
Solved: Help : Trojan (s) trouble – HJT ++ log inside

Discussion in 'Virus & Other Malware Removal' started by munds, Jul 6, 2007.

Thread Status:
Not open for further replies.
  1. munds

    munds Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    I'm having this problem with my XP Pro (SP2), but it seems no one gives me a heads-up on this.
    I know my machine has Trojans, but I can't seem to remove them.
    (Explorer won't run on startup, but I work through Internet Explorer offline.)

    Other post here:
    http://forums.techguy.org/windows-nt-2000-xp/592094-windows-no-disk-error-c0000013.html

    Ad-Aware found the problems below, and I'm currently running SuperAntiSpyware in safe mode.
    (It has found so far Mezzia Trojan, Hiltquitlt, Winfixer, Downloader-Win/GH and Unknown Origin.)
    (EDIT: Maybe SAS will fix my problem, just started using it now..)

    Anyway, HijackThis log below also.

    Please help, I'm desperate.

    scan 1

    ADWARE.YAZZLE
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[22]=File : C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
    obj[24]=File : C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe

    PURITYSCAN
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[23]=File : C:\RECYCLER\S-1-5-21-1177238915-602609370-725345543-1003\Dc252.exe

    OTHER
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[25]=File : C:\WINDOWS\prefetch\YAZZLE1162OINADMIN.EXE-04B49B8B.pf
    obj[26]=File : C:\WINDOWS\prefetch\YAZZLE1162OINUNINSTALLER.EXE-1CF2C10F.pf

    scan 2

    ADWARE.YAZZLE
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[1]=File : C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP314\A0049790.exe

    PURITYSCAN
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[2]=File : C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP314\A0049791.exe

    HijackThis:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:03:55, on 06.07.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Orjan K\Desktop\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beyondjazz.net/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {55FA8A6E-37E7-47C8-B280-E04A4D4D7BA2} - C:\WINDOWS\system32\pmkhf.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\nnnlkhh.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
    O20 - Winlogon Notify: nnnlkhh - C:\WINDOWS\SYSTEM32\nnnlkhh.dll
    O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
    O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

    --
    End of file - 7415 bytes


    Thanx so much..
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Did SuperAntiSpyware finish running?
     
  3. munds

    munds Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    Thanx for the reply, Cheeseball81.

    The SuperAntiSpyware scan found the items listed, those being Mezzia Trojan, Hiltquitlt, Winfixer, Downloader-Win/GH and Unknown Origin Trojan.
    I ran the scan in safe mode and fixed it with SAS. Then I rebooted and ran the scan again in normal mode. Found no items on the second scan.

    But Ad-Aware, Spybot and AVG Anti-Spyware found some things; these problems were fixed, as they didn't appear when I ran new scans yesterday.

    Ad-Aware found these items on that scan some days ago:
    Adware.Tracking Cookie
    C:\Documents and Settings\Orjan K\Cookies\orjan [email protected][2].txt
    C:\Documents and Settings\Orjan K\Cookies\orjan [email protected][1].txt
    C:\Documents and Settings\Orjan K\Cookies\orjan [email protected][1].txt

    Trojan.Downloader-Gen/AVP
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0049962.EXE

    Trojan.Downloader-Gen/HitItQuitIt
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0049963.DLL

    Trojan.Downloader-NoName
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0049964.EXE

    Adware.Vundo Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0051968.DLL

    Ad-Aware fixed those, and they didn't appear in the scan made today..


    Although AVG found spyware galore again earlier today, see report below:


    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 21:40:39 10.07.2007

    + Scan result:



    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP313\A0049581.exe/crack.exe -> Adware.Virtumonde : No action taken.
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP318\A0052053.exe -> Downloader.Alphabet : No action taken.
    C:\WINDOWS\system32\syswin.exe -> Downloader.Alphabet.k : No action taken.
    C:\WINDOWS\system32\syswin6000.exe -> Downloader.Alphabet.k : No action taken.
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP313\A0049581.exe/keygen.exe -> Downloader.LoadAdv : No action taken.
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP313\A0049583.exe -> Downloader.LoadAdv : No action taken.
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP313\A0049582.exe -> Downloader.Small.eqn : No action taken.
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0051971.exe -> Logger.Alexa.a : No action taken.
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0051972.exe -> Logger.Alexa.a : No action taken.
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0051967.dll -> Trojan.Dialer.qn : No action taken.


    ::Report end

    Applied action "delete" just now. Will post another HJT log in a sec.

    (PS: tried running SAS earlier today as well, but after 8 hours it was still scanning, so I had to quit it...)
     
  4. munds

    munds Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 22:38:34, on 10.07.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\Documents and Settings\Orjan K\Desktop\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.beyondjazz.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

    --
    End of file - 7651 bytes


    Hope you can help.
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm

    Once you are on the Panda site click the Scan your PC button.
    A new window will open...click the Check Now button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address and click send.
    Select either Home User or Company.
    Click the big Scan Now button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    When download is complete, click on My Computer to start the scan.
    When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.
     
  6. munds

    munds Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    Here's the ActiveScan report.

    Incident Status Location

    Potentially unwanted tool:Application/Psshutdown.A Not disinfected C:\Documents and Settings\Orjan K\Desktop\Gammel PC - fonter + div\Ørjan\Desktop\font icon etc\design_icons Folder\misc\Power\shutdown.exe
    Potentially unwanted tool:Application/Psshutdown.A Not disinfected C:\Documents and Settings\Orjan K\Desktop\Nye bilder and stuff\font icon etc\design_icons Folder\misc\Power\shutdown.exe
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    The log looks okay. Are you getting any other detections? Minus the tracking cookies from Ad-Aware, which are harmless.
     
  8. munds

    munds Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    Well, my antivirus programme eTrust found C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\ just now, which is identified as a Vundo variant.
    The programme deleted it, I think..

    Not sure I'm completely in the clear, though...
     
  9. munds

    munds Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    It seems the Trojans keep appearing in the "C:\SYSTEM VOLUME INFORMATION\_RESTORE" folder.
    If you see my post #3 higher up on this page, Ad-Aware also found Trojans in this folder.

    My point being, how come the Trojans keep reappearing when the system seems safe, and the only pages on the internet I visit are Tech Support Guy and the online virus scan sites listed here?

    Just wondering.
     
  10. munds

    munds Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    Kaspersky found some more things:

    Wednesday, July 11, 2007 5:41:45 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 11/07/2007
    Kaspersky Anti-Virus database records: 360771
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    A:\
    C:\
    D:\
    E:\
    F:\
    Scan Statistics
    Total number of scanned objects 127414
    Number of viruses found 2
    Number of infected objects 3 / 0
    Number of suspicious objects 0
    Duration of the scan process 01:48:29

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12162006-233421.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\history.dat Object is locked skipped
    C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\key3.db Object is locked skipped
    C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Orjan K\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Orjan K\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
    C:\Documents and Settings\Orjan K\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rpflflp.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\History\History.IE5\MSHist012007071120070712\index.dat Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\Temp\hsperfdata_Orjan K\2132 Object is locked skipped
    C:\Documents and Settings\Orjan K\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Orjan K\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Orjan K\ntuser.dat.LOG Object is locked skipped
    C:\itouch_crash_info.txt Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP316\A0049826.exe Infected: Trojan.Win32.Dialer.qn skipped
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP321\A0052423.exe Infected: Trojan-Downloader.Win32.Alphabet.k skipped
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP321\A0052424.exe Infected: Trojan-Downloader.Win32.Alphabet.k skipped
    C:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP322\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\{00000000-00000000-00000009-00001102-00000004-10021102}.CDF Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{29FAEDFF-1E98-4036-B206-A43A7AC0C6FB}\RP322\change.log Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027343.exe Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027344.dll Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027345.dll Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027346.exe Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027347.dll Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027348.exe Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027349.dll Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027350.exe Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027351.dll Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027352.dll Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027353.dll Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027354.exe Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027355.dll Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027356.inf Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027357.inf Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027358.cat Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027359.cat Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027360.exe Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027361.exe Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027362.ver Object is locked skipped
    D:\System Volume Information\_restore{5BCFC560-AE6E-4847-A9B2-080239E410BC}\RP228\A0027363.ver Object is locked skipped


    Still able to help mate?
     
  11. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    C:\SYSTEM VOLUME INFORMATION\_RESTORE is System Restore.
    Turning it off, then back on again should flush those out.
     
  12. munds

    munds Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    Seems it did the trick, Cheeseball.
    Thank you so much for your help.

    I'll mark the post solved.

    Oh, and just a quickie at the end here:

    Why do some of the files in the last Kaspersky scan appear as "locked skipped"?
    Are these potential Trojan/virus hideouts?
    I get the same message when I run other virus programmes as well.
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    No, they aren't harmful at all.
     