Help please, need to get rid of trojan


Solved Help please, need to get rid of trojan

Post by Lauren421 on 22nd November 2008, 6:07 pm

The trojan started out as a generic!atr worm. I am running Windows XP and it also went onto my Windows Vista, so I have two computers I need help with to destroy this virus. Please, what do I do to get rid of it? How do I make sure it is fully gone?

Lauren421
Novice

Posts : 15
Joined : 2008-11-22
Gender : Female
OS : Windows XP
Points : 29390
# Likes : 0


Solved Re: Help please, need to get rid of trojan

Post by Belahzur on 22nd November 2008, 6:09 pm

Hello Lauren.
Welcome to Geekpolice.
If these two machines are on a network, please disconnect the two machines.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1


Solved Re: Help please, need to get rid of trojan

Post by Lauren421 on 22nd November 2008, 6:12 pm

This log is from the Desktop:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:12 PM, on 11/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
I:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
i:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
I:\Program Files\McAfee\VirusScan\McShield.exe
I:\Program Files\McAfee\MPF\MPFSrv.exe
I:\Program Files\McAfee\MSK\MskSrver.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\PROGRA~1\AVG\AVG8\avgrsx.exe
I:\WINDOWS\system32\svchost.exe
i:\PROGRA~1\mcafee.com\agent\mcagent.exe
I:\PROGRA~1\AVG\AVG8\avgemc.exe
I:\WINDOWS\system32\dllhost.exe
I:\WINDOWS\ehome\ehtray.exe
I:\WINDOWS\stsystra.exe
I:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
I:\WINDOWS\eHome\ehmsas.exe
I:\PROGRA~1\AVG\AVG8\avgtray.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
I:\WINDOWS\System32\svchost.exe
I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
I:\PROGRA~1\AVG\AVG8\avgscanx.exe
I:\Program Files\AVG\AVG8\avgui.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - i:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - I:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - I:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - I:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - I:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - I:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] I:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [OpwareSE2] "I:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [mcagent_exe] I:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - i:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - I:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - I:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - I:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - I:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

--
End of file - 8147 bytes


Solved Re: Help please, need to get rid of trojan

Post by Belahzur on 22nd November 2008, 6:16 pm

Hello.
We will clean the other machine, but let's get this one clean before we touch that machine.

There are no signs of malware in that log, but I do see you are running two AVs (antivirus programs): AVG and McAfee. Two AVs will conflict with each other and cause more problems.

Please uninstall McAfee.

Please Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras. Post both those logs here.
  • You may need to use two posts to get it all on the forum




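As an added example (not code from this thread, from HijackThis or from GeekPolice), the following Python script parses entry lines in the HijackThis log format shown above and reports which antivirus vendors own O23 services, which is the check behind the "two AVs" observation. The sample log is a constructed excerpt modelled on the posted log, and the vendor fingerprints are assumptions for the example.

```python
"""Triage helper for HijackThis-format logs (added example, not part of the
thread or of HijackThis). It parses the numbered entry lines, groups them by
code, and reports the antivirus vendors found among O23 services.
"""
import re
from collections import defaultdict

# Constructed excerpt in HijackThis 2.0.2 line format, modelled on the
# thread's log and abridged to the codes this example inspects.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - I:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [mcagent_exe] I:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - I:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry is "<code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# O23 bodies are "Service: <name> - <owner> - <image path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Vendor fingerprints are an assumption of this example; extend as needed.
AV_VENDORS = {
    "AVG": re.compile(r"\bAVG\b", re.I),
    "McAfee": re.compile(r"McAfee", re.I),
    "Symantec": re.compile(r"Symantec|Norton", re.I),
}


def parse_entries(text):
    """Return (code, body) tuples for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def parse_service(body):
    """Split an O23 body into name, owner and path; None if it is malformed."""
    m = SERVICE_RE.match(body)
    return m.groupdict() if m else None


def vendor_of(text):
    """Name of the first AV vendor whose fingerprint appears in text, else None."""
    for vendor, pattern in AV_VENDORS.items():
        if pattern.search(text):
            return vendor
    return None


def review(text):
    """Summarise a log: AV vendors per O23 service, unknown owners, footprint."""
    entries = parse_entries(text)
    by_code = defaultdict(list)
    for code, body in entries:
        by_code[code].append(body)

    av_services = defaultdict(list)   # vendor -> names of its services
    unknown_owner = []                # services HijackThis could not attribute
    for body in by_code["O23"]:
        svc = parse_service(body)
        if svc is None:
            continue
        if svc["owner"] == "Unknown owner":
            unknown_owner.append(svc["name"])
        vendor = vendor_of(svc["owner"] + " " + svc["path"])
        if vendor:
            av_services[vendor].append(svc["name"])

    footprint = defaultdict(int)      # vendor -> entries of any code naming it
    for code, body in entries:
        vendor = vendor_of(body)
        if vendor:
            footprint[vendor] += 1

    return {
        "entry_count": len(entries),
        "by_code": dict(by_code),
        "av_services": dict(av_services),
        "av_vendors": sorted(av_services),
        "multiple_av": len(av_services) > 1,
        "unknown_owner": unknown_owner,
        "footprint": dict(footprint),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print("AV vendors with services:", ", ".join(result["av_vendors"]))
    if result["multiple_av"]:
        print("More than one antivirus product is installed; they will conflict.")
    for name in result["unknown_owner"]:
        print("Service with unknown owner, review manually:", name)
```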

Solved Re: Help please, need to get rid of trojan

Post by Lauren421 on 22nd November 2008, 6:25 pm

OTViewIt Extras logfile created on: 11/22/2008 1:22:50 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = I:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\2HKLTY2X
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.09 Mb Total Physical Memory | 576.49 Mb Available Physical Memory | 56.40% Memory free
2.40 Gb Paging File | 2.03 Gb Available in Paging File | 84.66% Paging File free
Paging file location(s): I:\pagefile.sys 1536 3072;

%SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
Drive C: | 144.32 Gb Total Space | 144.18 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 298.08 Gb Total Space | 273.98 Gb Free Space | 91.92% Space Free | Partition Type: NTFS

Computer Name: LAUREN-FBB5CCF8
Current User Name: Lauren
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.chm [@ = chm.file] -- I:\WINDOWS\hh File not found
.hlp [@ = hlpfile] -- I:\WINDOWS\system32\winhlp32 File not found
.hta [@ = htafile] -- I:\WINDOWS\system32\mshta File not found
.html [@ = htmlfile] -- I:\Program Files\Internet Explorer\iexplore File not found
.inf [@ = inffile] -- I:\WINDOWS\system32\notepad File not found
.ini [@ = inifile] -- I:\WINDOWS\system32\notepad File not found
.js [@ = JSFile] -- I:\WINDOWS\system32\wscript File not found
.jse [@ = JSEFile] -- I:\WINDOWS\system32\wscript File not found
.reg [@ = regfile] -- I:\WINDOWS\regedit File not found
.txt [@ = txtfile] -- I:\WINDOWS\system32\notepad File not found
.vbe [@ = VBEFile] -- I:\WINDOWS\system32\wscript File not found
.vbs [@ = VBSFile] -- I:\WINDOWS\system32\wscript File not found
.wsf [@ = WSFFile] -- I:\WINDOWS\system32\wscript File not found
.wsh [@ = WSHFile] -- I:\WINDOWS\system32\wscript File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
File not found -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- I:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
File not found -- I:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil
File not found -- I:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
File not found -- I:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
File not found -- I:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
File not found -- I:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- I:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[2005/09/20 11:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) I:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2008/11/11 15:16:53 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) I:\Program Files\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])
msdaipp: [HKLM - No CLSID value]
[2005/09/20 11:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) I:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2005/09/20 11:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) I:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2007/03/14 12:10:22 | 07,255,384 | ---- | M] (Microsoft Corporation) I:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])
[2007/05/10 12:45:34 | 08,069,464 | ---- | M] (Microsoft Corporation) I:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2007/04/19 12:57:40 | 00,046,432 | ---- | M] (Microsoft Corporation) I:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========


Solved Re: Help please, need to get rid of trojan

Post by Lauren421 on 22nd November 2008, 6:25 pm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{08CA9554-B5FE-4313-938F-D4A417B81175}"=QuickTime
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}"=Roxio Central Data
"{098122AB-C605-4853-B441-C0A4EB359B75}"=DirectXInstallService
"{15095BF3-A3D7-4DDF-B193-3A496881E003}"=Microsoft .NET Framework 3.0
"{1B683082-8791-4D00-8ADE-6C8986FCCC68}"=Roxio CinePlayer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}"=Roxio Central Tools
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160060}"=Java(TM) 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java(TM) 6 Update 7
"{3249FD43-B24B-413F-B786-F8FEA32FA747}"=V CAST Music
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}"=iTunes
"{3E67A8DA-FE7B-4160-8465-F5571EA18753}"=Roxio Disc Gallery
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}"=Bonjour
"{491DD792-AD81-429C-9EB4-86DD3D22E333}"=Windows Communication Foundation
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}"=Apple Mobile Device Support
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}"=SmartSound Quicktracks Plugin
"{4CEA6811-DFAD-4892-828D-49941FE3B779}"=Intel(R) PROSet for Wired Connections
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}"=Roxio BackOnTrack
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}"=Sony USB Driver
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}"=Roxio File Backup
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}"=Roxio Central Audio
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}"=OmniPage SE 2.0
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}"=Windows Workflow Foundation
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}"=Roxio CinePlayer Decoder Pack
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{9941F0AA-B903-4AF4-A055-83A9815CC011}"=Sonic Encoders
"{9A9A1828-31D1-4590-A99F-022B7237AFAE}"=Roxio MediaShare
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}"=SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}"=Adobe Bridge 1.0
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}"=Roxio Central Copy
"{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}"=BlueSoleil
"{BAF78226-3200-4DB4-BE33-4D922A799840}"=Windows Presentation Foundation
"{BF83EFE2-C9F0-40D4-841C-2066668C1D7A}"=Roxio Easy Media Creator 10 Suite
"{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}"=Linksys Wireless-G USB Network Adapter
"{CA9A3609-3ECC-4574-8824-A8161A71A603}"=Canon MP150
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{EC877639-07AB-495C-BFD1-D63AF9140810}"=Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}"=Roxio Central Core
"{FA17A726-B229-4116-B793-A2AB1A4EAE2E}"=Adobe Premiere Pro 2.0
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1"=BitPim 1.0.5
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}"=Dell Resource CD
"{FDB46DE7-9045-47BB-970A-3E4ED5369E03}"=EMC 10 Content
"1Click DVD Copy 4.1"=1Click DVD Copy 4.1
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Premiere Pro 2.0"=Adobe Premiere Pro 2.0
"AVG8Uninstall"=AVG Free 8.0
"B3EE3001-DC24-4cd1-8743-5692C716659F"=Otto
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"Cool Edit Pro 2.0"=Cool Edit Pro 2.0
"DVD Decrypter"=DVD Decrypter (Remove Only)
"DVD43_is1"=DVD43 v3.5.3
"Handbrake"=Handbrake 0.9.2
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}"=SmartSound Quicktracks Plugin
"LG USB Drivers"=LG USB Drivers
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.0"=Microsoft .NET Framework 3.0
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"PROSet"=Intel(R) PRO Network Connections Drivers
"ThreatExpert Memory Scanner_is1"=ThreatExpert Memory Scanner 1.0
"VCast Music Essentials Manager"=V CAST Music Essentials Manager
"WIC"=Windows Imaging Component
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/7/2008 5:42:12 PM | Computer Name = LAUREN-FBB5CCF8 | Source = McLogEvent | ID = 5022
Description =

Error - 11/7/2008 5:44:52 PM | Computer Name = LAUREN-FBB5CCF8 | Source = McLogEvent | ID = 5022
Description =

Error - 11/7/2008 5:44:52 PM | Computer Name = LAUREN-FBB5CCF8 | Source = McLogEvent | ID = 5022
Description =

Error - 11/7/2008 5:46:23 PM | Computer Name = LAUREN-FBB5CCF8 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 4556, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 11/7/2008 5:46:23 PM | Computer Name = LAUREN-FBB5CCF8 | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 11/7/2008 5:46:26 PM | Computer Name = LAUREN-FBB5CCF8 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 4556, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 11/11/2008 1:35:09 PM | Computer Name = LAUREN-FBB5CCF8 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x72206562.

Error - 11/11/2008 1:35:17 PM | Computer Name = LAUREN-FBB5CCF8 | Source = Application Error | ID = 1001
Description = Fault bucket 247506802.

Error - 11/11/2008 1:35:24 PM | Computer Name = LAUREN-FBB5CCF8 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 11/11/2008 1:35:27 PM | Computer Name = LAUREN-FBB5CCF8 | Source = Application Error | ID = 1001
Description = Fault bucket 223121472.

[ System Events ]
Error - 11/11/2008 4:53:16 PM | Computer Name = LAUREN-FBB5CCF8 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/11/2008 4:54:32 PM | Computer Name = LAUREN-FBB5CCF8 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AvgLdx86 AvgMfx86 Fips intelppm mfehidk

Error - 11/11/2008 4:54:54 PM | Computer Name = LAUREN-FBB5CCF8 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 11/11/2008 4:54:55 PM | Computer Name = LAUREN-FBB5CCF8 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 11/11/2008 4:55:06 PM | Computer Name = LAUREN-FBB5CCF8 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McShield with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 11/11/2008 4:55:06 PM | Computer Name = LAUREN-FBB5CCF8 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 11/11/2008 4:55:36 PM | Computer Name = LAUREN-FBB5CCF8 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/11/2008 5:24:14 PM | Computer Name = LAUREN-FBB5CCF8 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/11/2008 5:25:47 PM | Computer Name = LAUREN-FBB5CCF8 | Source = Service Control Manager | ID = 7000
Description = The SessionLauncher service failed to start due to the following error:
%%3

Error - 11/22/2008 9:45:07 AM | Computer Name = LAUREN-FBB5CCF8 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service RoxMediaDB10
with arguments "" in order to run the server: {14EFC14B-A5E8-4CC7-8E8F-2E46FA6A3878}


< End of report >


Solved Re: Help please, need to get rid of trojan

Post by Lauren421 on 22nd November 2008, 6:26 pm

OTViewIt logfile created on: 11/22/2008 1:22:49 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = I:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\2HKLTY2X
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.09 Mb Total Physical Memory | 576.49 Mb Available Physical Memory | 56.40% Memory free
2.40 Gb Paging File | 2.03 Gb Available in Paging File | 84.66% Paging File free
Paging file location(s): I:\pagefile.sys 1536 3072;

%SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
Drive C: | 144.32 Gb Total Space | 144.18 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 298.08 Gb Total Space | 273.98 Gb Free Space | 91.92% Space Free | Partition Type: NTFS

Computer Name: LAUREN-FBB5CCF8
Current User Name: Lauren
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- I:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2008/11/11 15:16:42 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
[2008/03/28 17:34:00 | 00,072,704 | ---- | M] (Creative Labs) -- I:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
[2006/10/09 15:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\eHome\ehRecvr.exe
[2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\eHome\ehSched.exe
[2004/11/11 17:10:00 | 00,127,046 | ---- | M] (NVIDIA Corporation) -- I:\WINDOWS\system32\nvsvc32.exe
[2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\ehome\mcrdsvc.exe
[2008/11/11 15:16:42 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\PROGRA~1\AVG\AVG8\avgrsx.exe
[2008/11/11 15:16:43 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\PROGRA~1\AVG\AVG8\avgemc.exe
[2005/08/05 13:56:34 | 00,064,512 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\ehome\ehtray.exe
[2005/03/22 18:20:44 | 00,339,968 | ---- | M] (SigmaTel, Inc.) -- I:\WINDOWS\stsystra.exe
[2003/05/08 11:00:58 | 00,049,152 | ---- | M] (ScanSoft, Inc.) -- I:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
[2008/11/11 15:16:44 | 01,234,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\PROGRA~1\AVG\AVG8\avgtray.exe
[2005/08/05 13:56:28 | 00,046,592 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\eHome\ehmsas.exe
[2008/07/01 16:38:35 | 00,068,856 | ---- | M] (Google Inc.) -- I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[2008/08/23 00:56:15 | 00,635,848 | ---- | M] (Microsoft Corporation) -- I:\Program Files\Internet Explorer\iexplore.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\wuauclt.exe
[2008/04/13 19:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/11/22 13:22:47 | 00,422,400 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Lauren\Local Settings\Temporary Internet Files\Content.IE5\2HKLTY2X\OTViewIt[1].exe

========== (O23) Win32 Services ==========

File not found -- -- (aawservice [Auto | Running])
File not found -- -- (Adobe LM Service [Disabled | Stopped])
File not found -- -- (Alerter [Disabled | Stopped])
File not found -- -- (Apple Mobile Device [Disabled | Stopped])
File not found -- -- (AppMgmt [On_Demand | Stopped])
File not found -- -- (aspnet_state [On_Demand | Stopped])
File not found -- -- (avg8emc [Auto | Running])
File not found -- -- (avg8wd [Auto | Running])
[2008/08/23 22:42:37 | 00,000,000 | ---D | M] -- I:\WINDOWS\System32\bits -- (BITS [Auto | Running])
File not found -- -- (BlueSoleil Hid Service [Disabled | Stopped])
File not found -- -- (Bonjour Service [Disabled | Stopped])
File not found -- -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
File not found -- -- (COMSysApp [On_Demand | Running])
File not found -- -- (Creative Labs Licensing Service [Auto | Running])
File not found -- -- (DcomLaunch [Auto | Running])
[2008/03/09 14:38:10 | 00,000,000 | ---D | M] -- I:\WINDOWS\System32\dhcp -- (Dhcp [Auto | Running])
File not found -- -- (Dnscache [Auto | Running])
[2008/04/13 19:11:52 | 00,132,096 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\dot3svc.dll -- (Dot3svc [On_Demand | Stopped])
File not found -- -- (EapHost [On_Demand | Stopped])
File not found -- -- (ehRecvr [Auto | Running])
File not found -- -- (ehSched [Auto | Running])
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\eventlog.dll -- (Eventlog [Auto | Running])
File not found -- -- (EventSystem [On_Demand | Running])
File not found -- -- (FastUserSwitchingCompatibility [On_Demand | Running])
File not found -- -- (FontCache3.0.0.0 [On_Demand | Stopped])
File not found -- -- (gusvc [On_Demand | Stopped])
File not found -- -- (helpsvc [Auto | Running])
File not found -- -- (hkmsvc [On_Demand | Stopped])
File not found -- -- (HTTPFilter [On_Demand | Running])
File not found -- -- (idsvc [Unknown | Stopped])
File not found -- -- (ImapiService [On_Demand | Stopped])
File not found -- -- (iPod Service [Disabled | Stopped])
File not found -- -- (lanmanserver [Auto | Running])
File not found -- -- (lanmanworkstation [Auto | Running])
File not found -- -- (LmHosts [Auto | Running])
File not found -- -- (McrdSvc [Auto | Running])
File not found -- -- (Messenger [Disabled | Stopped])
[2004/08/10 04:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
[2008/03/09 19:51:36 | 00,000,000 | ---D | M] -- I:\WINDOWS\system32\msdtc -- (MSDTC [On_Demand | Stopped])
File not found -- -- (MSIServer [On_Demand | Stopped])
File not found -- -- (napagent [On_Demand | Stopped])
File not found -- -- (NetDDEdsdm [Disabled | Stopped])
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\netlogon.dll -- (Netlogon [On_Demand | Stopped])
File not found -- -- (NetSvc [On_Demand | Stopped])
File not found -- -- (NetTcpPortSharing [Disabled | Stopped])
File not found -- -- (Nla [On_Demand | Running])
File not found -- -- (NtLmSsp [On_Demand | Stopped])
File not found -- -- (NVSvc [Auto | Running])
File not found -- -- (ose [On_Demand | Stopped])
File not found -- -- (PlugPlay [Auto | Running])
File not found -- -- (PolicyAgent [Auto | Running])
File not found -- -- (ProtectedStorage [Auto | Running])
[2008/04/13 19:12:03 | 00,061,440 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\rasman.dll -- (RasMan [On_Demand | Running])
File not found -- -- (RDSessMgr [On_Demand | Stopped])
File not found -- -- (RemoteAccess [Disabled | Stopped])
File not found -- -- (RemoteRegistry [Auto | Running])
File not found -- -- (Roxio UPnP Renderer 10 [Disabled | Stopped])
File not found -- -- (Roxio Upnp Server 10 [Disabled | Stopped])
File not found -- -- (RoxLiveShare10 [Auto | Stopped])
File not found -- -- (RoxMediaDB10 [Disabled | Stopped])
File not found -- -- (RoxWatch10 [Disabled | Stopped])
File not found -- -- (RpcLocator [On_Demand | Stopped])
[2008/04/13 19:12:04 | 00,399,360 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\rpcss.dll -- (RpcSs [Auto | Running])
File not found -- -- (SamSs [Auto | Running])
File not found -- -- (Schedule [Auto | Running])
File not found -- -- (SessionLauncher [Disabled | Stopped])
File not found -- -- (SharedAccess [Auto | Running])
File not found -- -- (ShellHWDetection [Auto | Running])
File not found -- -- (Spooler [Auto | Running])
File not found -- -- (srservice [Auto | Running])
[2008/04/13 19:12:07 | 00,071,680 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\ssdpsrv.dll -- (SSDPSRV [Auto | Running])
File not found -- -- (stisvc [Auto | Running])
[2004/08/10 06:00:00 | 00,138,752 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\swprv.dll -- (SwPrv [On_Demand | Stopped])
File not found -- -- (SysmonLog [On_Demand | Stopped])
File not found -- -- (TermService [On_Demand | Running])
[2008/03/15 18:00:51 | 00,000,000 | ---D | M] -- I:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\Themes -- (Themes [Auto | Running])
[2008/04/13 19:12:08 | 00,185,856 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\upnphost.dll -- (upnphost [On_Demand | Stopped])
File not found -- -- (VSS [On_Demand | Stopped])
File not found -- -- (WebClient [Auto | Running])
File not found -- -- (winmgmt [Auto | Running])
File not found -- -- (WmdmPmSN [On_Demand | Stopped])
[2008/04/13 19:11:15 | 00,005,632 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\wmi.dll -- (Wmi [On_Demand | Stopped])
File not found -- -- (WmiApSrv [On_Demand | Stopped])
File not found -- -- (WMPNetworkSvc [On_Demand | Stopped])
[2006/09/28 17:56:14 | 00,055,808 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\WudfSvc.dll -- (WudfSvc [Auto | Running])

========== Driver Services ==========

[2008/04/13 13:46:20 | 00,048,128 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\drivers\61883.sys -- (61883 [On_Demand | Stopped])
[2008/03/09 20:39:58 | 00,019,915 | ---- | M] (Meetinghouse Data Communications) -- I:\WINDOWS\System32\drivers\AegisP.sys -- (AegisP [Auto | Running])
[2008/04/13 13:46:20 | 00,038,912 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\drivers\avc.sys -- (Avc [On_Demand | Stopped])
[2008/11/11 15:16:58 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
[2008/11/11 15:16:56 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
[2008/11/11 15:17:01 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgtdix.sys -- (AvgTdiX [Auto | Running])
[2005/05/31 14:40:20 | 00,020,480 | ---- | M] (IVT Corporation) -- I:\WINDOWS\System32\drivers\blueletaudio.sys -- (BlueletAudio [On_Demand | Running])
File not found -- -- (BT [On_Demand | Running])
File not found -- -- (BTHidEnum [On_Demand | Running])
[2005/04/30 13:50:10 | 00,028,271 | ---- | M] (IVT Corporation) -- I:\WINDOWS\System32\drivers\BTHidMgr.sys -- (BTHidMgr [Boot | Running])
[2004/12/16 15:32:54 | 00,013,304 | ---- | M] () -- I:\WINDOWS\System32\drivers\BTNetFilter.sys -- (BTNetFilter [On_Demand | Stopped])
[2004/12/13 16:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- I:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
[2008/03/15 17:36:57 | 00,018,816 | ---- | M] (RIF) -- I:\WINDOWS\System32\drivers\dvd43llh.sys -- (dvd43llh [On_Demand | Running])
File not found -- -- (e1express [On_Demand | Running])
[2008/01/29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- I:\WINDOWS\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
File not found -- -- (Gpc [On_Demand | Running])
[2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) -- I:\WINDOWS\System32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2006/05/11 11:30:52 | 00,247,808 | ---- | M] (Intel Corporation) -- I:\WINDOWS\System32\drivers\iaStor.sys -- (iastor [Boot | Running])
[2008/04/13 13:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2008/04/13 13:46:09 | 00,051,200 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\drivers\msdv.sys -- (MSDV [On_Demand | Stopped])
File not found -- -- (nv [On_Demand | Running])
File not found -- -- (PptpMiniport [On_Demand | Running])
[2004/08/10 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- I:\WINDOWS\System32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/07/26 02:00:00 | 00,043,872 | ---- | M] (Sonic Solutions) -- I:\WINDOWS\System32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
File not found -- -- (ROOTMODEM [On_Demand | Running])
[2007/08/18 02:09:04 | 00,057,328 | ---- | M] (Sonic Solutions) --


Post by Lauren421 on 22nd November 2008, 6:29 pm

I:\WINDOWS\System32\drivers\RxFilter.sys -- (RxFilter [Disabled | Stopped])
[2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- I:\WINDOWS\System32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2002/10/15 21:41:06 | 00,102,220 | ---- | M] (Sony Corporation) -- I:\WINDOWS\System32\drivers\sonypvs1.sys -- (sonypvs1 [On_Demand | Stopped])
[2005/06/14 17:40:08 | 00,180,864 | ---- | M] (SigmaTel, Inc.) -- I:\WINDOWS\System32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
[2008/07/22 19:32:44 | 00,032,000 | ---- | M] (Apple, Inc.) -- I:\WINDOWS\System32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2008/04/13 13:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2004/10/19 12:37:38 | 00,061,312 | ---- | M] (IVT Corporation) -- I:\WINDOWS\System32\drivers\VComm.sys -- (VComm [On_Demand | Running])
[2005/03/25 16:18:48 | 00,082,148 | ---- | M] (IVT Corporation) -- I:\WINDOWS\System32\drivers\VcommMgr.sys -- (VcommMgr [On_Demand | Running])
File not found -- -- (VgaSave [System | Running])
[2006/04/20 20:19:34 | 00,104,576 | R--- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\drivers\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])
File not found -- -- (WUSB54GPV4SRV [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=I:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://aol.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- I:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - I:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- I:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- I:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- I:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} (HKLM) -- I:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- I:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- I:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=I:\PROGRA~1\AVG\AVG8\avgtray.exe File not found
"ehTray"=I:\WINDOWS\ehome\ehtray.exe File not found
"NvCplDaemon"=RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"OpwareSE2"="I:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" File not found
"SigmatelSysTrayApp"=stsystra.exe File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=I:\WINDOWS\system32\ctfmon.exe File not found
"swg"=I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found

========== (O4) Startup Folders ==========

File not found -- I:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop
File not found -- I:\Documents and Settings\Lauren\Start Menu\Programs\Startup\desktop

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=I:\WINDOWS\Resources\Themes\Royale\Royale.mss -- File not found
"InstallTheme"=I:\WINDOWS\Resources\Themes\Royale.the -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=255
"_NoDriveTypeAutoRun"=145

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2007/04/19 13:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag File not found
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs File not found
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs [Messenger] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = [You must be registered and logged in to see this link.]
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: [You must be registered and logged in to see this link.] -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07
{9600F64D-755F-11D4-A47F-0001023E6D5A}: [You must be registered and logged in to see this link.] -- Shutterfly Picture Upload Plugin
{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_06
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07

========== (O17) DNS Name Servers ==========

{531F3E21-AFF8-4D0B-9C8A-CF8E0F3F94C8} (Servers: | Description: )
{8DF8743C-6960-4338-97AB-3F91E8AFDD6F} (Servers: | Description: )
{BDEAB5C4-4F71-494B-8FCA-BDE2F44523FA} (Servers: | Description: Intel(R) PRO/1000 PL Network Connection)
{D7BF3C5A-2EE1-48B7-9FE6-BB0E5463ED53} (Servers: | Description: Linksys Wireless-G USB Network Adapter)
{DE928B98-C57C-4375-8A1B-9803F0BB94C4} (Servers: | Description: 1394 Net Adapter)

========== (O20) AppInit_DLLs ==========


Post by Lauren421 on 22nd November 2008, 6:30 pm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=avgrsstx.dll
>[2008/11/11 15:17:01 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\system32\avgrsstx.dll

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=Explorer.exe
>File not found -- I:\WINDOWS\explorer

"UserInit"=I:\WINDOWS\system32\userinit.exe,
>File not found -- I:\WINDOWS\system32\userinit

"UIHost"=logonui.exe
>File not found -- I:\WINDOWS\system32\logonui

"VMApplet"=rundll32 shell32,Control_RunDLL "sysdm.cpl"
>File not found -- I:\WINDOWS\system32\sysdm


========== IFEO "Debugger" Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
Your Image File Name Here without a path:"Debugger" = I:\WINDOWS\system32\ntsd File not found

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

autorun.inf [[autorun] | open=setup.exe | ]
File not found -- I:\autorun -- [ NTFS ]


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b19d1a4a-16ed-11dd-b6b5-0014bf74a2b6}\Shell\AutoRun\command]
""=K:\WD_Windows_Tools\Setup.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[1 I:\WINDOWS\System32\*.tmp files]
[7 I:\WINDOWS\*.tmp files]
[2008/11/22 13:11:40 | 00,001,734 | ---- | C] () -- I:\Documents and Settings\Lauren\Desktop\HijackThis.lnk
[2008/11/22 13:11:38 | 00,000,000 | ---D | C] -- I:\Program Files\Trend Micro
[2008/11/12 20:23:36 | 00,202,071 | ---- | C] () -- I:\Documents and Settings\Lauren\My Documents\RipIt4Me.zip
[2008/11/11 18:32:02 | 00,455,296 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008/11/11 18:31:24 | 01,106,944 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\msxml3.dll
[2008/11/11 17:20:32 | 00,000,000 | R--D | C] -- I:\Documents and Settings\Lauren\My Documents\My Music
[2008/11/11 16:33:03 | 00,000,000 | ---D | C] -- I:\Program Files\ThreatExpert Memory Scanner
[2008/11/11 16:26:12 | 00,000,000 | ---D | C] -- I:\WINDOWS\pss
[2008/11/11 15:36:08 | 00,000,000 | -H-D | C] -- I:\$AVG8.VAULT$
[2008/11/11 15:17:02 | 00,001,507 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\AVG Free 8.0.lnk
[2008/11/11 15:17:01 | 00,076,040 | ---- | C] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgtdix.sys
[2008/11/11 15:17:01 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\avgrsstx.dll
[2008/11/11 15:16:58 | 00,097,928 | ---- | C] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgldx86.sys
[2008/11/11 15:16:56 | 00,026,824 | ---- | C] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgmfx86.sys
[2008/11/11 15:16:53 | 30,281,709 | ---- | C] () -- I:\WINDOWS\System32\drivers\Avg\incavi.avm
[2008/11/11 15:16:53 | 06,061,540 | ---- | C] () -- I:\WINDOWS\System32\drivers\Avg\avi7.avg
[2008/11/11 15:16:53 | 00,334,743 | ---- | C] () -- I:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2008/11/11 15:16:53 | 00,042,274 | ---- | C] () -- I:\WINDOWS\System32\drivers\Avg\microavi.avg
[2008/11/11 15:16:53 | 00,000,000 | ---D | C] -- I:\WINDOWS\System32\drivers\Avg
[2008/11/11 15:16:42 | 00,000,000 | ---D | C] -- I:\Program Files\AVG
[2008/11/11 15:16:42 | 00,000,000 | ---D | C] -- I:\Documents and Settings\All Users\Application Data\avg8
[2008/11/11 15:14:35 | 00,000,000 | ---D | C] -- I:\Documents and Settings\Lauren\My Documents\Roxio
[2008/11/09 18:00:11 | 00,000,000 | ---D | C] -- I:\Documents and Settings\Lauren\Desktop\Pics
[2008/11/08 13:03:03 | 00,000,000 | R--D | C] -- I:\Documents and Settings\Lauren\My Documents\My Pictures
[2008/11/07 16:57:38 | 00,333,824 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\srv.sys
[2008/11/07 16:56:05 | 01,846,400 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\win32k.sys
[2008/11/07 16:55:56 | 02,145,280 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/11/07 16:55:55 | 02,189,184 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/11/07 16:55:54 | 02,066,048 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/11/07 16:55:54 | 02,023,936 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/11/07 16:52:07 | 00,337,408 | ---- | C] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\netapi32.dll
[2008/11/07 16:51:19 | 00,000,793 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2008/11/07 16:51:03 | 00,000,000 | ---D | C] -- I:\Program Files\Common Files\Wise Installation Wizard
[2008/11/07 16:42:49 | 00,000,000 | ---D | C] -- I:\Documents and Settings\Lauren\My Documents\Bluetooth
[2008/11/07 16:38:37 | 00,000,000 | ---D | C] -- I:\WINDOWS\Temporary Internet Files
[2008/11/07 16:38:37 | 00,000,000 | ---D | C] -- I:\WINDOWS\System32\COLOR
[2008/11/07 16:38:37 | 00,000,000 | ---D | C] -- I:\WINDOWS\History
[2008/11/07 16:38:37 | 00,000,000 | ---D | C] -- I:\WINDOWS\Cookies
[2008/11/07 16:38:37 | 00,000,000 | ---D | C] -- I:\KPCMS
[2008/11/07 16:34:20 | 00,000,000 | ---D | C] -- I:\drvrtmp
[2008/11/07 16:34:20 | 00,000,000 | ---D | C] -- I:\Config.Msi
[2008/11/07 16:34:18 | 00,000,000 | ---D | C] -- I:\Program Files\LimeWire
[2008/11/07 16:34:06 | 00,000,000 | ---D | C] -- I:\Program Files\ComPlus Applications
[2008/11/07 16:20:48 | 00,000,000 | ---D | C] -- I:\Program Files\Webroot
[2008/11/07 16:20:48 | 00,000,000 | ---D | C] -- I:\Documents and Settings\Lauren\Application Data\Webroot
[2008/11/07 16:20:48 | 00,000,000 | ---D | C] -- I:\Documents and Settings\All Users\Application Data\Webroot
[2008/11/06 21:01:20 | 00,000,000 | ---D | C] -- I:\Documents and Settings\Lauren\My Documents\PcSetup
[2008/11/06 19:08:28 | 00,000,000 | -HSD | C] -- I:\WINDOWS\CSC
[2008/11/06 18:58:48 | 00,000,000 | ---D | C] -- I:\Program Files\Alwil Software

========== Files - Modified Within 30 Days ==========

[1 I:\WINDOWS\System32\*.tmp files]
[7 I:\WINDOWS\*.tmp files]
[2008/11/22 13:21:43 | 00,007,275 | ---- | M] () -- I:\WINDOWS\System32\nvapps.xml
[2008/11/22 13:21:15 | 00,000,006 | -H-- | M] () -- I:\WINDOWS\tasks\SA.DAT
[2008/11/22 13:21:03 | 00,002,048 | --S- | M] () -- I:\WINDOWS\bootstat.dat
[2008/11/22 13:11:41 | 00,001,734 | ---- | M] () -- I:\Documents and Settings\Lauren\Desktop\HijackThis.lnk
[2008/11/22 08:36:41 | 30,281,709 | ---- | M] () -- I:\WINDOWS\System32\drivers\Avg\incavi.avm
[2008/11/20 21:52:05 | 00,042,274 | ---- | M] () -- I:\WINDOWS\System32\drivers\Avg\microavi.avg
[2008/11/20 21:47:43 | 00,002,206 | ---- | M] () -- I:\WINDOWS\System32\wpa.dbl
[2008/11/12 22:06:34 | 03,771,818 | -H-- | M] () -- I:\Documents and Settings\Lauren\Local Settings\Application Data\IconCache.db
[2008/11/12 20:23:38 | 00,202,071 | ---- | M] () -- I:\Documents and Settings\Lauren\My Documents\RipIt4Me.zip
[2008/11/11 18:34:49 | 00,001,393 | ---- | M] () -- I:\WINDOWS\imsins.BAK
[2008/11/11 18:29:00 | 00,000,743 | ---- | M] () -- I:\WINDOWS\win.ini
[2008/11/11 18:29:00 | 00,000,253 | ---- | M] () -- I:\WINDOWS\system.ini
[2008/11/11 15:18:07 | 00,334,743 | ---- | M] () -- I:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2008/11/11 15:17:02 | 00,001,507 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\AVG Free 8.0.lnk
[2008/11/11 15:17:01 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgtdix.sys
[2008/11/11 15:17:01 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\avgrsstx.dll
[2008/11/11 15:16:58 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgldx86.sys
[2008/11/11 15:16:56 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- I:\WINDOWS\System32\drivers\avgmfx86.sys
[2008/11/11 15:16:53 | 06,061,540 | ---- | M] () -- I:\WINDOWS\System32\drivers\Avg\avi7.avg
[2008/11/08 13:02:20 | 00,009,728 | ---- | M] () -- I:\Documents and Settings\Lauren\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/07 17:05:59 | 00,245,512 | ---- | M] () -- I:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/07 16:51:19 | 00,000,793 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2008/11/07 16:46:26 | 00,462,976 | ---- | M] () -- I:\WINDOWS\System32\perfh009.dat
[2008/11/07 16:46:26 | 00,078,478 | ---- | M] () -- I:\WINDOWS\System32\perfc009.dat
[2008/11/07 16:28:41 | 00,000,734 | ---- | M] () -- I:\WINDOWS\System32\drivers\etc\HOSTS
[2008/11/06 18:59:09 | 00,002,626 | ---- | M] () -- I:\WINDOWS\System32\CONFIG.NT
[2008/11/03 19:10:25 | 17,318,336 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\MRT.exe
[2008/10/24 06:21:09 | 00,455,296 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\drivers\mrxsmb.sys
[2008/10/24 06:21:09 | 00,455,296 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\System32\dllcache\mrxsmb.sys
< End of report >


Post by Lauren421 on 22nd November 2008, 6:30 pm

OK... both are fully posted.


Post by Belahzur on 22nd November 2008, 6:35 pm

All looks clean.
What problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Post by Lauren421 on 22nd November 2008, 6:38 pm

When I ran AVG, it said the trojan was in McAfee quarantine, and it kept popping up in Ad-Aware.


Post by Lauren421 on 22nd November 2008, 6:39 pm

With the laptop, there is an MRU object that won't go away, and I think it is associated with Internet Explorer.


Post by Belahzur on 22nd November 2008, 6:42 pm

AVG said it was in McAfee quarantine? Then there's nothing to worry about; it's dead.
When you uninstalled McAfee, it probably took its stuff away with it, so it's gone now.
MRU cache is like temporary files; use this to clean it.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Close ATF-Cleaner.exe.



Post by Lauren421 on 22nd November 2008, 6:45 pm

Both computers don't have any trace of the worm anymore?


Post by Lauren421 on 22nd November 2008, 6:46 pm

Also, since I uninstalled McAfee, what antivirus should I use?

Thank you by the way for all the help.


Post by Belahzur on 22nd November 2008, 6:49 pm

You still have AVG on the system, so AVG should do fine. I just warned you about having two AVs and asked you only to uninstall one.

Some old versions of Java are my only concern here.

Press Start > Control Panel > Add/remove programs
Uninstall all of these by selecting each one and pressing the Remove button on the right.

Java(TM) 6 Update 6
Java(TM) 6 Update 7

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.

Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


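An added helper for the Java clean-up described in this post (not from the post or the forum): it reads the same Add/Remove Programs entries the steps above walk through, from the registry, and flags any runtime older than the 6 Update 10 release the post asks to install. It only reads and reports; the names it matches ("Java(TM) 6 Update 7", "J2SE Runtime Environment 5.0", "Java 2 Runtime Environment, SE v1.4.2") are the ones listed in the post, and the target version numbers are taken from it.

```powershell
# Added example, not from the thread: inventory Java runtimes registered in
# Add/Remove Programs and flag those older than the release the post recommends.
# Read-only: nothing is uninstalled; the report tells you what to remove by hand.
$TargetMajor  = 6     # "Java Runtime Environment (JRE) 6 Update 10" from the post
$TargetUpdate = 10

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit JRE on x64 Windows
)

function Get-InstalledJava {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java\(TM\)|J2SE|Java 2 Runtime)' } |
        ForEach-Object {
            $name = $_.DisplayName
            # "Java(TM) 6 Update 7" style names carry a major and an update number.
            # J2SE 5.0 and "Java 2 ... v1.4.2" names predate Java 6, so they are always outdated.
            $outdated = $true
            if ($name -match 'Java\(TM\) (?:SE Runtime Environment )?(\d+)(?: Update (\d+))?') {
                $major  = [int]$Matches[1]
                $update = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
                $outdated = ($major -lt $TargetMajor) -or
                            ($major -eq $TargetMajor -and $update -lt $TargetUpdate)
            }
            New-Object PSObject -Property @{
                DisplayName     = $name
                DisplayVersion  = $_.DisplayVersion
                UninstallString = $_.UninstallString   # what the Remove button runs
                Outdated        = $outdated
            }
        }
}

$installed = Get-InstalledJava
if (-not $installed) { Write-Host 'No Java runtime found in Add/Remove Programs.' }
$installed | Sort-Object DisplayName | Format-Table DisplayName, DisplayVersion, Outdated -AutoSize

$old = $installed | Where-Object { $_.Outdated }
if ($old) {
    Write-Host "`nRemove these via Add/Remove Programs before installing 6 Update 10:"
    $old | ForEach-Object { Write-Host "  $($_.DisplayName)" }
}
```

Re-run it after the reboot in the steps above: an empty "Outdated" column is the check that every old runtime really went before the new installer and JavaRa are run.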




Post by Lauren421 on 22nd November 2008, 7:03 pm

Did the laptop log look ok?



Post by Belahzur on 22nd November 2008, 7:08 pm

Yep.
Is the laptop okay now?






Post by Lauren421 on 22nd November 2008, 7:10 pm

I didn't do anything different to it yet. All of the things you told me to do I did to my desktop. My main concern is the laptop since it is newer.



Post by Belahzur on 22nd November 2008, 7:13 pm

Ah, well the logs were clean, so I wouldn't worry.






Post by Lauren421 on 22nd November 2008, 7:16 pm

Thank you very much



Post by Belahzur on 22nd November 2008, 7:18 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.






Post by Doctor Inferno on 1st December 2008, 2:12 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

