanning, so I had to quit it...)
 

munds

Thread Starter
Joined
Jul 5, 2007
Messages
12
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:38:34, on 10.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Documents and Settings\Orjan K\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beyondjazz.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 7651 bytes


Hope you can help.
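Added example, not from the thread or from HijackThis itself: a small Python triage script that parses the O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines from excerpts of the two logs posted above (embedded as constructed sample input), flags the pattern a helper looks for in a log like this (an unnamed BHO in system32 that is also registered as a Winlogon Notify handler, the classic Vundo/Virtumonde layout, plus a Run entry pointing at an executable dropped straight into C:\WINDOWS), and diffs the two logs to show which entries disappeared after the cleanup. The flags are leads for a human to check, not verdicts.

```python
import re
from collections import namedtuple

# Excerpts of the two HijackThis logs from this thread (constructed sample input).
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55FA8A6E-37E7-47C8-B280-E04A4D4D7BA2} - C:\WINDOWS\system32\pmkhf.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\nnnlkhh.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O20 - Winlogon Notify: nnnlkhh - C:\WINDOWS\SYSTEM32\nnnlkhh.dll
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll
"""

LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

Entry = namedtuple("Entry", "section name path")

# One regex per HJT section we care about; the GUID of an O2 line is not needed for triage.
PATTERNS = (
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+)$")),
    ("O4", re.compile(r"^O4 - (?P<hive>HK\S*): \[(?P<name>[^\]]+)\] (?P<path>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")),
)

WINDOWS_DIR = "c:\\windows"
SYSTEM_DIRS = {WINDOWS_DIR, WINDOWS_DIR + "\\system32"}


def parse_hjt(text):
    """Return the O2, O4 and O20 entries found in an HJT log; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, rx in PATTERNS:
            m = rx.match(line)
            if m:
                entries.append(Entry(section, m.group("name"), m.group("path").strip()))
                break
    return entries


def image_path(command):
    """Strip quotes and arguments from an O4 command, leaving the executable path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def parent_dir(path):
    """Lower-cased directory part of a Windows path ('' for a bare file name)."""
    p = path.lower().replace("/", "\\")
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Heuristic leads for a reviewer: list of (entry, reason). A lead is not a verdict."""
    notify_dlls = {basename(e.path) for e in entries if e.section == "O20"}
    findings = []
    for e in entries:
        if e.section == "O2" and e.name == "(no name)" and parent_dir(e.path) in SYSTEM_DIRS:
            reason = "unnamed BHO loaded from the system directory"
            if basename(e.path) in notify_dlls:
                reason += "; same DLL is also a Winlogon Notify handler (Vundo-style pairing)"
            findings.append((e, reason))
        elif e.section == "O20" and parent_dir(e.path) in SYSTEM_DIRS:
            findings.append((e, "Winlogon Notify DLL in the system directory runs at every logon; verify its publisher"))
        elif e.section == "O4" and parent_dir(image_path(e.path)) == WINDOWS_DIR:
            findings.append((e, "Run entry starts an executable dropped directly in the Windows directory"))
    return findings


def diff_logs(before, after):
    """Entries removed and added between two logs, compared case-insensitively."""
    key = lambda e: (e.section, e.name.lower(), e.path.lower())
    b = {key(e): e for e in before}
    a = {key(e): e for e in after}
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for e, why in triage(before):
        print(f"[{e.section}] {e.path}: {why}")
    removed, added = diff_logs(before, after)
    print("Removed since first log:", *[e.path for e in removed], sep="\n  ")
    print("Added since first log:", *[e.path for e in added], sep="\n  ")
```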
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Run ActiveScan online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When the download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.
 

munds

Thread Starter
Joined
Jul 5, 2007
Messages
12
Here's the ActiveScan report.

Incident Status Location

Potentially unwanted tool:Application/Psshutdown.A Not disinfected C:\Documents and Settings\Orjan K\Desktop\Gammel PC - fonter + div\Ørjan\Desktop\font icon etc\design_icons Folder\misc\Power\shutdown.exe
Potentially unwanted tool:Application/Psshutdown.A Not disinfected C:\Documents and Settings\Orjan K\Desktop\Nye bilder and stuff\font icon etc\design_icons Folder\misc\Power\shutdown.exe
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
The log looks okay. Are you getting any other detections? Minus the tracking cookies from Ad-Aware, which are harmless.
 

munds

Thread Starter
Joined
Jul 5, 2007
Messages
12
Well, my antivirus programme eTrust found C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\ just now, which is identified as a Vundo variant.
The programme deleted it, I think.

Not sure I'm completely in the clear though...
 

munds

Thread Starter
Joined
Jul 5, 2007
Messages
12
It seems the trojans keep appearing in the "C:\SYSTEM VOLUME INFORMATION\_RESTORE" folder.
If you see my post #3 higher up on this page, Ad-Aware also found trojans in this folder.

My point being, how come the trojans keep reappearing when the system seems safe, and the only pages on the internet I visit are Tech Support Guy and the online virus scan sites listed here?

Just wondering.
 

munds

Thread Starter
Joined
Jul 5, 2007
Messages
12
Kaspersky found some more things:

Wednesday, July 11, 2007 5:41:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/07/2007
Kaspersky Anti-Virus database records: 360771
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 127414
Number of viruses found 2
Number of infected objects 3 / 0
Number of suspicious objects 0
Duration of the scan process 01:48:29

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12162006-233421.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\cert8.db Object is locked skipped
C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\history.dat Object is locked skipped
C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\key3.db Object is locked skipped
C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\parent.lock Object is locked skipped
C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Orjan K\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Orjan K\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\History\History.IE5\MSHist012007071120070712\index.dat Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\Temp\hsperfdata_Orjan K\2132 Object is locked skipped
C:\Documents and Settings\Orjan K\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Orjan K\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Orjan K\ntuser.dat.LOG Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0049826.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP321\A0052423.exe Infected: Trojan-Downloader.Win32.Alphabet.k skipped
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP321\A0052424.exe Infected: Trojan-Downloader.Win32.Alphabet.k skipped
C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP322\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000000-00000000-00000009-00001102-00000004-10021102}.CDF Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP322\change.log Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027343.exe Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027344.dll Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027345.dll Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027346.exe Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027347.dll Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027348.exe Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027349.dll Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027350.exe Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027351.dll Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027352.dll Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027353.dll Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027354.exe Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027355.dll Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027356.inf Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027357.inf Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027358.cat Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027359.cat Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027360.exe Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027361.exe Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027362.ver Object is locked skipped
D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027363.ver Object is locked skipped


Still able to help, mate?
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
C:\SYSTEM VOLUME INFORMATION\_RESTORE is System Restore.
Turning it off, then back on again should flush those out.
 

munds

Thread Starter
Joined
Jul 5, 2007
Messages
12
Seems it did the trick, Cheeseball.
Thank you so much for your help.

I'll mark the post solved.

Oh, and just a quickie at the end here:

Why do some of the files in the last Kaspersky scan appear as "locked skipped"?
Are these potential trojan/virus hideouts?
I get the same message when I run other virus programmes as well.
 