outbenchthis (posted September 7, 2008)

Hi,

On my Windows XP PC, every time I open it I receive a window with this message:

"the application or dll c:\windows\system32\wowfx.dll is not a valid Windows image. Please verify with the installation disk."

I have AVG FREE installed and have performed a scan but still receive the wowfx.dll message. I also have Smitfraud and have scanned, which I was able to do, but then I restarted in safe mode to do the 'clean' process and it was unable to do the 'clean' because the wowfx.dll window message would not go away, so I still keep getting this message.

After reading a number of forums I noticed they all suggest the best way of dealing with the problem is to post a log.

Below you can find my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:07:16, on 7/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\USB Storage RW\shwicon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\connmngmntbox.exe
C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\ectaskscheduler.exe
C:\PROGRA~1\PANASO~1\PANASO~2\Elogerr.exe
C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\PANASO~1\PANASO~2\BROADC~1.EXE
C:\PROGRA~1\PANASO~1\PANASO~2\SCRFS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: PanasonicX700PCSoftwareSuite Detect.lnk = ?
O4 - Global Startup: PanasonicX700PCSoftwareSuite TS.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{127B6989-7FC9-4963-84A5-8AB81D0D6FCD}: NameServer = 85.255.115.42,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\..\{41BE3759-F7F4-4BCE-969F-6F86E114A44B}: NameServer = 85.255.115.42,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F42016-28FF-4C04-84C9-E535E54047E5}: NameServer = 85.255.115.42,85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.170
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7039 bytes

I would greatly appreciate any assistance. Thanks in advance.
sarahw (posted September 7, 2008)

Hi,

Welcome to the site.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode, so you will be unable to access this thread at that time. Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.

These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.
sarahw (posted September 7, 2008)

1. Registry edits can be potentially dangerous; we can revert to the backup if needed.

Go to Start » Run » type: regedit » OK.
On the left side, click to highlight My Computer at the top. Go up to File » Export.
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click Save and then go to File » Exit.

Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File » Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as fixme.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?" Answer Yes and wait for a message to appear similar to "Merged Successfully".

2. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\System32\spoolvs.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES.

Once it has fixed them, please exit/close HijackThis.

3. Please download OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator".)

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\ALCXMNTR.EXE
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\System32\spoolvs.exe
C:\WINDOWS\web

Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to Move" window (under the light yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

4. Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, the Advanced Options Menu should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double-click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot. Press any key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons. Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).

Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
outbenchthis (thread author, posted September 8, 2008)

Hi sarahw! Thanks for your help.

I have gone through step-by-step your list of instructions below. I have posted my new HijackThis log and the SDFix report (Report.txt). I also have a log from OTMoveIt2 that I can post for your analysis if you would like.

The window with the error message "the application or dll c:\windows\system32\wowfx.dll is not a valid Windows image. Please verify with the installation disk." has stopped popping up after following your directions!

Based on the new logs, what else needs to be done now?

Thanks in advance for your help.

------------------------------------------------------------------------
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:17, on 8/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\connmngmntbox.exe
C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\ectaskscheduler.exe
C:\PROGRA~1\PANASO~1\PANASO~2\Elogerr.exe
C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\PANASO~1\PANASO~2\BROADC~1.EXE
C:\PROGRA~1\PANASO~1\PANASO~2\SCRFS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: PanasonicX700PCSoftwareSuite Detect.lnk = ?
O4 - Global Startup: PanasonicX700PCSoftwareSuite TS.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{41BE3759-F7F4-4BCE-969F-6F86E114A44B}: NameServer = 85.255.115.42,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F42016-28FF-4C04-84C9-E535E54047E5}: NameServer = 85.255.115.42,85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.170
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6311 bytes

------------------------------------------------------------------------
SDFix report

SDFix: Version 1.222
Run by Administrator on Mon 08/09/2008 at 09:34

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Resetting SecurityProviders Value

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux1"="wdmaud.drv"
Restoring aux1 registry value to wdmaud.drv

Resetting AppInit_DLLs value

Rebooting

Checking Files :

Trojan Files Found:
C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted
C:\Program Files\altcmd\altcmd.inf - Deleted
C:\Program Files\altcmd\uninstall.bat - Deleted
C:\WINDOWS\rasqervy.dll - Deleted
C:\WINDOWS\sdfinacs.dll - Deleted
C:\WINDOWS\system32\Kernel32.exe - Deleted
C:\WINDOWS\wuasirvy.dll - Deleted
C:\WINDOWS\system32\41893321731.CPX - Deleted
C:\WINDOWS\system32\418933217312.CPX - Deleted
C:\WINDOWS\system32\418933217321.CPX - Deleted
C:\WINDOWS\system32\418933217331.CPX - Deleted
C:\WINDOWS\system32\418933217351.CPX - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted

Folder C:\Program Files\altcmd - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 09:44:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\62203.exe"="C:\\Documents and Settings\\Owner\\Application Data\\62203.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\64355.exe"="C:\\Documents and Settings\\Owner\\Application Data\\64355.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\14991.exe"="C:\\Documents and Settings\\Owner\\Application Data\\14991.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\62203.exe"="C:\\Documents and Settings\\Owner\\Application Data\\62203.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\64355.exe"="C:\\Documents and Settings\\Owner\\Application Data\\64355.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\14991.exe"="C:\\Documents and Settings\\Owner\\Application Data\\14991.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Jun 2008 37,888 ...H. --- "C:\Seabrook\~WRL1868.tmp"
Fri 14 Mar 2008 92,160 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc157.tmp"
Thu 17 Apr 2008 80,896 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc158.tmp"
Mon 5 Nov 2007 32,256 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc61.tmp"
Mon 5 Nov 2007 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc62.tmp"
Mon 5 Nov 2007 31,232 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc63.tmp"
Mon 5 Nov 2007 32,256 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc64.tmp"
Mon 5 Nov 2007 39,936 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc65.tmp"
Mon 5 Nov 2007 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc66.tmp"
Mon 5 Nov 2007 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc67.tmp"
Mon 5 Nov 2007 30,208 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc68.tmp"
Mon 5 Nov 2007 33,280 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc69.tmp"
Mon 5 Nov 2007 26,624 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc70.tmp"
Mon 5 Nov 2007 40,960 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc71.tmp"
Mon 5 Nov 2007 37,888 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc72.tmp"
Mon 5 Nov 2007 40,960 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc73.tmp"
Mon 5 Nov 2007 37,888 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc74.tmp"
Mon 5 Nov 2007 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc75.tmp"
Mon 5 Nov 2007 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc76.tmp"
Mon 5 Nov 2007 26,112 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc77.tmp"
Mon 5 Nov 2007 41,472 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc78.tmp"
Mon 5 Nov 2007 39,936 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc79.tmp"
Mon 5 Nov 2007 40,960 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc80.tmp"
Mon 5 Nov 2007 40,960 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc81.tmp"
Mon 5 Nov 2007 37,888 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc82.tmp"
Mon 5 Nov 2007 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc84.tmp"
Tue 24 Aug 2004 21,504 A..H. --- "C:\OLD C\Uni Stuff\Legal Theory\~WRL2803.tmp"
Sun 29 Aug 2004 65,536 ...H. --- "C:\Program Files\Panasonic\Panasonic X700\MCCIUSBUninstall.exe"
Fri 5 Sep 2003 25,088 A..H. --- "C:\Documents and Settings\Owner\My Documents\unistuff\~WRL2657.tmp"
Fri 5 Sep 2003 29,696 A..H. --- "C:\Documents and Settings\Owner\My Documents\unistuff\~WRL2700.tmp"
Sun 13 Nov 2005 20,480 A..H. --- "C:\OLD C\Uni Stuff\corporations\Exam\~WRL0216.tmp"
Sun 13 Nov 2005 20,480 A..H. --- "C:\OLD C\Uni Stuff\corporations\Exam\~WRL1427.tmp"
Sun 13 Nov 2005 19,968 A..H. --- "C:\OLD C\Uni Stuff\corporations\Exam\~WRL3371.tmp"
Fri 7 Oct 2005 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0023.tmp"
Fri 7 Oct 2005 42,496 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0114.tmp"
Fri 7 Oct 2005 39,424 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0248.tmp"
Fri 7 Oct 2005 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0321.tmp"
Fri 7 Oct 2005 29,696 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0328.tmp"
Fri 7 Oct 2005 26,624 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0385.tmp"
Fri 7 Oct 2005 43,520 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0406.tmp"
Fri 7 Oct 2005 46,080 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0494.tmp"
Fri 7 Oct 2005 31,744 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0502.tmp"
Thu 6 Oct 2005 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0557.tmp"
Fri 7 Oct 2005 38,912 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0580.tmp"
Thu 29 Sep 2005 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0803.tmp"
Fri 7 Oct 2005 46,592 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1028.tmp"
Mon 24 Oct 2005 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1074.tmp"
Fri 7 Oct 2005 24,576 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1159.tmp"
Fri 7 Oct 2005 48,128 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1348.tmp"
Mon 24 Oct 2005 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1578.tmp"
Fri 7 Oct 2005 79,872 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1586.tmp"
Fri 7 Oct 2005 48,640 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1688.tmp"
Fri 7 Oct 2005 78,848 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1807.tmp"
Fri 7 Oct 2005 28,672 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1844.tmp"
Fri 7 Oct 2005 78,336 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1845.tmp"
Fri 7 Oct 2005 50,176 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2157.tmp"
Fri 7 Oct 2005 37,376 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2285.tmp"
Fri 7 Oct 2005 80,384 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2329.tmp"
Fri 7 Oct 2005 38,400 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2339.tmp"
Fri 7 Oct 2005 41,472 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2465.tmp"
Fri 7 Oct 2005 38,912 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2503.tmp"
Fri 7 Oct 2005 37,888 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2685.tmp"
Fri 7 Oct 2005 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2780.tmp"
Fri 7 Oct 2005 44,544 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2877.tmp"
Mon 24 Oct 2005 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL3024.tmp"
Thu 29 Sep 2005 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL3679.tmp"
Fri 7 Oct 2005 38,912 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL3958.tmp"
Mon 24 Jul 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0014.tmp"
Mon 24 Jul 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0140.tmp"
Tue 8 Aug 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0476.tmp"
Mon 24 Jul 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0824.tmp"
Mon 24 Jul 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0965.tmp"
Mon 24 Jul 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1384.tmp"
Mon 24 Jul 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1429.tmp"
Mon 24 Jul 2006 29,696 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1507.tmp"
Mon 24 Jul 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1710.tmp"
Mon 24 Jul 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1969.tmp"
Mon 24 Jul 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2107.tmp"
Mon 24 Jul 2006 28,160 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2232.tmp"
Tue 8 Aug 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2257.tmp"
Mon 24 Jul 2006 27,648 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2347.tmp"
Mon 24 Jul 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2684.tmp"
Tue 8 Aug 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2697.tmp"
Mon 24 Jul 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2726.tmp"
Mon 24 Jul 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3008.tmp"
Mon 24 Jul 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3255.tmp"
Tue 8 Aug 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3491.tmp"
Mon 24 Jul 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3543.tmp"
Mon 24 Jul 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3962.tmp"
Mon 24 Jul 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL4080.tmp"
Wed 5 Apr 2006 25,600 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\internet Marketing\~WRL0645.tmp"
Tue 2 May 2006 65,536 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\InternationalAcc\~WRL2853.tmp"
Tue 2 May 2006 44,544 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\InternationalAcc\~WRL3836.tmp"
Thu 4 May 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL0023.tmp"
Thu 4 May 2006 45,568 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL0505.tmp"
Thu 4 May 2006 31,232 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL0798.tmp"
Thu 4 May 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL0907.tmp"
Thu 4 May 2006 28,672 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1027.tmp"
Thu 4 May 2006 27,648 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1387.tmp"
Thu 4 May 2006 28,672 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1573.tmp"
Thu 4 May 2006 31,744 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1938.tmp"
Thu 4 May 2006 29,696 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1940.tmp"
Thu 4 May 2006 44,032 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1948.tmp"
Thu 4 May 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2048.tmp"
Thu 4 May 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2110.tmp"
Thu 4 May 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2273.tmp"
Wed 14 Jun 2006 35,328 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2470.tmp"
Thu 4 May 2006 25,600 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2494.tmp"
Thu 4 May 2006 25,600 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2516.tmp"
Thu 4 May 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2553.tmp"
Thu 4 May 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2602.tmp"
Thu 4 May 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2633.tmp"
Wed 3 May 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2785.tmp"
Thu 4 May 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2929.tmp"
Thu 4 May 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2936.tmp"
Thu 4 May 2006 24,576 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2960.tmp"
Thu 4 May 2006 24,576 A..H.
--- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2986.tmp"Thu 4 May 2006 43,008 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2987.tmp"Thu 4 May 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3184.tmp"Thu 4 May 2006 25,600 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3323.tmp"Thu 4 May 2006 47,616 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3373.tmp"Thu 4 May 2006 30,208 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3393.tmp"Thu 4 May 2006 27,136 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3411.tmp"Wed 14 Jun 2006 42,496 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3420.tmp"Thu 4 May 2006 27,136 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3526.tmp"Thu 4 May 2006 30,208 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3606.tmp"Thu 4 May 2006 45,568 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3752.tmp"Thu 4 May 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3950.tmp"Thu 4 May 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3984.tmp"Wed 14 Jun 2006 34,304 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3997.tmp"Sun 9 Dec 2007 69,632 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~WRL2327.tmp"Tue 5 Jun 2007 50,176 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~WRL2844.tmp"Mon 17 Sep 2007 48,128 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0051.tmp"Mon 21 May 2007 46,080 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0193.tmp"Thu 11 Oct 2007 59,392 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0531.tmp"Wed 10 Oct 2007 58,368 ...H. 
--- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0597.tmp"Sun 5 Aug 2007 39,936 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0964.tmp"Tue 13 Nov 2007 63,488 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1166.tmp"Sun 4 Nov 2007 64,512 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1572.tmp"Fri 2 Nov 2007 64,512 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1698.tmp"Thu 30 Aug 2007 44,544 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2707.tmp"Sun 20 May 2007 46,080 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2882.tmp"Fri 14 Sep 2007 47,616 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3182.tmp"Fri 31 Aug 2007 49,152 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3242.tmp"Mon 17 Sep 2007 48,128 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3246.tmp"Tue 9 Oct 2007 53,760 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3510.tmp"Wed 6 Sep 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL0610.tmp"Wed 6 Sep 2006 30,720 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL1224.tmp"Wed 6 Sep 2006 31,232 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL2218.tmp"Wed 6 Sep 2006 31,232 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL3408.tmp"Wed 6 Sep 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL3889.tmp"Mon 25 Sep 2006 24,064 A..H. 
--- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0246.tmp"Mon 25 Sep 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0370.tmp"Mon 25 Sep 2006 20,480 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0548.tmp"Mon 25 Sep 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0736.tmp"Mon 25 Sep 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0813.tmp"Mon 25 Sep 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL1091.tmp"Mon 25 Sep 2006 19,456 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL1153.tmp"Mon 25 Sep 2006 19,456 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL1731.tmp"Mon 25 Sep 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL2666.tmp"Mon 25 Sep 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL2922.tmp"Mon 25 Sep 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL3526.tmp"Mon 25 Sep 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL3619.tmp"Thu 9 Nov 2006 37,888 A..H. 
--- "C:\OLD C\Uni Stuff\semester 2 2006\Property law\exams\~WRL1105.tmp"Thu 2 Nov 2006 37,888 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\Property law\exams\~WRL2981.tmp"Thu 9 Nov 2006 37,376 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\Property law\exams\~WRL3159.tmp"Tue 11 Apr 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0291.tmp"Tue 11 Apr 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0311.tmp"Tue 11 Apr 2006 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0531.tmp"Tue 11 Apr 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0641.tmp"Tue 11 Apr 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0765.tmp"Tue 11 Apr 2006 19,456 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0784.tmp"Tue 11 Apr 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0895.tmp"Tue 11 Apr 2006 20,480 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1257.tmp"Tue 11 Apr 2006 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1360.tmp"Tue 11 Apr 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1385.tmp"Tue 11 Apr 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1595.tmp"Tue 11 Apr 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1707.tmp"Tue 11 Apr 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2111.tmp"Tue 11 Apr 2006 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2612.tmp"Tue 11 Apr 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2685.tmp"Tue 11 Apr 2006 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2759.tmp"Tue 11 Apr 2006 22,528 A..H. 
--- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2827.tmp"Tue 11 Apr 2006 19,968 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3080.tmp"Tue 11 Apr 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3601.tmp"Tue 11 Apr 2006 35,840 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3657.tmp"Mon 10 Apr 2006 19,968 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3694.tmp"Tue 11 Apr 2006 19,456 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3721.tmp"Tue 11 Apr 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3992.tmp"Tue 11 Apr 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3999.tmp"Tue 11 Apr 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL4046.tmp"Sun 24 Sep 2006 2,159,104 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\New Folder\~WRL0618.tmp"Sun 24 Sep 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\New Folder\~WRL2537.tmp"Finished! Link to post Share on other sites
sarahw Posted September 8, 2008
Yes, I would like the OTMoveIT2 log.
outbenchthis Posted September 8, 2008 (Author)
Hi Sarah,
here is the OTMoveIt2 log.
Thanks
----------------------
File/Folder C:\WINDOWS\System32\ntos.exe not found.
LoadLibrary failed for C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wowfx.dll NOT unregistered.
C:\WINDOWS\system32\wowfx.dll moved successfully.
File/Folder C:\WINDOWS\system32\ALCXMNTR.EXE not found.
File/Folder C:\WINDOWS\System32\braviax.exe not found.
File/Folder C:\WINDOWS\System32\spoolvs.exe not found.
C:\WINDOWS\web\Wallpaper moved successfully.
C:\WINDOWS\web\printers\images moved successfully.
C:\WINDOWS\web\printers moved successfully.
C:\WINDOWS\web moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09082008_091946
sarahw Posted September 8, 2008
Can you please go to C:\_OTMoveIt\MovedFiles and look for a folder called: 09082008_091946
Can you please zip\rar that folder and upload it here: http://www.uploadmalware.com
outbenchthis Posted September 8, 2008 (Author)
Hi Sarah,
the OTMoveIt2 folder has been zipped and uploaded to uploadmalware.com as (09082008_091946.zip).
Thanks
sarahw Posted September 8, 2008
Please download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator, Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.
If Malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to your desktop.
NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:
Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.
In your next reply post the Malwarebytes' Anti-Malware log.
outbenchthis Posted September 8, 2008 (Author)
I ran Malwarebytes Anti-Malware and it found 28 objects infected, which I checked and removed successfully.
Here is the log file below.
Thanks
-------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.26
Database version: 1127
Windows 5.1.2600 Service Pack 1

8/09/2008 3:59:15 PM
mbam-log-2008-09-08 (15-59-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 122455
Time elapsed: 2 hour(s), 11 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 15
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42 85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{127b6989-7fc9-4963-84a5-8ab81d0d6fcd}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c8f42016-28ff-4c04-84c9-e535e54047e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42 85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{127b6989-7fc9-4963-84a5-8ab81d0d6fcd}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c8f42016-28ff-4c04-84c9-e535e54047e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42 85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{127b6989-7fc9-4963-84a5-8ab81d0d6fcd}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c8f42016-28ff-4c04-84c9-e535e54047e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\secdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\EndNote X Introductory.pdf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\temp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
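As an added example (not code from this thread or from Malwarebytes), here is a small Python checker that reads the "Registry Data Items Infected" entries from an MBAM log in the format posted above and reports, per control set, any DNS resolver that is neither private nor on an allowlist. The sample log lines are constructed in that same shape; the 192.168.1.1 resolver in the third line is made up to exercise the allowlist path.

```python
"""Audit the "Registry Data Items Infected" section of a Malwarebytes'
Anti-Malware (MBAM) log for DNS resolver hijacking (Trojan.DNSChanger
rewrites the Tcpip\\Parameters NameServer values, as in the log above).

Added example for this thread; not code from the thread or from Malwarebytes.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# One MBAM registry-data line:  <key> (<threat>) -> Data: <value> -> <action>
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<threat>[^()]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)
# Section headers such as "Registry Data Items Infected:" (the summary line
# "Registry Data Items Infected: 15" does not end in a colon and is skipped).
SECTION_RE = re.compile(r"^(?P<name>.+) Infected:$")
# Which control set a Tcpip key lives in; the log above shows the same
# resolvers written into ControlSet001, ControlSet003 and CurrentControlSet.
CONTROL_SET_RE = re.compile(
    r"\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\", re.IGNORECASE
)
# Only the DNS resolver values are of interest, not every registry data item.
RESOLVER_KEY_RE = re.compile(r"\\Tcpip\\Parameters\\.*(?:Dhcp)?NameServer$", re.IGNORECASE)

# Constructed sample in the shape of the MBAM log posted above.  The first two
# lines follow the posted format; the third uses a made-up private resolver
# (192.168.1.1) so the allowlist path is exercised.
SAMPLE_LOG = """\
Registry Data Items Infected: 3

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42 85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{127b6989-7fc9-4963-84a5-8ab81d0d6fcd}\\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{41be3759-f7f4-4bce-969f-6f86e114a44b}\\NameServer (Trojan.DNSChanger) -> Data: 192.168.1.1 -> Quarantined and deleted successfully.

Folders Infected:
C:\\WINDOWS\\system32\\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_registry_data_items(log_text: str) -> List[Dict[str, str]]:
    """Return the entries listed under 'Registry Data Items Infected:'."""
    entries: List[Dict[str, str]] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section != "Registry Data Items":
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries.append(entry.groupdict())
    return entries


def dns_servers_in(entry: Dict[str, str]) -> List[str]:
    """Split a NameServer/DhcpNameServer value (space- or comma-separated) into IPs."""
    servers = []
    for token in re.split(r"[ ,]+", entry["data"].strip()):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # not an address; ignore stray tokens
    return servers


def audit_dns_resolvers(entries: List[Dict[str, str]], trusted: Set[str],
                        allow_private: bool = True) -> Dict[str, List[str]]:
    """Map each control set to the sorted resolvers that are neither trusted
    nor (optionally) private.  An empty dict means nothing is suspect.

    Every control set is reported separately: a cleanup that only fixes
    CurrentControlSet leaves the hijacked values in the other sets, which
    can come back via a Last Known Good boot.
    """
    flagged: Dict[str, Set[str]] = defaultdict(set)
    for entry in entries:
        key = entry["key"]
        if not RESOLVER_KEY_RE.search(key):
            continue
        match = CONTROL_SET_RE.search(key)
        control_set = match.group("cs") if match else "unknown"
        for ip in dns_servers_in(entry):
            if ip in trusted:
                continue
            if allow_private and ipaddress.ip_address(ip).is_private:
                continue
            flagged[control_set].add(ip)
    return {cs: sorted(ips) for cs, ips in flagged.items()}


if __name__ == "__main__":
    found = parse_registry_data_items(SAMPLE_LOG)
    for control_set, ips in audit_dns_resolvers(found, trusted=set()).items():
        print(f"{control_set}: untrusted resolvers {', '.join(ips)}")
```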
sarahw Posted September 8, 2008
Please open the OTMoveIt2 by OldTimer. Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Program Files\rhcp2pj0e7bv
C:\Documents and Settings\Clementi\Application Data\rhcp2pj0e7bv
C:\WINDOWS\system32\kdizk.exe
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Post a Hijack This log with the OTMoveIt2 log in your reply.
outbenchthis Posted September 9, 2008 (Author)
Hi Sarahw,
below is the OTMoveIt2 log and the HijackThis log.
Thanks

OTMoveIt2
File/Folder C:\Program Files\rhcp2pj0e7bv not found.
File/Folder C:\Documents and Settings\Clementi\Application Data\rhcp2pj0e7bv not found.
File/Folder C:\WINDOWS\system32\kdizk.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09092008_110907
-------------------------------------------------------------------------
Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:11, on 9/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\connmngmntbox.exe
C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\ectaskscheduler.exe
C:\PROGRA~1\PANASO~1\PANASO~2\Elogerr.exe
C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\PANASO~1\PANASO~2\BROADC~1.EXE
C:\PROGRA~1\PANASO~1\PANASO~2\SCRFS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\OTMoveIt2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: PanasonicX700PCSoftwareSuite Detect.lnk = ?
O4 - Global Startup: PanasonicX700PCSoftwareSuite TS.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6018 bytes
sarahw Posted September 9, 2008
There was a problem with Mbam definitions.
These were deleted:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\secdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Open Mbam, click the Quarantine tab, and search for these entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv
C:\WINDOWS\system32\drivers\secdrv.sys
Select them, then click the Restore button.
Let me know when you have done this.
outbenchthis Posted September 9, 2008 (Author)
I have restored the four entries from the Quarantine tab in mbam.
Do you require another log?
Thanks
sarahw Posted September 10, 2008
Hi,
Can you please uninstall Malware Bytes Anti Malware. If you wish to keep it you can reinstall it from the above link.
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and Scan unwanted applications are checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
outbenchthis Posted September 10, 2008 (Author)
Hi Sarah,
Below is the ESET Online Scanner log.
Thanks
--------------------------------------------------------------------
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3430 (20080910)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=16abe310adb8b84088d22846f792c154
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-10 12:29:36
# local_time=2008-09-10 10:29:36 (+1000, E. Australia Standard Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 1
# scanned=492160
# found=2
# scan_time=14204
C:\Documents and Settings\Administrator\Desktop\catchme.zip a variant of Win32/Spy.Silentbanker trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »41893321731.CPX a variant of Win32/Spy.Silentbanker trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
sarahw Posted September 11, 2008
How is the computer running?
outbenchthis Posted September 13, 2008 (Author)

Hi Sarahw,

Sorry for my late reply. The computer is running much quicker now. Thank you very much for all your help!

I wanted to know a few things to ensure the computer will remain trojan and malware free. Can you tell me (or how can I tell) if I have a firewall? I currently have AVG 7.5 Free installed which scans periodically, but I wanted to know your expert opinion on whether to use an alternative or continue with this scanning program. Should I uninstall the programs HiJackThis, SDFix and OTMoveIt2 now that I've finished with them?

Thanks again for all your help, Sarah.

Regards,
Sean
sarahw Posted September 14, 2008

To find out if you have a firewall installed, go into Control Panel and open Security Center. You should be able to find information on all of your security products in there.

Please download OTCleanIt from HERE to your desktop.
Double click to run it. It will clean up the assortment of tools used during malware removal. When it has finished, it will ask you to reboot so it can remove itself.

You can now rehide your system files by using the reversal of these instructions HERE.

Congratulations, your log is now clean.

A well protected computer should have at least an Anti Virus and Firewall; an Anti Spyware is also a great addition to your computer's security. Here is a list of tools I like to recommend to people that will help ensure safe surfing on the internet, and to help you from getting infected again.

Note: DO NOT install more than one antivirus or Firewall program. They will conflict, and provide less protection, not more. Uninstall any existing Anti Virus\Firewall programs if you're going to install a new one.

Free Online Scans:
Free ActiveX and Java based online scans. You can use these scans from other companies and they will not interfere with your current Anti Virus. If you find that you are infected, post a HijackThis log in the forums.
Kaspersky online scan
Panda Online Scan
F-Secure Online Scan
TrendMicro HouseCall online scan
Bit Defender online scan

Free Temp Cleaners:
Use these tools to clean temporary files from IE and Windows, empty the recycle bin and more. A great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ATF Cleaner recommended.
CCleaner
ATF Cleaner

Free Firewall Downloads:
You must have a Firewall installed on your computer. This helps stop anything from leaving or entering your computer without your permission.
ZoneAlarm
Kerio Firewall

Free Anti Spyware Downloads:
An Antispyware is a great tool that can help remove infections alongside your Anti Virus. Some include real time protection, scheduled scans and automatic definition updates.
AVG Antispyware
A-Squared Antispyware
SpywareGuard
SpywareBlaster
SpywareTerminator
Spybot Search & Destroy
Ad-Aware

Free Anti Virus Downloads:
A must have for all computers. Avast! recommended.
SpywareTerminator with ClamAV enabled
AntiVir
Avast!
Grisoft AVG
Bit Defender Free
a² Free
Comodo BOClean
SuperAntiSpyware

Other Free Tools:
SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
IE-SpyAd - This tool puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Memtest86 - Great memory testing software.
CPU-Z - This application gives detailed information about your system in a nice layout.
Speedfan - Returns and monitors system temperatures.

Windows Updates
It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Useful Reading:
Slow Computer? HERE are some tips to speed it up.
Where do infections come from? How did I get an infection? Click HERE for some tips on preventing future infections.

If you have any other problems or questions be sure to ask.
outbenchthis Posted September 14, 2008 (Author)

Hi Sarahw,

Thanks! I'll go through all of your recommendations. If I have any questions in the future, I'll know where to ask.

Thanks again for all your help.
sarahw Posted September 17, 2008

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.