Win32.Trojan.RX

[ThePaper88]

Hello everyone,

I'm having an issue with a Trojan virus I believe. It's called Win32.Trojan.RX

I've used SpybotS&D, Ad-Aware and "Avast!" to try and solve the problem, but it doesn't seem to want to go away (if I'm even getting rid of it to begin with.) It seemed to have also locked me out of my own Task Manager and probably changed some other settings. When I try to get into my task manager it says "Task Manager has been disabled by your administrator." The issue with that is, I am the only admin on my laptop.

Avast detected something in the memory and wanted to do a boot-scan, however when tried to accept it said something along the lines of "Lacking Permission" meaning that I wasn't allowed to schedule a system boot.

Recently, I've been getting a lot of spam to my e-mail address, (10 or so a day) which has never happed before in the 4 years of having this e-mail address.

If theres a way to eradicate this issue once and for all without having to reformat (which I'm sure there is.) you would have my most sincerest gratitude.

If there is any other additional information you may require, please let me know and I will be willing to comply.

[ThePaper88]

Quote:

Originally Posted by Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 7:09:58 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\idleserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\uvnx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\sysrlb32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Documents and Settings\The Paper (Host)\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Hgni_BHO - {888826A1-3C63-4687-8696-482FDBB129DF} - C:\WINDOWS\system32\hgni_ecol.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [uvnx] c:\windows\system32\uvnx.exe
O4 - HKLM\..\Run: [SpyAway] C:\Program Files\SpyAway\spyaway.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\THEPAP~1\LOCALS~1\Temp\winlogon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

This is the Hijackthis log... I think I did everything correctly according to the tutorial.

[Sempurna]

Hi ThePaper88,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, let’s do this first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Hgni_BHO - {888826A1-3C63-4687-8696-482FDBB129DF} - C:\WINDOWS\system32\hgni_ecol.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O4 - HKLM\..\Run: [uvnx] c:\windows\system32\uvnx.exe


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download OTMoveIt by OldTimer:

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  C:\windows\system32\uvnx.exe
  C:\WINDOWS\sysrlb32.exe
  C:\WINDOWS\system32\hgni_ecol.dll
  C:\WINDOWS\system32\msnhlp32.dll
  
  
• Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
• Click the red MoveIt! button.
• Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
• Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

Please go to: VirusTotal

• At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:
  
  C:\WINDOWS\system32\tmrsrv32.exe
  
  
• Click "Open".
• Then click the "Send" button at the top of the VirusTotal page.
• This will scan the file. Please be patient.
• Once scanned, copy and paste the results in your next reply together with a new HijackThis log.

Then please do the same as above for the following files:

C:\WINDOWS\system32\idleserv.exe


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:

1. Run the CCleaner installer.
2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
3. Once installed, run CCleaner and click the Windows tab.
4. Select the following:
   • Check everything under the Internet Explorer section.
   • Check everything under the Windows Explorer section.
   • Check everything under the System section.
   • Check ONLY Old Prefetch data under the Advanced section.
5. Then, click the Applications tab:
   • UNCHECK everything there.
6. Next, click the Options button, then click the Advanced button:
   • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

• Save it to your desktop.
• Double-click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Panda ActiveScan:

1. Once you are on the Panda site click the "Scan your PC" button located at the bottom of the page.
2. A new window will open... click the "Check Now" button.
3. Enter your Country.
4. Enter your State/Province.
5. Enter your e-mail address.
6. Select either Home User or Company.
7. Click the big "Free Online Scan" button.
8. If it wants to install an ActiveX component allow it.
9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
10. When the download is complete, click on "Local Disks" to start the scan.
11. When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.

NEXT:

Please do an online scan with Kaspersky Online Scanner:

1. Click on Kaspersky Online Scanner.
2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
3. The program will launch and then begin downloading the latest definition files.
4. Once the files have been downloaded click on Next.
5. Now click on Scan Settings.
6. In the scan settings make sure that the following are selected:
   • Scan using the following Anti-Virus database:
     Extended
   • Scan Options:
     Scan Archives
     Scan Mail Bases
7. Click OK.
8. Now under select a target to scan:
   • Select My Computer.
9. This program will start and scan your system.
10. The scan will take a while so be patient and let it run.
11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
12. Save the file to your desktop.
13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

1. The results report from OTMoveIt.
2. The reports from VirusTotal.
3. The log from the ComboFix scan.
4. The log from the Panda scan.
5. The log from the Kaspersky scan.
6. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

[ThePaper88]

Thank you for the welcoming!

I completely understand, and I greatly appreciate your time. Yes, I'm still have malware issues and it seems to get worse with time, like a deadly disease.


After running Combofix, it restarted my computer unexpectedly and I lost the first OTMoveit results. So I re-ran it and this is what I came up with.

Quote:

File/Folder C:\windows\system32\uvnx.exe not found.
File/Folder C:\WINDOWS\sysrlb32.exe not found.
File/Folder C:\WINDOWS\system32\hgni_ecol.dll not found.
C:\WINDOWS\system32\msnhlp32.dll unregistered successfully.
C:\WINDOWS\system32\msnhlp32.dll moved successfully.

Created on 04/25/2007 17:09:49

Quote:

"The Paper (Host)" - 07-04-25 17:00:18 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\The Paper (Host)\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\1036.exe
C:\WINDOWS\system32\7084.exe
C:\WINDOWS\764.exe
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\winhp32.exe
C:\WINDOWS\system32\bfmoxrnvva_navps.dat
C:\WINDOWS\system32\bfmoxrnvva.exe
C:\WINDOWS\system32\bfmoxrnvva.dat
C:\WINDOWS\system32\msvcrl.dll


((((((((((((((((((((((((((((((( Files Created from 2007-03-25 to 2007-04-25 ))))))))))))))))))))))))))))))))))


2007-04-25 16:41 <DIR> d-------- C:\Program Files\CCleaner
2007-04-25 16:14 18,432 --a------ C:\WINDOWS\sysrlb32.exe
2007-04-25 15:59 32,512 --a------ C:\WINDOWS\Biprep.exe
2007-04-25 15:59 31,232 --a------ C:\WINDOWS\mssvr.exe
2007-04-25 15:59 16,128 --a------ C:\WINDOWS\2020search2.dll
2007-04-25 15:59 15,872 --a------ C:\WINDOWS\2020search.dll
2007-04-25 15:59 13,312 --a------ C:\WINDOWS\bi.dll
2007-04-25 08:08 10,756 --a------ C:\WINDOWS\loader.exe
2007-04-24 17:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-23 23:31 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-04-23 23:31 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-04-23 23:31 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-04-23 23:31 <DIR> d-------- C:\Program Files\Alwil Software
2007-04-23 19:13 <DIR> d-------- C:\Program Files\SpyAway
2007-04-23 06:49 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-04-23 06:26 31,232 --a------ C:\WINDOWS\vxddsk.exe
2007-04-23 06:26 30,208 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-04-23 06:26 29,696 --a------ C:\WINDOWS\system32\wml.exe
2007-04-23 06:26 28,672 --a------ C:\WINDOWS\wml.exe
2007-04-23 06:26 26,368 --a------ C:\WINDOWS\satmat.exe
2007-04-23 06:26 16,128 --a------ C:\WINDOWS\SUSP.exe
2007-04-23 06:26 12 --a------ C:\WINDOWS\system32\sl.bin
2007-04-23 06:25 9,728 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-04-23 06:25 81,412 --a------ C:\WINDOWS\system32\idleserv.exe
2007-04-23 06:25 32,256 --a------ C:\WINDOWS\stcloader.exe
2007-04-23 06:25 31,488 --a------ C:\WINDOWS\salm.exe
2007-04-23 06:25 30,976 --a------ C:\WINDOWS\updatetc.exe
2007-04-23 06:25 30,976 --a------ C:\WINDOWS\saiemod.dll
2007-04-23 06:25 29,952 --a------ C:\WINDOWS\cdsm32.dll
2007-04-23 06:25 29,696 --a------ C:\WINDOWS\mspphe.dll
2007-04-23 06:25 28,416 --a------ C:\WINDOWS\flt.dll
2007-04-23 06:25 28,160 --a------ C:\WINDOWS\bjam.dll
2007-04-23 06:25 26,624 --a------ C:\WINDOWS\7search.dll
2007-04-23 06:25 24,832 --a------ C:\WINDOWS\180ax.exe
2007-04-23 06:25 20,480 --a------ C:\WINDOWS\swin32.dll
2007-04-23 06:25 17,664 --a------ C:\WINDOWS\voiceip.dll
2007-04-23 06:25 17,408 --a------ C:\WINDOWS\system32\tmrsrv32.exe
2007-04-23 06:25 16,896 --a------ C:\WINDOWS\pbar.dll
2007-04-23 06:25 13,312 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-04-23 06:25 12,800 --a------ C:\WINDOWS\system32\user_32.dll
2007-04-23 06:25 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-04-23 06:25 10,752 --a------ C:\WINDOWS\bokja.exe
2007-04-23 06:25 0 --a------ C:\WINDOWS\system32\msnhlp32.dll
2007-04-22 15:54 155,648 --a------ C:\WINDOWS\mgrab.exe
2007-04-20 11:55 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-04-20 11:55 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-04-18 09:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-18 09:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-18 09:58 <DIR> d-------- C:\DOCUME~1\THEPAP~1\APPLIC~1\Lavasoft
2007-04-15 17:02 36,864 --a------ C:\WINDOWS\ul.exe
2007-04-12 15:12 0 --a------ C:\WINDOWS\system32\692D963F.exe
2007-04-12 11:48 80,384 --a------ C:\WINDOWS\installer.exe
2007-04-09 16:09 <DIR> d-------- C:\DOCUME~1\THEPAP~1\havenROp
2007-04-08 14:18 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-04-08 14:18 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-04-08 14:18 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-04-08 14:18 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-04-08 14:18 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-04-08 14:18 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-04-08 14:18 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-04-08 14:18 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-04-08 14:18 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-08 14:18 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-04-08 14:15 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-04-08 13:26 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-04-08 13:18 <DIR> d-------- C:\Program Files\Lineage II
2007-04-06 20:07 248,988 --a------ C:\WINDOWS\system32\bfmoxrnvva_nav.dat
2007-04-03 19:24 <DIR> d-------- C:\DOCUME~1\THEPAP~1\APPLIC~1\Ventrilo
2007-04-03 19:23 <DIR> d-------- C:\Program Files\Ventrilo
2007-04-03 19:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-03 13:43 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-04-03 13:05 <DIR> d-------- C:\Dell
2007-04-03 12:00 <DIR> d-------- C:\Program Files\ATI Technologies
2007-04-03 11:59 <DIR> d-------- C:\ATI
2007-04-03 10:12 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-03 10:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-03 09:02 <DIR> d-------- C:\Program Files\Silkroad
2007-03-28 00:43 <DIR> d-------- C:\Program Files\Neat Image


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required
Rootkit driver pe386 is present. ... attempting disinfection
msguard ...... driver unloaded successfully.
ADS removed - system32: deleted 78070 bytes in 1 streams.

2007-04-25 16:54 -------- d-------- C:\DOCUME~1\THEPAP~1\APPLIC~1\skype
2007-04-18 14:01 -------- d-------- C:\Program Files\mirc
2007-04-08 13:18 -------- d--h----- C:\Program Files\installshield installation information
2007-03-23 17:31 1423 --a------ C:\WINDOWS\mozver.dat
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-08 06:14 -------- d-------- C:\DOCUME~1\THEPAP~1\APPLIC~1\vlc
2007-03-08 05:28 -------- d-------- C:\Program Files\videolan
2007-01-29 15:49 65536 --a------ C:\WINDOWS\ifinst27.exe
2007-01-25 21:19 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-25 21:19 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-25 21:19 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-25 21:19 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-25 21:19 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-25 21:18 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-25 21:18 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-25 21:13 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-25 21:13 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-25 21:13 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-25 21:13 738906 --a------ C:\WINDOWS\system32\divx.dll
2007-01-25 21:13 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-25 21:13 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-25 21:13 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-25 21:13 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-01-25 21:13 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-25 21:13 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-25 21:13 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-25 21:13 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-25 18:15 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-25 16:56 0 -rahs---- C:\MSDOS.SYS
2007-01-25 16:56 0 -rahs---- C:\IO.SYS
2007-01-25 16:56 0 --a------ C:\CONFIG.SYS
2007-01-25 16:56 0 --a------ C:\AUTOEXEC.BAT
2007-01-25 16:52 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-01-24 18:58 62 --ahs---- C:\DOCUME~1\THEPAP~1\APPLIC~1\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SpyAway"="C:\\Program Files\\SpyAway\\spyaway.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\Setup]
"Registrando Panda ActiveX"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\as.dll"
"Registrando Panda Almacen"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\pavpz.dll"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-25 17:05:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-25 17:07:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-25 17:07

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 5:56:37 PM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\idleserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Documents and Settings\The Paper (Host)\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpyAway] C:\Program Files\SpyAway\spyaway.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

List:

1. The results report from OTMoveIt. [x]
2. The reports from VirusTotal. [x]
3. The log from the ComboFix scan. [x]
4. The log from the Panda scan. [Error]
5. The log from the Kaspersky scan. [Error]
6. A new HijackThis log. [x]

I couldn't run the Panda Scan, or the Kasperky Lab Scan. For some reason my Internet Explorer isn't working "because msvcl.dll was not found" or some such. When I try to install Internet Explorer 7 my computer goes to a blue screen then reboots. I hope those last two scans do not hinder the process of my CPU's recovery.

[Sempurna]

Hi ThePaper88,

You’re most welcome, ThePaper88.

OK, here’s what we do next.

Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

SpyAway


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O4 - HKLM\..\Run: [SpyAway] C:\Program Files\SpyAway\spyaway.exe


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please run OTMoveIt and quarantine the following files/folders (please also remember to copy the Results report and paste it in your next reply for me to see):

C:\WINDOWS\system32\msnhlp32.dll
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\idleserv.exe
C:\WINDOWS\sysrlb32.exe
C:\WINDOWS\Biprep.exe
C:\WINDOWS\mssvr.exe
C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search.dll
C:\WINDOWS\bi.dll
C:\WINDOWS\loader.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\SUSP.exe
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\system32\idleserv.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\7search.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\voiceip.dll
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\system32\user_32.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\bokja.exe
C:\WINDOWS\system32\msnhlp32.dll
C:\WINDOWS\mgrab.exe
C:\WINDOWS\ul.exe
C:\WINDOWS\system32\692D963F.exe
C:\WINDOWS\installer.exe
C:\WINDOWS\system32\bfmoxrnvva_nav.dat
C:\WINDOWS\ifinst27.exe
C:\Program Files\SpyAway


NEXT:

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

Code:

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.


NEXT:

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download Dr.Web CureIt and save it to your desktop:

Next, please reboot your computer into Safe Mode by doing the following:

• Reboot your computer.
• After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
• Instead of Windows loading as normal, a menu should appear.
• Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.

Now scan with Dr.Web CureIt:

• Double-click the drweb-cureit.exe file. It will then suggest to run an "Express Scan" -- this you should allow.
• After this (Dr.Web writes "Done" at the bottom left), you click "Options" menu -> "Change settings".
• Choose the "Scan" tab, uncheck the mark at "Heuristic analysis".
• Choose the "Actions" tab, and choose "Rename" under all the "Malware" issues. Then click "OK".
• Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).
• Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, you click "Yes to All", and it will after this automatically fix what is found.
• After the scan, go to the "View" menu -> "Report list".
• Then go to the "File" menu -> "Save report list".
• Save the report to your desktop. The report will be called DrWeb.csv. Copy and paste the contents of the report in your next reply.
• Close Dr.Web CureIt.
• REBOOT your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

1. The results report from OTMoveIt.
2. The log from the Dr.Web CureIt scan.
3. A new ComboFix log.
4. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

[ThePaper88]

I had to run the OTmove it again after the new process you gave me to follow since it rebooted my CPU and I didn't get a chance to save the old one. I'm also assuming what you meant by "quarantine" was to use the "clean up" feature. (Geez, I hope so.)

[/quote]File/Folder C:\avenger.zip not found.
File/Folder C:\Avenger not found.
File/Folder C:\avenger.txt not found.
File/Folder C:\bfu.zip not found.
File/Folder C:\BFU not found.
File/Folder C:\combofix.exe not found.
File/Folder C:\QooBox not found.
C:\ComboFix*.txt moved successfully.
C:\ComboFix*.txt moved successfully.
C:\Documents and Settings\The Paper (Host)\Desktop\ComboFix*.txt moved successfully.
C:\WINDOWS\ComboFix*.txt moved successfully.
C:\WINDOWS\system32\ComboFix*.txt moved successfully.
C:\WINDOWS\system32\drivers\ComboFix*.txt moved successfully.
File/Folder C:\catchme.exe not found.
File/Folder C:\nircmd.exe not found.
File/Folder C:\swreg.exe not found.
File/Folder C:\Swxcacls.exe not found.
File/Folder C:\Swsc.exe not found.
File/Folder C:\dss.exe not found.
File/Folder C:\Deckard not found.
File/Folder C:\FindAWF.exe not found.
File/Folder C:\AWF.txt not found.
File/Folder C:\fixwareout.exe not found.
File/Folder C:\fixwareout not found.
File/Folder C:\fsbl.exe not found.
C:\fsbl*.log moved successfully.
C:\fsbl*.log moved successfully.
C:\Documents and Settings\The Paper (Host)\Desktop\fsbl*.log moved successfully.
C:\WINDOWS\fsbl*.log moved successfully.
C:\WINDOWS\system32\fsbl*.log moved successfully.
C:\WINDOWS\system32\drivers\fsbl*.log moved successfully.
File/Folder C:\gmer.exe not found.
File/Folder C:\gmer.dll not found.
File/Folder C:\gmer.ini not found.
File/Folder C:\gmer.log not found.
File/Folder C:\gmer_uninstall.cmd not found.
File/Folder C:\gmer.sys not found.
Unable to delete service gmer.
File/Folder C:\haxfix.exe not found.
File/Folder C:\haxfix.txt not found.
File/Folder C:\killbox.exe not found.
File/Folder C:\!Killbox not found.
File move failed. C:\Documents and Settings\The Paper (Host)\Desktop\OTMoveIt.exe scheduled to be moved on reboot.
File/Folder C:\_OTMoveIt not found.
File/Folder C:\rustbfix.exe not found.
File/Folder C:\Rustbfix not found.
File/Folder C:\sdfix.exe not found.
File/Folder C:\SDFix not found.
File/Folder C:\SmitfraudFix.exe not found.
File/Folder C:\SmitfraudFix not found.
File/Folder C:\rapport.txt not found.
File/Folder C:\SysInsite not found.
File/Folder C:\VundoFix.exe not found.
File/Folder C:\VundoFix Backups not found.
File/Folder C:\vundofix.txt not found.
File/Folder C:\win32delfkil.exe not found.
File/Folder C:\_backupD not found.
File/Folder C:\windelf.txt not found.
File/Folder C:\winpfind.exe not found.
File/Folder C:\WinPfind not found.
File/Folder C:\winpfind3u.exe not found.
File/Folder C:\WinPFind3u not found.
C:\cleanup.txt moved successfully.
File move failed. C:\Documents and Settings\The Paper (Host)\Desktop\OTMoveIt.exe scheduled to be moved on reboot.[/quote]

Quote:

AdobeUpdater.exe;C:\Program Files\Common Files\Adobe\Updater;Win32.Grum;Cured.;
iexplore.exe;C:\Program Files\Internet Explorer;Trojan.PWS.GoldSpy;Deleted.;
msvcrl.dll.vir;C:\RECYCLER\S-1-5-21-1292428093-1383384898-839522115-1005\Dc3;Trojan.PWS.GoldSpy;Deleted.;
A0039095.exe;C:\System Volume Information\_restore{1CBE8F2F-64D2-4188-9ECF-B526622E2B48}\RP100;Trojan.DownLoader.21675;Deleted.;
A0040086.exe;C:\System Volume Information\_restore{1CBE8F2F-64D2-4188-9ECF-B526622E2B48}\RP100;Trojan.DownLoader.21092;Incurable.Moved.;
A0042115.dll;C:\System Volume Information\_restore{1CBE8F2F-64D2-4188-9ECF-B526622E2B48}\RP101;Trojan.PWS.GoldSpy;Deleted.;
A0042116.exe;C:\System Volume Information\_restore{1CBE8F2F-64D2-4188-9ECF-B526622E2B48}\RP101;Trojan.PWS.Tanspy;Incurable.Moved.;
A0043139.dll;C:\System Volume Information\_restore{1CBE8F2F-64D2-4188-9ECF-B526622E2B48}\RP101;Trojan.PWS.GoldSpy;Deleted.;
A0047166.exe;C:\System Volume Information\_restore{1CBE8F2F-64D2-4188-9ECF-B526622E2B48}\RP102;Win32.Grum;Cured.;
A0047167.exe;C:\System Volume Information\_restore{1CBE8F2F-64D2-4188-9ECF-B526622E2B48}\RP102;Trojan.PWS.GoldSpy;Deleted.;
installer.exe;C:\WINDOWS;Trojan.PWS.Tanspy;Incurable.Moved.;
loader.exe;C:\WINDOWS;Trojan.DownLoader.21675;Deleted.;
update2.html;C:\WINDOWS;Trojan.PWS.Tanspy;Incurable.Moved.;

A strange error occurred when I tried to run the ComboFix program. It rebooted my computer and was processing the log, then my computer went into a blue screen and rebooted. In the end I was never able to receive the log.

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 08:16, on 07-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Documents and Settings\The Paper (Host)\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Also, is it just me or does it seem like the things you're having me delete in the "Hijackthis" program are returning? That or they just all look alike...

[Sempurna]

Hi ThePaper88,

Sorry for the confusion on what to do with OTMoveIt. My bad.

Could you run OTMoveIt again, but this time use the red MoveIt! button on the list of files/folders to delete. Please also remember to copy the Results report and paste it in your next reply for me to see.


NEXT:

Please delete your current copy of ComboFix.

Then please delete this folder, C:\ComboFix.

Now download a new copy of ComboFix and run the tool and see if it works. If it does, please copy the log and paste it in your next reply along with the results report from OTMoveIt and a new HijackThis log.

p.s. Yes, it does seem that some of the entries are returning. They are mostly harmless, but we’ll look at them later.

[ThePaper88]

Haha, don't worry about it. I probably should have known it was "move" and not "clean". I can't complain at all because of how wonderfully this is working. A lot of the errors seem to have ceased, I can even get into my Task manager! However it also seems like some settings have reset? For instance my clock is back on the default military time setting; I don't have a problem with this, just thought it was kind of cool how that works. lol

ComboFix seems to make my "AntiVir" program angry; It's accusing it of being a Virus or something.

Quote:

C:\WINDOWS\system32\msnhlp32.dll unregistered successfully.
C:\WINDOWS\system32\msnhlp32.dll moved successfully.
C:\WINDOWS\system32\tmrsrv32.exe moved successfully.
C:\WINDOWS\system32\idleserv.exe moved successfully.
C:\WINDOWS\sysrlb32.exe moved successfully.
C:\WINDOWS\Biprep.exe moved successfully.
C:\WINDOWS\mssvr.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search2.dll NOT unregistered.
C:\WINDOWS\2020search2.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search.dll NOT unregistered.
C:\WINDOWS\2020search.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\bi.dll
C:\WINDOWS\bi.dll NOT unregistered.
C:\WINDOWS\bi.dll moved successfully.
File/Folder C:\WINDOWS\loader.exe not found.
C:\WINDOWS\system32\stfv.bin moved successfully.
C:\WINDOWS\vxddsk.exe moved successfully.
C:\WINDOWS\system32\vxddsk.exe moved successfully.
C:\WINDOWS\satmat.exe moved successfully.
C:\WINDOWS\SUSP.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\system32\MSIXU.DLL NOT unregistered.
C:\WINDOWS\system32\MSIXU.DLL moved successfully.
File/Folder C:\WINDOWS\system32\idleserv.exe not found.
C:\WINDOWS\stcloader.exe moved successfully.
C:\WINDOWS\salm.exe moved successfully.
C:\WINDOWS\updatetc.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\saiemod.dll
C:\WINDOWS\saiemod.dll NOT unregistered.
C:\WINDOWS\