botanyrox
Private
Joined: Oct 13, 2007 Posts: 35
Posted: Wed Jul 09, 2008 11:52 am Post subject: HijackThis Log: 09/July/2008 - Lots of problems.
I suspect that I got this virus/worm/problem from a USB I borrowed from my dormmate. I didn't run the USB or press OK when it asked to Autoplay, since from my experience before, that is not a good thing. At first, the USB was empty but it said it had some program. So I asked my dormmate again to recopy the movie file I wanted and then I copied it on my comp. Since then, my computer has had problems.
Problem # 1: When I restarted the computer since it was really slow, it never goes to the Windows login screen but instead resets. So I reset it to Safe Mode and once there, I restarted. After that, I managed to get in my usual profile. However,
Problem # 2: It says something like "Cannot load user profile, cyclic error redundancy check". I forgot what exactly it said but anyway, after pressing OK in that notification, it loads Windows. However again,
Problem # 3: When I click on Start and hover my mouse pointer over "All Programs" to see my programs, my computer seriously slows down and the programs don't appear. Same when I try to click.
Problem # 4: I cannot run Firefox and Windows Live Messenger at the same time without the computer seriously freezing.
Problem # 5: I cannot open Microsoft Office Picture Manager anymore because of some "error", which was not the case before.
Problem # 6: When I double-click on Drive C in "My Computer", it says "Access is denied". However, I can access the drive some other way, just not by double-clicking on it.
Problem # 7: It slows down or freezes for maybe 1/2 seconds when I type something in the address bar.
Problem # 8: When I installed Adaware for the MRP, some files failed to install.
A lot of problems really... I don't know about any others but I'm sure there are. By the way, I just recently reformatted this computer (maybe 2 weeks ago) so I am sure this wasn't because of accumulated malware/viruses. It was really running superbly until this USB went in my computer. However, my dormmates who used the USB (running Vista) don't have any problems.
Also, I did the MRP multiple times and don't even get any more results or errors. I just did it to make sure I didn't have something that was easily fixable by MRP or that maybe I might have missed something.
Here is the latest log anyway. Thank you for reading.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:16 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [BisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 6257 bytes

Prince_Serendip
Site Moderator
Joined: Sep 07, 2002 Posts: 17542

botanyrox
Private
Joined: Oct 13, 2007 Posts: 35
Posted: Thu Jul 10, 2008 7:31 pm
Wow, faster than I expected. o_o Thank you.

Prince_Serendip
Site Moderator
Joined: Sep 07, 2002 Posts: 17542
Posted: Sun Jul 20, 2008 5:33 am
Now that you've made an entry at the Unhandled Logs topic, you need to post a fresh log here (below this post).
**NOTE: You have 2 weeks to post the updated log. Do not post it as a new topic. If your new updated log is not posted, this topic will be locked and your post removed from the Unhandled Logs topic list.
_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008

botanyrox
Private
Joined: Oct 13, 2007 Posts: 35
Posted: Mon Jul 21, 2008 11:07 am
Thanks. Here ya go:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:20 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [BisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 6266 bytes
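The logs in this thread are Trend Micro HijackThis v2 output: one entry per line, keyed by section (R0/R1 browser settings, O2 BHOs, O4 Run keys, O9 buttons, O16 DPF, O23 services). As an added illustration that is not part of this thread or of HijackThis itself, the Python below parses that format, applies the checks a log reader does by eye (an O2 BHO registered with "(no file)", an O4 Run value naming a bare file with no path, autostart or service binaries under a user or temp directory) and diffs an earlier log against a fresh one; the sample log is a constructed, shortened copy of lines from the first log above, and the follow-up log is constructed by dropping the two orphan BHO entries.

```python
"""Triage helpers for Trend Micro HijackThis v2 logs like the ones posted in this thread:
parse the log, apply the checks a reader does by eye, and diff an old log against a fresh one."""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section such as "O4", rest of the line)
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# A bare file name in a Run value (no drive, no directory): Windows has to search for it,
# so the log alone does not tell you which file actually runs.
UNQUALIFIED_RE = re.compile(r'^"?[^\\"/]+\.(exe|com|bat|cmd|scr)"?(\s|$)', re.I)
# Directories from which an autostart or service binary deserves a second look.
SUSPECT_DIRS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")
HEADER_KEYS = ("Logfile of ", "Scan saved at ", "Platform: ", "MSIE: ", "Boot mode: ")

# Constructed sample: a shortened log assembled from lines of the first log in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:16 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
--
End of file - 6257 bytes
"""
# Constructed follow-up log: the same machine after the two orphan BHO entries were removed.
SAMPLE_LOG_LATER = "\n".join(l for l in SAMPLE_LOG.splitlines() if "(no file)" not in l)


def parse_hjt(text: str) -> Dict[str, object]:
    header: Dict[str, str] = {}
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--" or line.startswith("End of file"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the first numbered entry ends the process list
            entries.append((m.group("kind"), m.group("body")))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            for key in HEADER_KEYS:
                if line.startswith(key):
                    header[key.rstrip(": ")] = line[len(key):]
    return {"header": header, "processes": processes, "entries": entries}


def triage(parsed: Dict[str, object]) -> List[str]:
    """Findings a log helper would want to look at; an empty list means nothing stood out."""
    findings: List[str] = []
    for kind, body in parsed["entries"]:
        if kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group("file") == "(no file)":
                findings.append(f"O2 orphan BHO {m.group('clsid')}: CLSID registered but no DLL on disk")
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            cmd = m.group("cmd")
            if UNQUALIFIED_RE.match(cmd):
                findings.append(f"O4 [{m.group('value')}] uses an unqualified path: {cmd.split()[0]}")
            elif any(d in cmd.lower() for d in SUSPECT_DIRS):
                findings.append(f"O4 [{m.group('value')}] starts from a user or temp directory: {cmd}")
        elif kind == "O23" and any(d in body.lower() for d in SUSPECT_DIRS):
            findings.append(f"O23 service binary in a user or temp directory: {body}")
    return findings


def diff_logs(old: Dict[str, object], new: Dict[str, object]) -> Tuple[List[Entry], List[Entry]]:
    """(added, removed) entries between two parsed logs; the order inside the log is ignored."""
    before, after = set(old["entries"]), set(new["entries"])
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    first, later = parse_hjt(SAMPLE_LOG), parse_hjt(SAMPLE_LOG_LATER)
    for finding in triage(first):
        print("*", finding)
    added, removed = diff_logs(first, later)
    print(f"fresh log: {len(added)} entries added, {len(removed)} removed")
```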

MauriceN
1st Responder Premium Member
Joined: May 20, 2006 Posts: 1035 Location: USA
Posted: Mon Jul 21, 2008 10:20 pm
Hello botanyrox,
Please do NOT run any other tools on your own or do any fixes other than what is listed here, or if directed by a forum moderator or forum admin.
Set Windows to show all files and all folders.
Bring up Windows Explorer / Tools / Folder Options / select the VIEW tab and look at all of the settings listed.
"CHECK" (turn on) Display the contents of system folders.
Under the column Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.
=
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account (User Profile).
=
Important! Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.
=
Download Deckard's System Scanner: http://www.techsupportforum.com/sectools/Deckard/dss.exe
SAVING it to your Desktop. Do NOT run it from the download site or straight from your browser.
- Close all applications and windows.
- Double-click on dss.exe to run the application; follow the prompts.
- When the scan is completed, a text file named Main.txt will open. Please save this file, then close Notepad.
- The folder C:\Deckard also will open. This folder will contain another text file named Extra.txt. Please save this file to your desktop, too, then exit Notepad.
Note: Your firewall may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
In a reply to this thread, please post the contents of Main.txt and Extra.txt (from above).
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply.
_________________
~Maurice Naggar
MS-MVP

botanyrox
Private
Joined: Oct 13, 2007 Posts: 35
Posted: Wed Jul 23, 2008 12:01 am
Thanks. Here is Main.txt
Deckard's System Scanner v20071014.68
Run by MOTHER OF ALL on 2008-07-22 22:19:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.
-- Last 1 Restore Point(s) --
1: 2008-07-22 14:19:35 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 503 MiB (512 MiB recommended).
-- HijackThis (run as MOTHER OF ALL.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:19 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Documents and Settings\MOTHER OF ALL\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MOTHER OF ALL.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [BisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 6185 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
All services whitelisted.
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_54051558&REV_00\4&6B16D5B&0&3AF0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_54051558&REV_00\4&6B16D5B&0&3AF0
Service:
-- Files created between 2008-06-22 and 2008-07-22 -----------------------------
2008-07-08 00:55:39 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\HouseCall 6.6
2008-07-07 19:23:25 0 dr-h----- C:\Documents and Settings\MOTHER OF ALL\Recent
2008-07-07 19:16:01 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Grisoft
2008-07-07 19:13:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-05 17:30:36 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Malwarebytes
2008-07-05 17:29:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 12:33:47 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-05 11:24:54 0 d-------- C:\Program Files\Panda Security
2008-07-05 07:43:36 0 d-------- C:\Documents and Settings\MOTHER OF ALL\.housecall6.6
2008-07-05 07:43:05 0 d-------- C:\WINDOWS\Sun
2008-07-05 07:43:05 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Sun
2008-07-05 05:14:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-05 01:39:40 0 d-------- C:\Program Files\Lavasoft
2008-07-05 01:39:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-05 01:38:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 01:09:40 0 d-------- C:\Program Files\CCleaner
2008-07-05 01:03:10 0 d-------- C:\Program Files\Trend Micro
2008-06-30 19:18:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-30 05:08:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-30 05:08:32 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-30 03:09:18 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Screenshot Sender
2008-06-30 03:08:28 0 d-------- C:\Program Files\Messenger Plus! Live
2008-06-30 01:27:11 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\LimeWire
2008-06-30 01:23:26 0 d-------- C:\Program Files\Java
2008-06-30 01:19:17 0 d-------- C:\Program Files\Common Files\Java
2008-06-30 00:19:59 0 d-------- C:\WINDOWS\network diagnostic
2008-06-25 20:21:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-25 09:52:23 0 d-------- C:\WINDOWS\system32\LogFiles
2008-06-23 00:59:51 0 d--hs---- C:\Documents and Settings\MOTHER OF ALL\UserData
2008-06-22 19:18:59 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Contacts
2008-06-22 19:16:49 0 d-------- C:\Program Files\MSN Messenger
2008-06-22 18:26:31 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-22 18:25:39 0 d-------- C:\Program Files\Windows Live
2008-06-22 18:25:28 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-22 18:22:16 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-22 18:22:13 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-22 16:20:27 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-22 11:29:04 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-22 11:28:59 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Mozilla
2008-06-22 11:25:29 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Macromedia
2008-06-22 11:25:29 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Adobe
2008-06-22 11:25:16 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Yahoo!
2008-06-22 11:21:34 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Application Data\Identities
2008-06-22 11:21:12 0 dr-h----- C:\Documents and Settings\MOTHER OF ALL\SendTo
2008-06-22 11:21:12 0 d--h----- C:\Documents and Settings\MOTHER OF ALL\PrintHood
2008-06-22 11:21:12 0 d--h----- C:\Documents and Settings\MOTHER OF ALL\NetHood
2008-06-22 11:21:12 0 dr------- C:\Documents and Settings\MOTHER OF ALL\My Documents
2008-06-22 11:21:12 0 d--h----- C:\Documents and Settings\MOTHER OF ALL\Local Settings
2008-06-22 11:21:12 0 dr------- C:\Documents and Settings\MOTHER OF ALL\Favorites
2008-06-22 11:21:12 0 d-------- C:\Documents and Settings\MOTHER OF ALL\Desktop
2008-06-22 11:21:12 0 d--hs---- C:\Documents and Settings\MOTHER OF ALL\Cookies
2008-06-22 11:21:12 0 d--h----- C:\Documents and Settings\MOTHER OF ALL\Application Data
2008-06-22 11:21:11 0 d--h----- C:\Documents and Settings\MOTHER OF ALL\Templates
2008-06-22 11:21:11 0 dr------- C:\Documents and Settings\MOTHER OF ALL\Start Menu
2008-06-22 11:21:11 4456448 --ah----- C:\Documents and Settings\MOTHER OF ALL\NTUSER.DAT
-- Find3M Report ---------------------------------------------------------------
2008-07-05 01:38:35 0 d-------- C:\Program Files\Common Files
2008-06-23 05:35:42 0 d-------- C:\Program Files\Messenger
2008-06-22 14:44:12 0 d-------- C:\Program Files\Yahoo!
2008-06-21 13:03:12 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-21 13:03:08 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-21 13:02:30 62 --ahs---- C:\Documents and Settings\MOTHER OF ALL\Application Data\desktop.ini
2008-06-21 11:44:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-21 10:29:19 0 d-------- C:\Program Files\XP Codec Pack
2008-06-21 10:20:56 0 d-------- C:\Program Files\CA
2008-06-21 09:59:07 0 d-------- C:\Program Files\Intel
2008-06-21 09:39:56 0 d-------- C:\Program Files\Motorola
2008-06-21 09:29:23 0 d-------- C:\Program Files\RALINK
2008-06-21 08:07:23 0 d-------- C:\Program Files\REALTEK RTL8187 Wireless LAN Driver
2008-06-21 08:06:09 0 d-------- C:\Program Files\Synaptics
2008-06-21 07:34:39 0 d-------- C:\Program Files\VIA
2008-06-21 07:34:31 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-21 05:59:34 0 d-------- C:\Program Files\Elantech
2008-06-21 05:55:05 0 d-------- C:\Program Files\Realtek Sound Manager
2008-06-21 05:55:05 0 d-------- C:\Program Files\AvRack
2008-06-21 05:33:35 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-21 05:14:58 0 d-------- C:\Program Files\microsoft frontpage
2008-06-21 05:14:32 0 -rahs---- C:\MSDOS.SYS
2008-06-21 05:14:32 0 -rahs---- C:\IO.SYS
2008-06-21 05:14:32 0 --a------ C:\CONFIG.SYS
2008-06-21 05:14:32 0 --a------ C:\AUTOEXEC.BAT
2008-06-21 05:13:08 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-21 05:13:03 0 d-------- C:\Program Files\Online Services
2008-06-21 05:11:59 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-21 05:11:46 0 d-------- C:\Program Files\Movie Maker
2008-06-21 05:10:47 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-21 05:10:06 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-21 05:09:54 0 d-------- C:\Program Files\Windows NT
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [08/18/2007 05:40 AM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [11/22/2006 05:31 PM]
"CaAvTray"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe" [06/21/2008 10:20 AM]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [06/21/2008 10:20 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [12/19/2007 11:08 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [12/19/2007 11:08 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [12/19/2007 11:07 AM]
"BisonTrayIcon"="C:\WINDOWS\BisonCam\BisonTrayIcon.exe" [09/05/2005 04:51 PM]
"BisonHK"="C:\WINDOWS\BisonCam\BisonHK.exe" [08/04/2006 06:15 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/10/2004 04:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/10/2004 04:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 04:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 04:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:56 AM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd4b7c4c-4cec-11dd-811b-0013020d1181}]
AutoRun\command- bar311.exe %1
Explore\command- bar311.exe %1
Open\command- bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd6aa59a-49c0-11dd-8113-0013020d1181}]
1\Command- F:\.\svchosts.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\svchosts.exe
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
8772 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-07-22 22:22:24 ------------
botanyrox
Private

 Joined: Oct 13, 2007 Posts: 35
Posted: Wed Jul 23, 2008 12:14 am Post subject:
Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Genuine Intel(R) CPU T2300 @ 1.66GHz
CPU 1: Genuine Intel(R) CPU T2300 @ 1.66GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 502.04 MiB / 212.74 MiB
Pagefile Memory (total/avail): 1224.21 MiB / 811.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.48 MiB
C: is Fixed (NTFS) - 36.92 GiB total, 30.24 GiB free.
D: is Fixed (FAT32) - 37.63 GiB total, 1.75 GiB free.
E: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - SAMSUNG HM080JI - 74.56 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 36.92 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 37.64 GiB - D:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AV: eTrust EZ Antivirus v7.0.8.1 (Computer Associates)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\MOTHER OF ALL\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=---
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\MOTHER OF ALL
LOGONSERVER=\\---
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MOTHER~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MOTHER~1\LOCALS~1\Temp
USERDOMAIN=---
USERNAME=MOTHER OF ALL
USERPROFILE=C:\Documents and Settings\MOTHER OF ALL
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
MOTHER OF ALL (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BisonCam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4A57592C-FF92-4083-97A9-92783BD5AFB4}\Setup.exe" -l0x9
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
eTrust EZ Antivirus --> C:\WINDOWS\unvet32.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LimeWire 4.18.3 --> "D:\Program Files\LimeWire\uninstall.exe"
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Motorola SM56 Data Fax Modem --> rundll32.exe sm56co6a.dll,SM56UnInstaller
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
-- Application Event Log -------------------------------------------------------
Event Record #/Type1927 / Error
Event Submitted/Written: 07/22/2008 07:28:12 PM
Event ID/Source: 1505 / Userenv
Event Description:
Windows cannot load the user's profile but has logged you on with the default profile for the system.
DETAIL - Data error (cyclic redundancy check).
Event Record #/Type1925 / Warning
Event Submitted/Written: 07/22/2008 07:06:30 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'WebDriveUserData', component '{CDF6204B-55B7-431F-95DC-524D52A2C576}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\WebDriveUserData' does not exist.
Event Record #/Type1924 / Warning
Event Submitted/Written: 07/21/2008 10:27:12 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'WordUserData', component '{8ADD2C93-C8B7-11D1-9C67-0000F81F1B38}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\UserData' does not exist.
Event Record #/Type1922 / Warning
Event Submitted/Written: 07/21/2008 10:25:40 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'OfficeUserData', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.
Event Record #/Type1914 / Error
Event Submitted/Written: 07/21/2008 06:53:51 PM
Event ID/Source: 1505 / Userenv
Event Description:
Windows cannot load the user's profile but has logged you on with the default profile for the system.
DETAIL - Data error (cyclic redundancy check).
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type7656 / Error
Event Submitted/Written: 07/22/2008 10:16:42 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.
Event Record #/Type7655 / Error
Event Submitted/Written: 07/22/2008 10:16:41 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.
Event Record #/Type7654 / Error
Event Submitted/Written: 07/22/2008 10:00:13 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.
Event Record #/Type7653 / Error
Event Submitted/Written: 07/22/2008 10:00:12 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.
Event Record #/Type7652 / Error
Event Submitted/Written: 07/22/2008 10:00:10 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.
-- End of Deckard's System Scanner: finished at 2008-07-22 22:22:24 ------------
MauriceN
1st Responder Premium Member
 Joined: May 20, 2006 Posts: 1035 Location: USA
Posted: Wed Jul 23, 2008 2:26 am Post subject:
This pc has signs of a Trojan.W32.MYTOB infection and an auto-mount infection. Likely from that USB flash drive you'd mentioned.
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member botanyrox only. If you are a lurker, do NOT try this on your system!
If you are not botanyrox and have a similar problem, do NOT post here; start your own topic.
Also, do not run or start any other programs while these utilities and tools are in use!
Please do NOT run any other tools on your own or do any fixes other than what is listed here, or if directed by a forum moderator or forum admin.
Turn off Ad-Aware Ad-Watch:
Right click on the Ad-Watch icon in the system tray if present.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both of those boxes.
Check up on Spybot & see if Tea Timer is active. If so, de-activate it, as it will interfere with the cleanup tools/tools procedures. Do that a.s.a.p.
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
=
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live.com/self.aspx/Public/FixPolicies.exe
- Double-click FixPolicies.exe.
- Click the "Install" button on the bottom toolbar of the box that will open.
- The program will create a new Folder called FixPolicies.
- Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
- A black box will briefly appear and then close.
- This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
=
Make sure all your USB flash drives are in-place & on-line to your pc at this time.
Please download Malwarebytes Anti-Malware from Here or Here
{If you already have MBAM, start it, click the Update Tab, Check for Updates, then click the OK button as prompted. Then click the Scanner tab.}
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform Quick Scan, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in a new reply as soon as it has finished.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=
Next, Close all applications and windows.
If you have an older copy of SDFix, delete it now.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual user account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back in a Reply here.
If you have any prior copy of ComboFix, delete it now. We always need to get the latest version.
Next, Download and SAVE ComboFix -- to your Desktop -- (Do NOT run the file straight away from download) from either of these two sources:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
Code:
KILLALL::
File::
F:\.\svchosts.exe
C:\.\svchosts.exe
C:\bar311.exe
F:\bar311.exe
C:\WINDOWS\system32\svchosts.exe
Folder::
C:\Program Files\WindowsUpdate
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd4b7c4c-4cec-11dd-811b-0013020d1181}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd6aa59a-49c0-11dd-8113-0013020d1181}]
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.
Do not run ComboFix more than once.
Once Complete, reboot!
Make sure all your USB flash drives are in-place & on-line to your pc.
I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.
Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.
Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
There is no GUI interface or log file produced.
Run Hijackthis
Then close all windows/applications/browsers and run hijackthis, saving the log.
After following the above, post back with:
1. MBAM log,
2. C:\SDFIX\Report.txt,
3. Contents of C:\Combofix.txt;
4. New Hijackthis log;
5. System status: How are things now?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
_________________
~Maurice Naggar
MS-MVP
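As an added illustration for readers of this thread (example code, not from MauriceN's post, DSS, ComboFix or any other tool named above): a Python script that reads the MountPoints2 part of a DSS-style registry dump, flags the per-drive AutoRun/Open/Explore handlers a helper would otherwise spot by eye, and emits the matching ComboFix Registry:: deletion lines. The sample dump and the suspicion heuristics are my own constructions based on the log posted earlier in this thread.

```python
"""Spot per-device AutoRun handlers in a DSS-style registry dump (added example).

Explorer keeps a MountPoints2 subkey per volume GUID it has seen.  A clean XP
install has no shell command values there; they appear once a volume's
autorun.inf names a program, which Explorer then runs when the drive is opened.
The sample dump below is constructed from the main.txt posted in this thread.
"""
import re
from typing import List, NamedTuple

SECTION_RE = re.compile(r"^-- (.+?) -+$")                # "-- Registry Dump ----"
KEY_RE = re.compile(r"^\[(.+)\]$")                       # "[HKEY_...]"
MOUNTPOINTS_RE = re.compile(
    r"^\[hkey_current_user\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$", re.IGNORECASE)
# DSS prints a shell command value as "<verb>\command- <program>"
COMMAND_RE = re.compile(r"^(?P<verb>[^\\]+)\\command-\s*(?P<cmd>.+)$", re.IGNORECASE)
MP_BASE = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"


class AutorunHandler(NamedTuple):
    guid: str
    verb: str        # AutoRun, Open, Explore, or a numeric verb such as "1"
    command: str     # what Explorer would launch; "%1" expands to the drive root
    reasons: List[str]


def suspicion(cmd: str) -> List[str]:
    """Why a MountPoints2 command deserves a look (heuristics chosen for this example)."""
    low = cmd.lower()
    program = low.split()[0].strip('"')
    reasons = []
    if not re.match(r"^[a-z]:\\", program) and not program.startswith("%"):
        reasons.append("unqualified program name: resolved relative to the device")
    if "\\.\\" in low or low.startswith(".\\") or " .\\" in low:
        reasons.append("dot-relative path: program sits in the device root")
    if "shellexec_rundll" in low:
        reasons.append("rundll32 ShellExec_RunDLL used as a launcher")
    if re.search(r"\bsvchost\w+\.exe", low):       # svchosts.exe, svchost32.exe, ...
        reasons.append("system-process lookalike name")
    if not reasons:
        reasons.append("shell command present under MountPoints2 at all")
    return reasons


def find_mountpoint_handlers(dump: str) -> List[AutorunHandler]:
    """Walk the '-- Registry Dump' section and collect MountPoints2 commands."""
    in_registry = False
    guid = None
    found: List[AutorunHandler] = []
    for raw in dump.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:                                   # any "-- Title ----" header
            in_registry = section.group(1).strip().lower() == "registry dump"
            guid = None
            continue
        if not in_registry:
            continue
        if KEY_RE.match(line):                        # a new [HKEY...] key begins
            mp = MOUNTPOINTS_RE.match(line)
            guid = mp.group(1).lower() if mp else None
            continue
        cmd = COMMAND_RE.match(line)
        if guid and cmd:
            text = cmd.group("cmd").strip()
            found.append(AutorunHandler(guid, cmd.group("verb"), text, suspicion(text)))
    return found


def removal_keys(handlers: List[AutorunHandler]) -> List[str]:
    """ComboFix 'Registry::' lines that delete each affected GUID key once."""
    keys: List[str] = []
    for h in handlers:
        entry = "[-" + MP_BASE + "\\" + h.guid + "]"
        if entry not in keys:
            keys.append(entry)
    return keys


SAMPLE_DSS = r"""-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:56 AM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd4b7c4c-4cec-11dd-811b-0013020d1181}]
AutoRun\command- bar311.exe %1
Explore\command- bar311.exe %1
Open\command- bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd6aa59a-49c0-11dd-8113-0013020d1181}]
1\Command- F:\.\svchosts.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\svchosts.exe
-- Hosts -----------------------------------------------------------------------
"""

if __name__ == "__main__":
    for h in find_mountpoint_handlers(SAMPLE_DSS):
        print(f"{h.guid} {h.verb:<8} {h.command}", "|", "; ".join(h.reasons))
    print("\n".join(removal_keys(find_mountpoint_handlers(SAMPLE_DSS))))
```

The Run key in the sample is deliberately left in to show that only MountPoints2 commands are reported; the same parser runs unchanged over a full main.txt.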
botanyrox
Private

 Joined: Oct 13, 2007 Posts: 35
Posted: Thu Jul 24, 2008 1:15 pm Post subject: #1 out of 5: MBAM log
Heya, thanks a lot. However, I haven't finished what you said because whenever I try to install TweakUI, it says there might have been an error because of a corrupt download. I deleted what I downloaded and tried to download it several times, but it doesn't seem to install... so I just proceeded to Flash Drive Disinfector.
First part: MBAM log
Malwarebytes' Anti-Malware 1.23
Database version: 985
Windows 5.1.2600 Service Pack 2
7:05:40 PM 7/24/2008
mbam-log-7-24-2008 (19-05-40).txt
Scan type: Quick Scan
Objects scanned: 37622
Time elapsed: 44 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 74
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gbplugin.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Brendom.htm (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SYSINFO.OCX (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mstcpmvd.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Win32.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windowsupdat.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msdoc.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows32.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\smss.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KB4182843.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cmzo.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\czlq.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bsyys.scr (Spyware.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\csrss.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bzts.exe (Adware.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\fqrl.exe (Adware.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lwbk.exe (Adware.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msnmsgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\\Programs\Startup\win.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\\Programs\Startup\GbpSvm.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ltul.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\toaw.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mccv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ncyc.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dniw.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ifmq.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\ANJWSOINHJ.EXE (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\anjwsoinhj.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exe (Trojan.Lop) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DW_Start.lnk (Malware.Links) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lans.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gabr.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\findfast.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\carlton (Dialer) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\infos.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.exe (Rogue.WinAntivirus) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Instant access (Adware.EGDAccess) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Join The Orgy (Adware.EGDAccess) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\GoRecord 2 (Adware.EGDAccess) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\GoAstro (Adware.EGDAccess) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\InternetGameBox (Adware.EGDAccess) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\SudoPlanet (Adware.EGDAccess) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\WebMediaPlayer (Adware.EGDAccess) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\MOTHER OF ALL\Local Settings\Application Data\Microsoft\Windows\sav.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\MOTHER OF ALL\Local Settings\Application Dat