Old 01-29-2008, 11:28 PM   #1
vicky612 (HJT Trainee)
Join Date: Jan 2008
Location: Brisbane, Australia
Posts: 134
OS: XP SP2

Problems with task manager, dos prompt and pop up

Hi, I followed all your instructions as posted on the website.
I currently have 3 problems, as follows:

1. I can't access my task manager, which I believe has something to do with a virus. It is greyed out when I right-click on the taskbar, and it says 'task manager has been disabled by your administrator' when I press Ctrl+Alt+Del.

2. I can't open my DOS prompt. I have no idea what the cause is. I tried to fix that using HijackThis and somehow managed to find the registry entry saying regedit is disabled, so I tried to fix it using HijackThis, but it stored a backup file in my HijackThis which I don't know how to delete.

3. There is this window that pops up frequently; it has the name CiD (in the top left corner of Explorer) followed by the area the pop-up relates to, e.g. CiD: car, CiD: music, etc.

Here is the log, and I have attached the ActiveScan from Panda and extra.txt. Please help me resolve this problem.


Deckard's System Scanner v20071014.68
Run by Eva sucks on 2008-01-30 15:42:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-30 05:42:06 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Eva sucks.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:05 PM, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eva sucks\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Eva sucks.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Way dvd] C:\DOCUME~1\EVASUC~1\APPLIC~1\TWOROA~1\sign meet.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?104e68fe1fe0480ab6b3929fdfd62a4a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?104e68fe1fe0480ab6b3929fdfd62a4a
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/s...wserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe

--
End of file - 7317 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080130-113236-828 F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"
backup-20080130-115138-286 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080130-122515-696 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
backup-20080130-122547-240 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080130-123827-189 O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
backup-20080130-123827-826 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
backup-20080130-124256-695 O4 - HKCU\..\Run: [Way dvd] C:\DOCUME~1\EVASUC~1\APPLIC~1\TWOROA~1\sign meet.exe
backup-20080130-124426-823 O4 - HKLM\..\Run: [Loud Idol Setup Grid] C:\Documents and Settings\All Users\Application Data\4 Curb Loud Idol\Link Idle.exe
backup-20080130-131217-301 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080130-131327-960 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080130-133110-407 O4 - HKCU\..\Run: [Way dvd] C:\DOCUME~1\EVASUC~1\APPLIC~1\TWOROA~1\sign meet.exe

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*
.vbs - VBSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; ; Bluetooth Software 1.3.2.7>
R3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
R3 PavSRK.sys - c:\windows\system32\pavsrk.sys (file missing)
R3 PavTPK.sys - c:\windows\system32\pavtpk.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\PORTS\0008
Manufacturer:
Name:
PNP Device ID: ROOT\PORTS\0008
Service:

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\PORTS\0009
Manufacturer:
Name:
PNP Device ID: ROOT\PORTS\0009
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-01-30 15:00:06 280 --ah----- C:\WINDOWS\Tasks\A467B05091882244.job
2008-01-30 11:03:02 418 --a------ C:\WINDOWS\Tasks\At1.job


-- Files created between 2007-12-30 and 2008-01-30 -----------------------------

2008-01-30 15:32:51 0 d-------- C:\ie-spyad_zo
2008-01-30 15:31:53 0 d-------- C:\Program Files\SpywareBlaster
2008-01-30 15:16:34 0 d-------- C:\Program Files\DivX
2008-01-30 14:45:48 8576 --a------ C:\WINDOWS\system32\drivers\ixxlpmkugsuu.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-30 14:42:15 8576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-30 14:31:52 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-30 14:31:50 0 d-------- C:\WINDOWS\LastGood
2008-01-30 13:34:06 0 d-------- C:\!KillBox
2008-01-30 11:30:15 0 d-------- C:\Program Files\Trend Micro
2008-01-30 00:44:11 0 d-------- C:\WINDOWS\system32\PreInstall
2008-01-30 00:44:08 0 d--h----- C:\WINDOWS\$hf_mig$
2008-01-29 23:57:36 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-29 23:01:48 96 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2008-01-29 22:58:30 0 d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-01-29 22:54:10 281 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-01-29 22:54:05 225404 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-01-29 22:53:39 0 d-------- C:\WINDOWS\system32\PAV
2008-01-29 22:53:28 101888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL <Not Verified; Panda Software; SYSTOOLS>
2008-01-29 22:53:27 0 d-------- C:\Program Files\Panda Security
2008-01-29 22:51:33 0 d-------- C:\Program Files\Common Files\Panda Software
2008-01-29 19:28:20 12696 --a------ C:\WINDOWS\smss.dll
2008-01-29 19:27:22 0 d--hs---- C:\FOUND.007
2008-01-29 08:58:41 0 d-------- C:\WINDOWS\system32\LogFiles
2008-01-28 22:51:11 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-28 22:24:16 0 d-------- C:\Documents and Settings\All Users\Application Data\4 Curb Loud Idol
2008-01-28 22:23:37 0 d-------- C:\Program Files\Two roam download
2008-01-28 22:18:26 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-28 21:01:51 12697 --a------ C:\WINDOWS\smsss.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-29 22:47:58 7 ---hs---- C:\AUTOEXEC.BAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [20/06/2003 09:55 PM C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/06/2003 12:34 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/06/2003 12:34 PM]
"AGRSMMSG"="AGRSMMSG.exe" [23/06/2003 12:35 PM C:\WINDOWS\AGRSMMSG.exe]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [30/07/2004 11:04 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [18/08/2006 02:34 AM]
"Bron-Spizaetus"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [30/08/2006 12:17 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [14/06/2006 04:24 PM]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.exe" [19/07/2007 03:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/08/2004 01:06 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [28/03/2007 04:00 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
"Way dvd"="C:\DOCUME~1\EVASUC~1\APPLIC~1\TWOROA~1\sign meet.exe" [28/01/2008 10:23 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Tok-Cirrhatus"=
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [21/02/2003 10:12:04 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 10:05:26 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableCMD"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"hx-1"=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"C:\WINDOWS\sembako-cmzjlii.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 15/02/2007 08:02 PM 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.com]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NOD32.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.com]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREng.EXE]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a537800-19cd-11dc-bad4-0080bdc141b2}]
Auto\command- F:\WIn.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL WIn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3100a0-4426-11dc-bae9-0080bd2e51f3}]
Auto\command- F:\OSO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df65300-802d-11db-b9fe-0080bde30473}]
Auto\command- F:\WIn.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL WIn.exe

*Newly Created Service* - COMFILTR
*Newly Created Service* - IXXLPMKUGSUU
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK



-- End of Deckard's System Scanner: finished at 2008-01-30 15:43:59 ------------
Attached Files
File Type: txt Activescan.txt (1.8 KB, 0 views)
File Type: txt extra.txt (12.9 KB, 2 views)

Last edited by vicky612 : 01-29-2008 at 11:31 PM.
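The log above shows several patterns a log reader looks for first: the Winlogon Shell value extended beyond Explorer.exe, O7 policy restrictions (the disabled Task Manager and regedit), Run entries launching from Application Data, an orphaned BHO, and the Image File Execution Options Debugger redirections for security tools. The following is an added triage example written for readers of this thread; it is not code from the forum, HijackThis or DSS. The sample text is constructed from lines in the logs posted here, and the "user data directory" heuristic is an assumption of the example.

```python
"""Triage a HijackThis / Deckard's System Scanner log for the persistence and
restriction patterns seen in this thread.  Added example, not the forum's or
HijackThis' own code; rule names and the sample text below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    rule: str     # short rule identifier
    detail: str   # human-readable explanation
    line: str     # the log line (or reconstructed value) that triggered it


# Run entries launching from a profile's Application Data (or All Users'
# Application Data) are uncommon for legitimate software; this is an assumption.
USER_DATA_HINTS = ("APPLIC~1", "APPLICATION DATA")

IFEO_KEY_RE = re.compile(r"^\[.*\\image file execution options\\([^\]\\]+)\]\s*$", re.I)
SHELL_RE = re.compile(r"^F[02] - .*?Shell=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+),\s*(?P<value>\w+)=(?P<data>\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<file>.*)$", re.I)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious entry; IFEO hijacks are grouped per debugger path."""
    findings: List[Finding] = []
    ifeo: Dict[str, List[str]] = {}   # debugger path -> programs redirected to it
    current_ifeo = None               # program named by the last IFEO key header
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IFEO_KEY_RE.match(line)
        if m:
            current_ifeo = m.group(1)
            continue
        if current_ifeo and line.lower().startswith("debugger="):
            ifeo.setdefault(line.split("=", 1)[1].strip(), []).append(current_ifeo)
            current_ifeo = None
            continue
        current_ifeo = None           # anything else closes the IFEO key block
        m = SHELL_RE.match(line)
        if m:
            value = m.group(1).strip()
            if value.lower() != "explorer.exe":
                findings.append(Finding("winlogon-shell",
                                        f"Shell is {value!r}; expected exactly 'Explorer.exe'", line))
            continue
        m = O7_RE.match(line)
        if m:
            findings.append(Finding("policy-restriction",
                                    f"{m['value']}={m['data']} set under {m['key']}", line))
            continue
        m = O4_RE.match(line)
        if m and any(h in m["cmd"].upper() for h in USER_DATA_HINTS):
            findings.append(Finding("startup-from-user-data",
                                    f"Run entry [{m['name']}] launches from a user data directory", line))
            continue
        m = BHO_RE.match(line)
        if m and m["file"].strip().lower() == "(no file)":
            findings.append(Finding("orphaned-bho",
                                    f"BHO {m['name']} has no backing file (leftover registration)", line))
    for debugger, programs in ifeo.items():
        findings.append(Finding("ifeo-debugger",
                                f"{len(programs)} program(s) redirected to {debugger}: {', '.join(programs)}",
                                f"Debugger={debugger}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for a quick first read of a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: a few lines in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Way dvd] C:\DOCUME~1\EVASUC~1\APPLIC~1\TWOROA~1\sign meet.exe
O4 - HKLM\..\Run: [Loud Idol Setup Grid] C:\Documents and Settings\All Users\Application Data\4 Curb Loud Idol\Link Idle.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Feeding the complete DSS registry dump from this thread to `triage` collapses the thirty-odd IFEO keys into a single finding naming every redirected program, which is the quickest way to see that one file is shadowing all of the security tools.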
Old 02-03-2008, 03:47 AM   #2
Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Oct 2006
Posts: 3,045
OS: XP

Re: Problems with task manager, dos prompt and pop up

Hi, welcome to TSF!

If you still need assistance, please post a fresh main.txt log.
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 02-04-2008, 08:27 AM   #3
vicky612 (HJT Trainee)
Join Date: Jan 2008
Location: Brisbane, Australia
Posts: 134
OS: XP SP2

Re: Problems with task manager, dos prompt and pop up

Here is a fresh main.txt log.

The problems with my laptop:
1. I can't access my task manager, which I believe has something to do with a virus. It is greyed out when I right-click on the taskbar, and it says 'task manager has been disabled by your administrator' when I press Ctrl+Alt+Del.

2. I can't open the DOS prompt to edit the registry. I have no idea what the cause is. I tried to fix that using HijackThis and somehow managed to find the registry entry saying regedit is disabled, so I tried to fix it using HijackThis, but it stored a backup file in my HijackThis which I don't know how to delete.

3. There is this window that pops up frequently; it has the name CiD (in the top left corner of Explorer) followed by the area the pop-up relates to, e.g. CiD: car, CiD: music, etc.


Deckard's System Scanner v20071014.68
Run by Eva sucks on 2008-02-05 01:16:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Eva sucks.exe) -------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-05 01:16:21
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PAVSRV51.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrlS.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\FIREWALL\PSHost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WEBPROXY.EXE
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Eva sucks\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Eva sucks.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F0 - system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\mpcodecplg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Way dvd] C:\DOCUME~1\EVASUC~1\APPLIC~1\TWOROA~1\sign meet.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: WordWeb.lnk = ?
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?104e68fe1fe0480ab6b3929fdfd62a4a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?104e68fe1fe0480ab6b3929fdfd62a4a
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/s...wserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrlS.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PAVSRV51.EXE
O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\FIREWALL\PSHost.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe


--
End of file - 10657 bytes

-- Files created between 2008-01-05 and 2008-02-05 -----------------------------

2008-02-02 18:29:43 0 d-------- C:\Documents and Settings\Eva sucks\Application Data\WinRAR
2008-02-02 17:29:00 0 d--hs---- C:\FOUND.008
2008-01-31 18:46:51 0 d-------- C:\Documents and Settings\Eva sucks\Application Data\BitTorrent
2008-01-31 18:46:26 0 d-------- C:\Program Files\BitTorrent
2008-01-31 04:23:45 0 d-------- C:\Documents and Settings\Eva sucks\Application Data\WordWeb
2008-01-31 04:22:33 0 d-------- C:\Program Files\WordWeb
2008-01-31 01:40:56 0 d-------- C:\Documents and Settings\Eva sucks\Application Data\DivX
2008-01-30 17:54:43 0 d-------- C:\Program Files\Xi
2008-01-30 17:52:53 0 d-------- C:\Downloads
2008-01-30 17:49:33 0 d-------- C:\Documents and Settings\Eva sucks\Application Data\Free Download Manager
2008-01-30 17:49:28 0 d-------- C:\Program Files\Free Download Manager
2008-01-30 17:49:28 0 d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-01-30 17:31:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-30 15:31:53 0 d-------- C:\Program Files\SpywareBlaster
2008-01-30 15:16:34 0 d-------- C:\Program Files\DivX
2008-01-30 14:31:52 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-30 13:34:06 0 d-------- C:\!KillBox
2008-01-30 11:30:15 0 d-------- C:\Program Files\Trend Micro
2008-01-30 00:44:11 0 d-------- C:\WINDOWS\system32\PreInstall
2008-01-30 00:44:08 0 d--h----- C:\WINDOWS\$hf_mig$
2008-01-29 23:57:36 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-29 23:01:48 144 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2008-01-29 22:58:30 0 d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-01-29 22:54:10 281 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-01-29 22:54:05 250480 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-01-29 22:53:39 0 d-------- C:\WINDOWS\system32\PAV
2008-01-29 22:53:28 101888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL <Not Verified; Panda Software; SYSTOOLS>
2008-01-29 22:53:27 0 d-------- C:\Program Files\Panda Security
2008-01-29 22:51:33 0 d-------- C:\Program Files\Common Files\Panda Software
2008-01-29 19:28:20 12696 --a------ C:\WINDOWS\smss.dll
2008-01-29 19:27:22 0 d--hs---- C:\FOUND.007
2008-01-29 08:58:41 0 d-------- C:\WINDOWS\system32\LogFiles
2008-01-28 22:51:11 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-28 22:24:16 0 d-------- C:\Documents and Settings\All Users\Application Data\4 Curb Loud Idol
2008-01-28 22:23:37 0 d-------- C:\Program Files\Two roam download
2008-01-28 22:18:26 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-28 21:01:51 12697 --a------ C:\WINDOWS\smsss.exe
2008-01-05 07:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-05 07:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-05 07:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-05 07:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 07:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 07:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 07:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 07:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2008-01-31 22:21:54 14 --a------ C:\WINDOWS\popcinfo.dat
2008-01-29 22:47:58 7 ---hs---- C:\AUTOEXEC.BAT
2007-11-18 09:57:44 130048 --a------ C:\WINDOWS\mpcodecplg.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}]
18/11/2007 09:57 AM 130048 --a------ C:\WINDOWS\mpcodecplg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [20/06/2003 09:55 PM C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/06/2003 12:34 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/06/2003 12:34 PM]
"AGRSMMSG"="AGRSMMSG.exe" [23/06/2003 12:35 PM C:\WINDOWS\AGRSMMSG.exe]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [30/07/2004 11:04 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [18/08/2006 02:34 AM]
"Bron-Spizaetus"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [30/08/2006 12:17 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [14/06/2006 04:24 PM]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.exe" [19/07/2007 03:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/10/2004 02:24 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [28/03/2007 04:00 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
"Way dvd"="C:\DOCUME~1\EVASUC~1\APPLIC~1\TWOROA~1\sign meet.exe" [28/01/2008 10:23 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Tok-Cirrhatus"=
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\Eva sucks\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [31/01/2008 4:22:33 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [21/02/2003 10:12:04 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 10:05:26 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableCMD"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"hx-1"=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"C:\WINDOWS\sembako-cmzjlii.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 15/02/2007 08:02 PM 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.com]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NOD32.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.com]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREng.EXE]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a537800-19cd-11dc-bad4-0080bdc141b2}]
Auto\command- F:\WIn.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL WIn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3100a0-4426-11dc-bae9-0080bd2e51f3}]
Auto\command- F:\OSO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df65300-802d-11db-b9fe-0080bde30473}]
Auto\command- F:\WIn.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL WIn.exe




-- End of Deckard's System Scanner: finished at 2008-02-05 01:17:16 ------------

Last edited by vicky612 : 02-04-2008 at 08:39 AM.
Old 02-05-2008, 03:14 AM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 3,045
OS: XP


Re: Problems with task manager, dos prompt and pop up

Hi,

Bittorrent
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

*If you choose to remove those optionals, click start > control panel > add or remove programs > uninstall the optionals.

Delete the following folder if you uninstalled bittorrent:

C:\Program Files\BitTorrent
C:\Documents and Settings\Eva sucks\Application Data\BitTorrent
_______

Download Flash_Disinfector from here and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.
_______

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

F0 - system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_______

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\mpcodecplg.dll
    C:\WINDOWS\smsss.exe
    C:\Program Files\Two roam download
    C:\Documents and Settings\All Users\Application Data\4 Curb Loud Idol
    C:\WINDOWS\smss.dll
    C:\WINDOWS\sembako-cmzjlii.exe
    C:\WINDOWS\system32\drivers\ujrpjk.exe

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}
    HKCU\software\microsoft\windows\currentversion\run\\Way dvd
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Bron-Spizaetus
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus
    HKU\.default\software\microsoft\windows\currentversion\run\\Tok-Cirrhatus
    HKU\.default\software\microsoft\windows\currentversion\policies\system\\DisableRegistryTools
    HKU\.default\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
    HKLM\software\microsoft\windows\currentversion\policies\explorer\\hx-1
    HKCU\software\microsoft\windows\currentversion\policies\explorer\\NoFolderOptions
    HKU\.default\software\microsoft\windows\currentversion\policies\explorer\\NoFolderOptions
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\adam.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\avp.com
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\avp.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\msconfig.com
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\NOD32.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\regedit.com
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\SREng.EXE
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp
    HKLM\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe
    HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a537800-19cd-11dc-bad4-0080bdc141b2}
    HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3100a0-4426-11dc-bae9-0080bd2e51f3}
    HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df65300-802d-11db-b9fe-0080bde30473}

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
_______

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems
_______

I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path in to the box.

C:\WINDOWS\system32\drivers\wnmsav.dat

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.

On your next reply, please include a
  • Fresh main.txt
  • eset scan log
  • otmoveit log
  • jotti scan log
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777 : 02-05-2008 at 03:15 AM.
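The registry dump posted above shows the four techniques the fix list in this reply targets: Image File Execution Options "Debugger" values that redirect security tools to a malware binary, a Winlogon "Shell" with an extra executable appended to Explorer.exe, DisableTaskMgr/DisableRegistryTools policies, and mountpoints2 autorun commands for a removable drive. The following is an added example, not a tool from this thread or from the HijackThis/OTMoveIt/DSS authors: a Python script that parses a dump in Deckard's "Registry Dump" format and flags those patterns. SAMPLE_DUMP is constructed from lines in the posted log, and the list of legitimate debuggers is an assumed allowlist.

```python
import re

# Constructed sample in the format of Deckard's System Scanner's "Registry Dump" section.
# Entries are taken from the log posted in this thread, plus one benign IFEO entry
# (notepad.exe -> ntsd) to show that a legitimate debugger is not flagged.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)
"DisableTaskMgr"=1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"C:\WINDOWS\sembako-cmzjlii.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe]
Debugger=C:\WINDOWS\system32\drivers\ujrpjk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
Debugger=ntsd -d
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a537800-19cd-11dc-bad4-0080bdc141b2}]
Auto\command- F:\WIn.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL WIn.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
ASSIGN_RE = re.compile(r'^"?([^"=]+?)"?\s*=\s*(.*)$')   # "Name"=value  or  Name=value
ARROW_RE = re.compile(r"^([A-Za-z0-9\\]+)-\s*(.*)$")     # Auto\command- <cmd> (mountpoints2 style)

# Debuggers that legitimately appear under Image File Execution Options (assumed allowlist).
LEGIT_DEBUGGERS = {"drwtsn32.exe", "ntsd", "ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}
# Policy values malware sets to lock the user out of the tools needed to remove it.
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "disablecmd"}


def parse_dump(text):
    """Return {key_path: [(name, raw_value), ...]} for a DSS-style registry dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*Note*"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = ASSIGN_RE.match(line) or ARROW_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def _unquote(value):
    """Strip the outer quotes and the escaped inner quotes DSS prints around strings."""
    value = value.strip()
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return value.replace('\\"', "").strip()


def _dword(value):
    """'1 (0x1)' -> 1; anything that does not start with a number -> None."""
    m = re.match(r"^(\d+)", value.strip())
    return int(m.group(1)) if m else None


def _exe_name(command):
    """Executable name (lower-case, no directory) from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split(None, 1)[0] if command else ""
    return token.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return [(category, key_or_debugger, detail), ...] for the four techniques."""
    findings = []
    redirects = {}  # debugger command -> programs whose launch it intercepts
    for key, values in parse_dump(text).items():
        k = key.lower()
        for name, raw in values:
            n, val = name.lower(), _unquote(raw)
            if k.endswith("\\policies\\system") and n in LOCKOUT_POLICIES and _dword(raw) == 1:
                findings.append(("tool-lockout", key, f"{name}=1"))
            elif k.endswith("\\winlogon") and n == "shell" and val.lower() != "explorer.exe":
                # Anything appended to Explorer.exe here is started at every logon.
                findings.append(("shell-hijack", key, val))
            elif "\\image file execution options\\" in k and n == "debugger":
                if _exe_name(val) not in LEGIT_DEBUGGERS:
                    redirects.setdefault(val.lower(), []).append(key.rsplit("\\", 1)[-1])
            elif "\\mountpoints2\\" in k and n.endswith("\\command"):
                findings.append(("removable-autorun", key, f"{name} -> {val}"))
    # One finding per rogue debugger, listing every program it hijacks.
    for debugger, programs in redirects.items():
        findings.append(("ifeo-redirect", debugger,
                         f"{len(programs)} program(s) redirected: {', '.join(sorted(programs))}"))
    return findings


if __name__ == "__main__":
    for category, where, detail in triage(SAMPLE_DUMP):
        print(f"[{category}] {where}\n    {detail}")
```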
Old 02-06-2008, 04:17 AM   #5 (permalink)
HJT Trainee
 
Join Date: Jan 2008
Location: Brisbane, Australia
Posts: 134
OS: XP SP2


Re: Problems with task manager, dos prompt and pop up

Hi Angelfire777,

Great to see your reply with instructions. Well, about the torrent, I just downloaded it about a week ago, whereas I've been having problems with my laptop for the past few months. By the way, I chose to keep BitTorrent because that's my only entertainment, as I can download movies and songs. Is there any software I can download to keep my system free from malware in the future?

I did the HijackThis stuff, and I couldn't locate these 2 "stuff" (no idea what it's called):

F0 - system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)


But I managed to fix the following "stuff":

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-cmzjlii.exe"


Here is latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:57 PM, on 6/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?104e68fe1fe0480ab6b3929fdfd62a4a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?104e68fe1fe0480ab6b3929fdfd62a4a
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/s...wserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe

--
End of file - 7883 bytes


_____________

Just to let you know, while performing the OTmoveit2.exe, there was an error saying it can't locate a file, but sorry, I can't remember the name of it.

Here is the result for OTmoveit:

C:\WINDOWS\mpcodecplg.dll unregistered successfully.
C:\WINDOWS\mpcodecplg.dll moved successfully.
C:\WINDOWS\smsss.exe moved successfully.
C:\Program Files\Two roam download moved successfully.
C:\Documents and Settings\All Users\Application Data\4 Curb Loud Idol moved successfully.
LoadLibrary failed for C:\WINDOWS\smss.dll
C:\WINDOWS\smss.dll NOT unregistered.
C:\WINDOWS\smss.dll moved successfully.
File/Folder C:\WINDOWS\sembako-cmzjlii.exe not found.
File/Folder C:\WINDOWS\system32\drivers\ujrpjk.exe not found.
[Custom Input]
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\\ deleted successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}\\ not found.
< HKCU\software\microsoft\windows\currentversion\run\\Way dvd >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\\Way dvd deleted successfully.
< HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr deleted successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Bron-Spizaetus >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Bron-Spizaetus deleted successfully.
< HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus deleted successfully.
< HKU\.default\software\microsoft\windows\currentversion\run\\Tok-Cirrhatus >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\Tok-Cirrhatus deleted successfully.
< HKU\.default\software\microsoft\windows\currentversion\policies\system\\DisableRegistryTools >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system\\DisableRegistryTools deleted successfully.
< HKU\.default\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.
< HKLM\software\microsoft\windows\currentversion\policies\explorer\\hx-1 >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\\hx-1 deleted successfully.
< HKCU\software\microsoft\windows\currentversion\policies\explorer\\NoFolderOptions >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\\NoFolderOptions deleted successfully.
< HKU\.default\software\microsoft\windows\currentversion\policies\explorer\\NoFolderOptions >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\\NoFolderOptions deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\adam.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adam.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\avp.com >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\avp.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EGHOST.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvDetect.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.kxp\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvXP.kxp\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MagicSet.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\msconfig.com >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.com\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\NOD32.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NOD32.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLiveUpdate.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ras.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\regedit.com >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.com\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\SREng.EXE >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREng.EXE\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.kxp\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WoptiClean.exe\\ deleted successfully.
< HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a537800-19cd-11dc-bad4-0080bdc141b2} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a537800-19cd-11dc-bad4-0080bdc141b2}\\ deleted successfully.
< HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3100a0-4426-11dc-bae9-0080bd2e51f3} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3100a0-4426-11dc-bae9-0080bd2e51f3}\\ deleted successfully.
< HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df65300-802d-11db-b9fe-0080bde30473} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df65300-802d-11db-b9fe-0080bde30473}\\ deleted successfully.

OTMoveIt2 v1.0.17 log created on 02062008_194304

_________

Here is the log for ESET:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2851 (20080205)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=e9cb7b2884c6b9458608a1bb39566765
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-02-06 10:25:34
# local_time=2008-02-06 08:25:34 (+1000, E. Australia Standard Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 2
# scanned=217418
# found=0
# scan_time=1617

______
Here are the results for Jotti:

wnmsav.dat
Status: OK
MD5: a78078809992b683034a4e38d4c30ed7
Packers detected: -
Bit9 reports: File not found

Scan