Sponsored By

outbenchthis

Wowfx.dll Please Help[RESOLVED]

Recommended Posts

Hi,

On my Windows Xp PC, every time I open it I receive a window with this message:

"the application or dll c:\windows\system32\wowfx.dll is not a valid

Windows image. Please verify with the installation disk."

I have AVG FREE installed and have performed a scan but still recieve the wowfx.dll message. I also have Smitfraud and have scanned which I was able to do but then I restarted in safemode to do the 'clean' process but it was unable to do the 'clean' because wowfx.dll window message would not go away, so I still keep getting this message On my Windows Xp PC, every time I open it I receive a windows with this message:

"the application or dll c:\windows\system32\wowfx.dll is not a valid Windows image. Please verify with the installation disk."

After reading a number of forums I noticed they all suggest the best way of dealing

with the problem is to post a log.

Below you can find my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:07:16, on 7/09/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\USB Storage RW\shwicon.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\connmngmntbox.exe

C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\ectaskscheduler.exe

C:\PROGRA~1\PANASO~1\PANASO~2\Elogerr.exe

C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe

C:\PROGRA~1\PANASO~1\PANASO~2\BROADC~1.EXE

C:\PROGRA~1\PANASO~1\PANASO~2\SCRFS.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe

O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\System32\spoolvs.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: PanasonicX700PCSoftwareSuite Detect.lnk = ?

O4 - Global Startup: PanasonicX700PCSoftwareSuite TS.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{127B6989-7FC9-4963-84A5-8AB81D0D6FCD}: NameServer = 85.255.115.42,85.255.112.170

O17 - HKLM\System\CCS\Services\Tcpip\..\{41BE3759-F7F4-4BCE-969F-6F86E114A44B}: NameServer = 85.255.115.42,85.255.112.170

O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F42016-28FF-4C04-84C9-E535E54047E5}: NameServer = 85.255.115.42,85.255.112.170

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.170

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.170

O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

End of file - 7039 bytes

I would greatly appreciate any assistance. thanks in advance.

Share this post


Link to post
Share on other sites

Hi,

Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.

Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.

These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

Share this post


Link to post
Share on other sites

1.

Registry edits can be potentially dangerous; we can revert to the backup if needed.

Go to Start » Run » type: regedit » OK.

  • On the leftside, click to highlight My Computer at the top.
  • Go up to File » Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.

    [*]Choose to save it to C:\

    [*]Click save and then go to File » Exit.

Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as fixme.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

Locate fixme.reg on your Desktop. It should look like this --> reg.gif

Double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?" Answer Yes and wait for a message to appear similar to Merged Successfully.

2.

Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe

O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\System32\spoolvs.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis

3.

Please download the OTMoveIt2 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    C:\WINDOWS\System32\ntos.exe
    C:\WINDOWS\system32\wowfx.dll
    C:\WINDOWS\system32\ALCXMNTR.EXE
    C:\WINDOWS\System32\braviax.exe
    C:\WINDOWS\System32\spoolvs.exe
    C:\WINDOWS\web


  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

4.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Share this post


Link to post
Share on other sites

Hi sarahw!

thanks for your help.

I have gone through step-by-step your list of instructions

below I have posted my new hijackthis log and the SDfix report (report.txt).

I also have a log from OTMoveIt2 that I can post for your analysis if you would like.

The window with the error message "the application or dll c:\windows\system32\wowfx.dll is not a valid

Windows image. Please verify with the installation disk." has stopped popping up after following your directions!

Based on the new logs, what else needs to be done now?

Thanks in advance for your help.

------------------------------------------------------------------------

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:01:17, on 8/09/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\wuauclt.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\USB Storage RW\shwicon.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\connmngmntbox.exe

C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\ectaskscheduler.exe

C:\PROGRA~1\PANASO~1\PANASO~2\Elogerr.exe

C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe

C:\PROGRA~1\PANASO~1\PANASO~2\BROADC~1.EXE

C:\PROGRA~1\PANASO~1\PANASO~2\SCRFS.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: PanasonicX700PCSoftwareSuite Detect.lnk = ?

O4 - Global Startup: PanasonicX700PCSoftwareSuite TS.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{41BE3759-F7F4-4BCE-969F-6F86E114A44B}: NameServer = 85.255.115.42,85.255.112.170

O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F42016-28FF-4C04-84C9-E535E54047E5}: NameServer = 85.255.115.42,85.255.112.170

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.170

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.42 85.255.112.170

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

End of file - 6311 bytes

---------------------------------------------------------------------------------------------------------------------------------

SDfix report

SDFix: Version 1.222

Run by Administrator on Mon 08/09/2008 at 09:34

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Resetting SecurityProviders Value

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]

"aux1"="wdmaud.drv"

Restoring aux1 registry value to wdmaud.drv

Resetting AppInit_DLLs value

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted

C:\Program Files\altcmd\altcmd.inf - Deleted

C:\Program Files\altcmd\uninstall.bat - Deleted

C:\WINDOWS\rasqervy.dll - Deleted

C:\WINDOWS\sdfinacs.dll - Deleted

C:\WINDOWS\system32\Kernel32.exe - Deleted

C:\WINDOWS\wuasirvy.dll - Deleted

C:\WINDOWS\system32\41893321731.CPX - Deleted

C:\WINDOWS\system32\418933217312.CPX - Deleted

C:\WINDOWS\system32\418933217321.CPX - Deleted

C:\WINDOWS\system32\418933217331.CPX - Deleted

C:\WINDOWS\system32\418933217351.CPX - Deleted

C:\WINDOWS\system32\wowfx.dll - Deleted

Folder C:\Program Files\altcmd - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-08 09:44:11

Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"

"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Owner\\Application Data\\62203.exe"="C:\\Documents and Settings\\Owner\\Application Data\\62203.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Owner\\Application Data\\64355.exe"="C:\\Documents and Settings\\Owner\\Application Data\\64355.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Owner\\Application Data\\14991.exe"="C:\\Documents and Settings\\Owner\\Application Data\\14991.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"

"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Owner\\Application Data\\62203.exe"="C:\\Documents and Settings\\Owner\\Application Data\\62203.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Owner\\Application Data\\64355.exe"="C:\\Documents and Settings\\Owner\\Application Data\\64355.exe:*:Enabled:@xpsp2res.dll,-22019"

"C:\\Documents and Settings\\Owner\\Application Data\\14991.exe"="C:\\Documents and Settings\\Owner\\Application Data\\14991.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Jun 2008 37,888 ...H. --- "C:\Seabrook\~WRL1868.tmp"

Fri 14 Mar 2008 92,160 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc157.tmp"

Thu 17 Apr 2008 80,896 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc158.tmp"

Mon 5 Nov 2007 32,256 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc61.tmp"

Mon 5 Nov 2007 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc62.tmp"

Mon 5 Nov 2007 31,232 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc63.tmp"

Mon 5 Nov 2007 32,256 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc64.tmp"

Mon 5 Nov 2007 39,936 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc65.tmp"

Mon 5 Nov 2007 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc66.tmp"

Mon 5 Nov 2007 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc67.tmp"

Mon 5 Nov 2007 30,208 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc68.tmp"

Mon 5 Nov 2007 33,280 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc69.tmp"

Mon 5 Nov 2007 26,624 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc70.tmp"

Mon 5 Nov 2007 40,960 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc71.tmp"

Mon 5 Nov 2007 37,888 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc72.tmp"

Mon 5 Nov 2007 40,960 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc73.tmp"

Mon 5 Nov 2007 37,888 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc74.tmp"

Mon 5 Nov 2007 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc75.tmp"

Mon 5 Nov 2007 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc76.tmp"

Mon 5 Nov 2007 26,112 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc77.tmp"

Mon 5 Nov 2007 41,472 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc78.tmp"

Mon 5 Nov 2007 39,936 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc79.tmp"

Mon 5 Nov 2007 40,960 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc80.tmp"

Mon 5 Nov 2007 40,960 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc81.tmp"

Mon 5 Nov 2007 37,888 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc82.tmp"

Mon 5 Nov 2007 29,184 A..H. --- "C:\RECYCLER\S-1-5-21-3305781904-3999868759-2749077437-1003\Dc84.tmp"

Tue 24 Aug 2004 21,504 A..H. --- "C:\OLD C\Uni Stuff\Legal Theory\~WRL2803.tmp"

Sun 29 Aug 2004 65,536 ...H. --- "C:\Program Files\Panasonic\Panasonic X700\MCCIUSBUninstall.exe"

Fri 5 Sep 2003 25,088 A..H. --- "C:\Documents and Settings\Owner\My Documents\unistuff\~WRL2657.tmp"

Fri 5 Sep 2003 29,696 A..H. --- "C:\Documents and Settings\Owner\My Documents\unistuff\~WRL2700.tmp"

Sun 13 Nov 2005 20,480 A..H. --- "C:\OLD C\Uni Stuff\corporations\Exam\~WRL0216.tmp"

Sun 13 Nov 2005 20,480 A..H. --- "C:\OLD C\Uni Stuff\corporations\Exam\~WRL1427.tmp"

Sun 13 Nov 2005 19,968 A..H. --- "C:\OLD C\Uni Stuff\corporations\Exam\~WRL3371.tmp"

Fri 7 Oct 2005 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0023.tmp"

Fri 7 Oct 2005 42,496 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0114.tmp"

Fri 7 Oct 2005 39,424 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0248.tmp"

Fri 7 Oct 2005 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0321.tmp"

Fri 7 Oct 2005 29,696 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0328.tmp"

Fri 7 Oct 2005 26,624 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0385.tmp"

Fri 7 Oct 2005 43,520 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0406.tmp"

Fri 7 Oct 2005 46,080 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0494.tmp"

Fri 7 Oct 2005 31,744 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0502.tmp"

Thu 6 Oct 2005 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0557.tmp"

Fri 7 Oct 2005 38,912 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0580.tmp"

Thu 29 Sep 2005 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL0803.tmp"

Fri 7 Oct 2005 46,592 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1028.tmp"

Mon 24 Oct 2005 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1074.tmp"

Fri 7 Oct 2005 24,576 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1159.tmp"

Fri 7 Oct 2005 48,128 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1348.tmp"

Mon 24 Oct 2005 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1578.tmp"

Fri 7 Oct 2005 79,872 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1586.tmp"

Fri 7 Oct 2005 48,640 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1688.tmp"

Fri 7 Oct 2005 78,848 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1807.tmp"

Fri 7 Oct 2005 28,672 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1844.tmp"

Fri 7 Oct 2005 78,336 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL1845.tmp"

Fri 7 Oct 2005 50,176 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2157.tmp"

Fri 7 Oct 2005 37,376 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2285.tmp"

Fri 7 Oct 2005 80,384 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2329.tmp"

Fri 7 Oct 2005 38,400 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2339.tmp"

Fri 7 Oct 2005 41,472 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2465.tmp"

Fri 7 Oct 2005 38,912 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2503.tmp"

Fri 7 Oct 2005 37,888 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2685.tmp"

Fri 7 Oct 2005 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2780.tmp"

Fri 7 Oct 2005 44,544 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL2877.tmp"

Mon 24 Oct 2005 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL3024.tmp"

Thu 29 Sep 2005 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL3679.tmp"

Fri 7 Oct 2005 38,912 A..H. --- "C:\OLD C\Uni Stuff\semester 2, 2005\Marketing Communication\~WRL3958.tmp"

Mon 24 Jul 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0014.tmp"

Mon 24 Jul 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0140.tmp"

Tue 8 Aug 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0476.tmp"

Mon 24 Jul 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0824.tmp"

Mon 24 Jul 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL0965.tmp"

Mon 24 Jul 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1384.tmp"

Mon 24 Jul 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1429.tmp"

Mon 24 Jul 2006 29,696 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1507.tmp"

Mon 24 Jul 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1710.tmp"

Mon 24 Jul 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL1969.tmp"

Mon 24 Jul 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2107.tmp"

Mon 24 Jul 2006 28,160 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2232.tmp"

Tue 8 Aug 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2257.tmp"

Mon 24 Jul 2006 27,648 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2347.tmp"

Mon 24 Jul 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2684.tmp"

Tue 8 Aug 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2697.tmp"

Mon 24 Jul 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL2726.tmp"

Mon 24 Jul 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3008.tmp"

Mon 24 Jul 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3255.tmp"

Tue 8 Aug 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3491.tmp"

Mon 24 Jul 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3543.tmp"

Mon 24 Jul 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL3962.tmp"

Mon 24 Jul 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\media law\~WRL4080.tmp"

Wed 5 Apr 2006 25,600 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\internet Marketing\~WRL0645.tmp"

Tue 2 May 2006 65,536 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\InternationalAcc\~WRL2853.tmp"

Tue 2 May 2006 44,544 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\InternationalAcc\~WRL3836.tmp"

Thu 4 May 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL0023.tmp"

Thu 4 May 2006 45,568 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL0505.tmp"

Thu 4 May 2006 31,232 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL0798.tmp"

Thu 4 May 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL0907.tmp"

Thu 4 May 2006 28,672 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1027.tmp"

Thu 4 May 2006 27,648 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1387.tmp"

Thu 4 May 2006 28,672 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1573.tmp"

Thu 4 May 2006 31,744 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1938.tmp"

Thu 4 May 2006 29,696 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1940.tmp"

Thu 4 May 2006 44,032 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL1948.tmp"

Thu 4 May 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2048.tmp"

Thu 4 May 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2110.tmp"

Thu 4 May 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2273.tmp"

Wed 14 Jun 2006 35,328 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2470.tmp"

Thu 4 May 2006 25,600 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2494.tmp"

Thu 4 May 2006 25,600 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2516.tmp"

Thu 4 May 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2553.tmp"

Thu 4 May 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2602.tmp"

Thu 4 May 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2633.tmp"

Wed 3 May 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2785.tmp"

Thu 4 May 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2929.tmp"

Thu 4 May 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2936.tmp"

Thu 4 May 2006 24,576 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2960.tmp"

Thu 4 May 2006 24,576 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2986.tmp"

Thu 4 May 2006 43,008 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL2987.tmp"

Thu 4 May 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3184.tmp"

Thu 4 May 2006 25,600 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3323.tmp"

Thu 4 May 2006 47,616 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3373.tmp"

Thu 4 May 2006 30,208 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3393.tmp"

Thu 4 May 2006 27,136 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3411.tmp"

Wed 14 Jun 2006 42,496 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3420.tmp"

Thu 4 May 2006 27,136 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3526.tmp"

Thu 4 May 2006 30,208 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3606.tmp"

Thu 4 May 2006 45,568 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3752.tmp"

Thu 4 May 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3950.tmp"

Thu 4 May 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3984.tmp"

Wed 14 Jun 2006 34,304 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\Jurisprudence\~WRL3997.tmp"

Sun 9 Dec 2007 69,632 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~WRL2327.tmp"

Tue 5 Jun 2007 50,176 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~WRL2844.tmp"

Mon 17 Sep 2007 48,128 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0051.tmp"

Mon 21 May 2007 46,080 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0193.tmp"

Thu 11 Oct 2007 59,392 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0531.tmp"

Wed 10 Oct 2007 58,368 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0597.tmp"

Sun 5 Aug 2007 39,936 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0964.tmp"

Tue 13 Nov 2007 63,488 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1166.tmp"

Sun 4 Nov 2007 64,512 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1572.tmp"

Fri 2 Nov 2007 64,512 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1698.tmp"

Thu 30 Aug 2007 44,544 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2707.tmp"

Sun 20 May 2007 46,080 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2882.tmp"

Fri 14 Sep 2007 47,616 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3182.tmp"

Fri 31 Aug 2007 49,152 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3242.tmp"

Mon 17 Sep 2007 48,128 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3246.tmp"

Tue 9 Oct 2007 53,760 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3510.tmp"

Wed 6 Sep 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL0610.tmp"

Wed 6 Sep 2006 30,720 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL1224.tmp"

Wed 6 Sep 2006 31,232 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL2218.tmp"

Wed 6 Sep 2006 31,232 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL3408.tmp"

Wed 6 Sep 2006 29,184 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7010GSM Leadership Comm\~WRL3889.tmp"

Mon 25 Sep 2006 24,064 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0246.tmp"

Mon 25 Sep 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0370.tmp"

Mon 25 Sep 2006 20,480 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0548.tmp"

Mon 25 Sep 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0736.tmp"

Mon 25 Sep 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL0813.tmp"

Mon 25 Sep 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL1091.tmp"

Mon 25 Sep 2006 19,456 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL1153.tmp"

Mon 25 Sep 2006 19,456 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL1731.tmp"

Mon 25 Sep 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL2666.tmp"

Mon 25 Sep 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL2922.tmp"

Mon 25 Sep 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL3526.tmp"

Mon 25 Sep 2006 25,088 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\~WRL3619.tmp"

Thu 9 Nov 2006 37,888 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\Property law\exams\~WRL1105.tmp"

Thu 2 Nov 2006 37,888 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\Property law\exams\~WRL2981.tmp"

Thu 9 Nov 2006 37,376 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\Property law\exams\~WRL3159.tmp"

Tue 11 Apr 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0291.tmp"

Tue 11 Apr 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0311.tmp"

Tue 11 Apr 2006 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0531.tmp"

Tue 11 Apr 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0641.tmp"

Tue 11 Apr 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0765.tmp"

Tue 11 Apr 2006 19,456 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0784.tmp"

Tue 11 Apr 2006 23,040 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL0895.tmp"

Tue 11 Apr 2006 20,480 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1257.tmp"

Tue 11 Apr 2006 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1360.tmp"

Tue 11 Apr 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1385.tmp"

Tue 11 Apr 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1595.tmp"

Tue 11 Apr 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL1707.tmp"

Tue 11 Apr 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2111.tmp"

Tue 11 Apr 2006 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2612.tmp"

Tue 11 Apr 2006 23,552 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2685.tmp"

Tue 11 Apr 2006 33,280 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2759.tmp"

Tue 11 Apr 2006 22,528 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL2827.tmp"

Tue 11 Apr 2006 19,968 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3080.tmp"

Tue 11 Apr 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3601.tmp"

Tue 11 Apr 2006 35,840 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3657.tmp"

Mon 10 Apr 2006 19,968 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3694.tmp"

Tue 11 Apr 2006 19,456 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3721.tmp"

Tue 11 Apr 2006 20,992 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3992.tmp"

Tue 11 Apr 2006 21,504 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL3999.tmp"

Tue 11 Apr 2006 22,016 A..H. --- "C:\OLD C\Uni Stuff\semester 1 2006\intro to IB\assignment2\~WRL4046.tmp"

Sun 24 Sep 2006 2,159,104 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\New Folder\~WRL0618.tmp"

Sun 24 Sep 2006 26,112 A..H. --- "C:\OLD C\Uni Stuff\semester 2 2006\MBA (Practicum)[5449] - International IMBA [5457]\7028GSM Cross-Cultural Mgt\New Folder\~WRL2537.tmp"

Finished!

Share this post


Link to post
Share on other sites

Hi Sarah

here is the OTMoveit2 log

thanks

----------------------

File/Folder C:\WINDOWS\System32\ntos.exe not found.

LoadLibrary failed for C:\WINDOWS\system32\wowfx.dll

C:\WINDOWS\system32\wowfx.dll NOT unregistered.

C:\WINDOWS\system32\wowfx.dll moved successfully.

File/Folder C:\WINDOWS\system32\ALCXMNTR.EXE not found.

File/Folder C:\WINDOWS\System32\braviax.exe not found.

File/Folder C:\WINDOWS\System32\spoolvs.exe not found.

C:\WINDOWS\web\Wallpaper moved successfully.

C:\WINDOWS\web\printers\images moved successfully.

C:\WINDOWS\web\printers moved successfully.

C:\WINDOWS\web moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09082008_091946

Share this post


Link to post
Share on other sites

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).

Click Scan.

When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad.

Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.

Click the Logs tab.

Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.

Share this post


Link to post
Share on other sites

I ran Malwarebytes Anti-Malware and it found 28 objects infected, which I checked and removed successfully.

here is the log file below

Thanks

-------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.26

Database version: 1127

Windows 5.1.2600 Service Pack 1

8/09/2008 3:59:15 PM

mbam-log-2008-09-08 (15-59-15).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 122455

Time elapsed: 2 hour(s), 11 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 15

Folders Infected: 3

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42 85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{127b6989-7fc9-4963-84a5-8ab81d0d6fcd}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c8f42016-28ff-4c04-84c9-e535e54047e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42 85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{127b6989-7fc9-4963-84a5-8ab81d0d6fcd}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c8f42016-28ff-4c04-84c9-e535e54047e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42 85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{127b6989-7fc9-4963-84a5-8ab81d0d6fcd}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{41be3759-f7f4-4bce-969f-6f86e114a44b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c8f42016-28ff-4c04-84c9-e535e54047e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.42,85.255.112.170 -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\secdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\EndNote X Introductory.pdf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\temp.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Share this post


Link to post
Share on other sites

Please open the OTMoveIt2 by OldTimer.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    C:\Program Files\rhcp2pj0e7bv
    C:\Documents and Settings\Clementi\Application Data\rhcp2pj0e7bv
    C:\WINDOWS\system32\kdizk.exe


  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post a Hijack This log with the OTMoveIt2 log in your reply.

:)

Share this post


Link to post
Share on other sites

Hi Sarahw

below is the OTMoveIt2 log and the Hijackthis log

thanks

OTMoveIt2

File/Folder C:\Program Files\rhcp2pj0e7bv not found.

File/Folder C:\Documents and Settings\Clementi\Application Data\rhcp2pj0e7bv not found.

File/Folder C:\WINDOWS\system32\kdizk.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09092008_110907

-------------------------------------------------------------------------

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:11:11, on 9/09/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\USB Storage RW\shwicon.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\connmngmntbox.exe

C:\Program Files\Panasonic\Panasonic X700 PC Software Suite\ectaskscheduler.exe

C:\PROGRA~1\PANASO~1\PANASO~2\Elogerr.exe

C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe

C:\PROGRA~1\PANASO~1\PANASO~2\BROADC~1.EXE

C:\PROGRA~1\PANASO~1\PANASO~2\SCRFS.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\OTMoveIt2.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: PanasonicX700PCSoftwareSuite Detect.lnk = ?

O4 - Global Startup: PanasonicX700PCSoftwareSuite TS.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

End of file - 6018 bytes

Share this post


Link to post
Share on other sites

There was a problem with Mbam definitions.

These were deleted:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\secdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Open Mbam, click the Quarantine tab, and search for these entries.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv

C:\WINDOWS\system32\drivers\secdrv.sys

Select them, then click the Restore button.

Let me know when you have done this.

Share this post


Link to post
Share on other sites

Hi,

Can you please uninstall Malware Bytes Anti Malware. If you wish to keep it you can reinstall it from the above link.

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Share this post


Link to post
Share on other sites

Hi Sarah,

Below is the ESET Online Scanner log

Thanks

--------------------------------------------------------------------

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=3430 (20080910)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.064 (20070717)

# EOSSerial=16abe310adb8b84088d22846f792c154

# end=finished

# remove_checked=true

# unwanted_checked=true

# utc_time=2008-09-10 12:29:36

# local_time=2008-09-10 10:29:36 (+1000, E. Australia Standard Time)

# country="Australia"

# osver=5.1.2600 NT Service Pack 1

# scanned=492160

# found=2

# scan_time=14204

C:\Documents and Settings\Administrator\Desktop\catchme.zip a variant of Win32/Spy.Silentbanker trojan (deleted) 00000000000000000000000000000000

C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »41893321731.CPX a variant of Win32/Spy.Silentbanker trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

Share this post


Link to post
Share on other sites

Hi Sarahw,

Sorry for my late reply. The computer is running much quicker now. Thank you very much for all your help!

I wanted to know a few things to ensure the computer will remain trojan and malware free.

Can you tell me (or how can I tell) if I have a firewall?

I currently have AVG 7.5 Free installed which scans periodically but I wanted to know your expert opinion on whether to use an alternative or continue with this scanning program.

Should I uninstall the programs HiJackThis, SDFix and OTMoveIT2 now that I've finished with them?

Thanks again for all your help, Sarah.

Regards,

Sean

Share this post


Link to post
Share on other sites

To find out if you have a firewall installed, go into Control Panel and open Security Center. You should be able to find information on all of your security products in there.

Please download OTCleanIt from HERE to your desktop.

Double click to run it. It will clean up the assortment of tools used during malware removal. When it has finnished, it will ask you to reboot so it can remove itself.

You can now Rehide your system files by using the reversal of these instructions HERE

Congratulations, your log is now clean. :thumbsup:

A well protected computer should have at least an Anti Virus and Firewall, an Anti Spyware is also great addition to your computers security. Here is a list of tools I like to recommend to people that will help ensure safe surfing on the internet, and to help you from getting infected again.

Note: DO NOT install more than one antivirus or Firewall program. They will conflict, and provide less protection, not more. Uninstall any existing Anti Virus\Firewall programs if you're going to install a new one.

Free Online Scans:

Free Active X and Java based online scans. You can use these scans from other companies and it will not interfere with your current Anti Virus. If you find that you are infected, post a Hijack This log in the forums.

Free Temp Cleaners:

Use these tools to clean temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ATF cleaner recommended.

Free Firewall Downloads:

You must have a Firewall installed on your computer. This helps stop anything from leaving or entering your computer without your permission.

Free Anti Spyware Downloads:

An Antispyware is a great tool that can help remove infections along side your Anti Virus. Some include real time protection, scheduled scans and automatic definition updates.

Free Anti Virus Downloads:

A must have for all computers. Avast! recommended.

Other Free Tools:

  • SpywareGuard
    Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd
    This tool puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Memtest86
    Great memory testing software.
  • CPU-Z
    This application gives detailed information about your system in a nice layout
  • Speedfan
    Returns and monitors system temperatures.
  • Windows Updates
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Useful Reading:

Slow Computer? HERE are some tips to speed it up.

Where do infections come from? How did I get an infection? Click HERE for some tips on preventing future infections.

If you have any other problems or questions be sure to ask. :)

Share this post


Link to post
Share on other sites

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.