SillyDI DJM trojan



Hi there, I have this SillyDI DJM trojan and can't get rid of it. I saw another thread about this, so I have posted my logs for ComboFix & HijackThis.

 

ComboFix

 

ComboFix 08-11-17.01 - Ian 2008-11-18 8:53:07.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1542 [GMT 0:00]

Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))

.

 

2008-11-18 08:00 . 2008-11-18 08:00 <DIR> d-------- c:\program files\Trend Micro

2008-11-17 23:01 . 2008-11-17 23:01 <DIR> d-------- c:\documents and settings\Ian\Application Data\Malwarebytes

2008-11-17 23:01 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-17 23:00 . 2008-11-17 23:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-17 23:00 . 2008-11-17 23:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-17 23:00 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-17 22:43 . 2008-11-17 22:55 <DIR> d-------- c:\program files\NoAdware

2008-11-17 22:08 . 2008-11-18 08:51 3,162,278 --a------ c:\windows\{00000003-00000000-00000008-00001102-00000004-00511102}.BAK

2008-11-16 20:21 . 2008-11-16 20:21 2,138,112 --a------ c:\documents and settings\Ian\FahCore_7c.exe

2008-11-16 13:01 . 2004-08-04 12:00 94,720 --a------ c:\windows\system32\batmeter(3.dll

2008-11-16 13:01 . 2008-11-16 13:01 47,897 --a------ c:\windows\system32\boewqjqxsaokawjub.exe

2008-11-13 10:27 . 2008-11-13 10:27 <DIR> d-------- c:\program files\devolo

2008-11-12 20:48 . 2008-11-12 20:48 <DIR> d-------- c:\program files\K-Lite Codec Pack

2008-11-12 19:32 . 2008-11-12 19:42 <DIR> d-------- c:\documents and settings\Ian\Application Data\Orbit

2008-11-12 09:23 . 2008-11-12 09:23 <DIR> d-------- c:\program files\MSXML 4.0

2008-11-08 13:00 . 2008-11-08 13:00 2,396,160 --a------ c:\documents and settings\Ian\FahCore_81.exe

2008-11-07 17:58 . 2008-11-08 08:52 <DIR> d-------- c:\program files\Custom PC Benchmarks Suite 2007

2008-11-04 19:38 . 2008-11-04 20:10 <DIR> d-------- c:\program files\RivaTuner v2.11

2008-11-04 19:00 . 2008-11-18 08:39 <DIR> d-------- c:\documents and settings\Ian\work

2008-11-04 19:00 . 2008-11-04 19:00 1,683,456 --a------ c:\documents and settings\Ian\FahCore_82.exe

2008-11-04 19:00 . 2008-11-16 20:21 7,168 --a------ c:\documents and settings\Ian\queue.dat

2008-11-04 16:45 . 2008-11-04 16:49 <DIR> d-------- c:\program files\Motherboard Monitor 5

2008-11-04 11:59 . 2008-11-04 12:00 <DIR> d-------- c:\program files\Common Files\InstallerA

2008-11-04 11:55 . 2008-11-04 11:55 249,856 --------- c:\windows\Setup1.exe

2008-11-04 11:55 . 2008-11-04 11:55 73,216 --a------ c:\windows\ST6UNST.EXE

2008-11-01 22:02 . 2006-04-14 10:09 810,056 --a------ c:\windows\system32\SATA.bmp

2008-11-01 22:02 . 2006-04-14 10:09 278 --a------ c:\windows\system32\raidmgmt.ini

2008-11-01 21:23 . 2008-11-12 08:57 <DIR> d-------- c:\program files\[email protected]

2008-11-01 21:23 . 2008-11-04 18:49 <DIR> d-------- c:\documents and settings\Ian\Application Data\[email protected]

2008-11-01 16:37 . 2008-11-04 12:59 <DIR> d-------- c:\program files\SpeedFan

2008-10-31 16:39 . 2008-10-31 16:38 410,976 --a------ c:\windows\system32\deploytk.dll

2008-10-24 15:10 . 2008-10-15 16:57 332,800 --a------ c:\windows\system32\SET229.tmp

2008-10-24 15:10 . 2008-10-15 16:57 332,800 --------- c:\windows\system32\SET1E.tmp

2008-10-21 23:46 . 2008-10-21 23:46 1,080 --a------ c:\windows\system32\settingsbkup.sfm

2008-10-21 23:46 . 2008-10-21 23:46 1,080 --a------ c:\windows\system32\settings.sfm

2008-10-21 23:37 . 2008-11-02 21:15 <DIR> d-------- c:\documents and settings\Ian\Application Data\skypePM

2008-10-21 23:37 . 2008-10-21 23:37 56 --ah----- c:\windows\system32\ezsidmv.dat

2008-10-21 23:36 . 2008-10-21 23:36 <DIR> d-------- c:\program files\Common Files\Skype

2008-10-21 17:29 . 2008-11-18 08:37 27,408 --a------ c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 17:29 . 2008-11-18 08:37 11,564 --a------ c:\windows\system32\DVCState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 17:27 . 2008-11-18 08:51 3,162,278 --a------ c:\windows\{00000003-00000000-00000008-00001102-00000004-00511102}.CDF

2008-10-21 15:52 . 2003-06-12 22:25 7,062 --a------ c:\windows\system32\audiopid.vxd

2008-10-21 14:13 . 2008-11-18 08:37 30,120 --a------ c:\windows\system32\BMXStateBkp-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 14:13 . 2008-11-18 08:37 30,120 --a------ c:\windows\system32\BMXState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 14:13 . 2008-11-18 08:37 27,408 --a------ c:\windows\system32\BMXCtrlState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-18 03:23 --------- d-----w c:\program files\Common Files\Command Software

2008-11-16 19:34 --------- d-----w c:\program files\Ad-Aware SE Personal

2008-11-14 20:36 --------- d-----w c:\program files\Common Files\PestPatrol

2008-11-14 14:36 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect

2008-11-12 20:43 --------- d-----w c:\documents and settings\Ian\Application Data\DivX

2008-11-11 20:28 --------- d-----w c:\program files\Paint Shop Pro 7

2008-11-06 19:15 --------- d-----w c:\documents and settings\Ian\Application Data\Vso

2008-11-02 23:36 --------- d-----w c:\documents and settings\Ian\Application Data\Skype

2008-11-02 14:02 7,680 ----a-w c:\windows\system32\ff_vfw.dll

2008-11-01 21:59 --------- d--h--w c:\program files\InstallShield Installation Information

2008-10-31 16:38 --------- d-----w c:\program files\Java

2008-10-28 22:35 684,032 ----a-w c:\windows\system32\divx.dll

2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-21 23:36 --------- d-----w c:\program files\Skype

2008-10-21 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2008-10-21 17:27 --------- d-----w c:\program files\Creative

2008-10-21 17:26 444,952 ----a-w c:\windows\system32\wrap_oal.dll

2008-10-21 17:26 109,080 ----a-w c:\windows\system32\OpenAL32.dll

2008-10-21 17:23 --------- d-----w c:\program files\SureThing CD Labeler

2008-10-21 17:23 --------- d-----w c:\program files\Serials 2000

2008-10-21 17:23 --------- d-----w c:\program files\PhatNoise Music Manager

2008-10-21 17:23 --------- d-----w c:\program files\OfficeUpdate11

2008-10-21 17:23 --------- d-----w c:\program files\DivX

2008-10-21 17:23 --------- d-----w c:\program files\CyberLink

2008-10-21 17:23 --------- d-----w c:\program files\Common Files\MAGIX Shared

2008-10-21 14:11 --------- d-----w c:\documents and settings\Ian\Application Data\Creative

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-02 12:04 3,140 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll

2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys

2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll

2008-06-18 20:43 67,512 ----a-w c:\documents and settings\Ian\Application Data\GDIPFONTCACHEV1.DAT

2007-12-19 20:38 47,360 ----a-w c:\documents and settings\Ian\Application Data\pcouffin.sys

2006-10-27 13:12 0 ----a-w c:\documents and settings\Ian\Application Data\wklnhst.dat

2001-10-05 12:53 21,866 ----a-w c:\program files\Common Files\tppupd2k.dll

.

 

((((((((((((((((((((((((((((( [email protected]_22.29.44.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-11-18 08:39:26 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_73c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A9022EE-DDEC-4A7B-90E3-E20C9C52D9E6}]

2004-08-04 12:00 94720 --a------ c:\windows\system32\batmeter(3.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

2004-08-04 12:00 94720 --a------ c:\windows\system32\batmeter(3.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]

"MaxtorCombo"="c:\progra~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-16 40960]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]

"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]

"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]

"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 275960]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\Ian\Start Menu\Programs\Startup\

Syndicate Manager Checker.lnk - c:\gsp\SMANAGER\LOTTERY.EXE [2006-12-12 599008]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2005-08-24 577597]

[email protected] [2008-08-01 442880]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^YouTube Uploader.lnk]

path=c:\documents and settings\Ian\Start Menu\Programs\Startup\YouTube Uploader.lnk

backup=c:\windows\pss\YouTube Uploader.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-07-16 20:29 119280 c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2007-06-13 07:16 528384 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\devolo\\informer\\devinf.exe"=

"c:\\Program Files\\devolo\\easyshare\\easyshare.exe"=

 

R0 gkzmykih;gkzmykih;c:\windows\system32\drivers\gkzmykih.sys [2006-04-17 23424]

R2 NPF_devolo;NetGroup Packet Filter Driver (devolo);c:\windows\system32\drivers\npf_devolo.sys [2007-02-07 35840]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe []

S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\Ian\LOCALS~1\Temp\TCCpuInfo.sys []

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-02-11 10112]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2044a21-6549-11da-a5a1-806d6172696f}]

\Shell\AutoRun\command - E:\Launch.exe

.

Contents of the 'Scheduled Tasks' folder

 

2008-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\kao78oxi.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://smg.photobucket.com/albums/v188/Granby/Smileys/?start=all

FF -: plugin - c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\1.2.121.9\npGoogleOneClick.dll

FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll

FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-18 08:55:04

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-18 8:55:48

ComboFix-quarantined-files.txt 2008-11-18 08:55:43

ComboFix2.txt 2008-11-17 22:30:08

 

Pre-Run: 355,613,216,768 bytes free

Post-Run: 355,588,517,888 bytes free

 

209 --- E O F --- 2008-11-12 09:26:06

 

HijackThis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:58:10, on 18/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\TPPALDR.EXE

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\Bluetooth Software\BTTray.exe

C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {8A9022EE-DDEC-4A7B-90E3-E20C9C52D9E6} - C:\WINDOWS\system32\batmeter(3.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Syndicate Manager Checker.lnk = C:\GSP\SMANAGER\LOTTERY.EXE

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: [email protected]

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162472994843

O16 - DPF: {79E54B26-46B9-40EF-BFDC-0B1BB0D68897} - http://www.piclens.com/shared/plinstll.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RetroLauncher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 9600 bytes

 

Thanks in advance for any help

Edited by Granby64

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HJT log and start a new topic.

Hi and welcome

 

I'm not able to locate the exact information related to this specific trojan, so I'll supply a generic definition:

What is the difference between viruses, worms, and Trojans?

 

 

There is a log file from the previous run of ComboFix that I need to see: ComboFix2.txt. If you could, please post it in your next reply.

Open HijackThis, click "Do a system scan only", and checkmark these entries. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {8A9022EE-DDEC-4A7B-90E3-E20C9C52D9E6} - C:\WINDOWS\system32\batmeter(3.dll

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (everything running with background protection), as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

 

 

Please open Notepad (*Do not use WordPad* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

KILLALL::

 

File::

c:\windows\system32\batmeter(3.dll

c:\windows\system32\boewqjqxsaokawjub.exe

c:\windows\system32\ezsidmv.dat

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A9022EE-DDEC-4A7B-90E3-E20C9C52D9E6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

NEXT

Go to Start > Control Panel > Internet Options.

In the General tab, under Temporary Internet Files, click Delete Files. When prompted, check Delete all offline content.

You can also check Delete Cookies (you will have to re-enter passwords at websites that require them).

Click OK.

For IE 7: under Browsing History, click Delete... Under Temporary Internet Files, click Delete files...

 

Then, go to Start >Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

Recycle Bin

Agree to the prompt to perform the action...

 

 

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

 

 

NEXT

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, please be patient.

 

*Note

It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

Please do a scan with Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

* Click on the Accept button and install any components it needs.

* The program will install and then begin downloading the latest definition files.

* After the files have been downloaded, on the left side of the page in the Scan section select My Computer.

* This will start the program and scan your system.

* The scan will take a while, so be patient and let it run. (At times it may appear to stall.)

* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.

* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

* Once the scan is complete, click on View scan report. To obtain the report: click on Save Report As. Next, in the Save as prompt, Save in area, select Desktop. In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select Text file [*.txt]. Then click Save.

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)

Or use Firefox with the IE-Tab plugin:

https://addons.mozilla.org/en-US/firefox/addon/1419

 

 

In your next reply post:

ComboFix2.txt

ComboFix.txt

Kaspersky log

New HJT log taken after the above scan has run

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.

 

 

 

Also please give me an update on how the computer is at the moment.


There is a log file from the previous run from ComboFix I need to see.

ComboFix2.txt. If you could please post this in your next reply.

 

Not 100% sure which log file you mean, but I seem to only have this one:

 

ComboFix 08-11-16.05 - Ian 2008-11-17 22:28:07.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1536 [GMT 0:00]

Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Ian\Application Data\inst.exe

 

.

((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))

.

 

2008-11-17 22:08 . 2008-11-17 22:26 3,162,278 --a------ c:\windows\{00000003-00000000-00000008-00001102-00000004-00511102}.BAK

2008-11-16 20:21 . 2008-11-16 20:21 2,138,112 --a------ c:\documents and settings\Ian\FahCore_7c.exe

2008-11-16 13:01 . 2008-11-16 13:01 102,172 --a------ c:\windows\system32\cont_offersfortoday-remove.exe

2008-11-16 13:01 . 2004-08-04 12:00 94,720 --a------ c:\windows\system32\batmeter(3.dll

2008-11-16 13:01 . 2008-11-16 13:01 47,897 --a------ c:\windows\system32\boewqjqxsaokawjub.exe

2008-11-16 09:52 . 2008-11-16 09:52 296,448 --a------ c:\windows\system32\rbcfuptgovuxs.dll

2008-11-13 10:27 . 2008-11-13 10:27 <DIR> d-------- c:\program files\devolo

2008-11-12 20:48 . 2008-11-12 20:48 <DIR> d-------- c:\program files\K-Lite Codec Pack

2008-11-12 19:32 . 2008-11-12 19:42 <DIR> d-------- c:\documents and settings\Ian\Application Data\Orbit

2008-11-12 09:23 . 2008-11-12 09:23 <DIR> d-------- c:\program files\MSXML 4.0

2008-11-08 13:00 . 2008-11-08 13:00 2,396,160 --a------ c:\documents and settings\Ian\FahCore_81.exe

2008-11-07 17:58 . 2008-11-08 08:52 <DIR> d-------- c:\program files\Custom PC Benchmarks Suite 2007

2008-11-04 19:38 . 2008-11-04 20:10 <DIR> d-------- c:\program files\RivaTuner v2.11

2008-11-04 19:00 . 2008-11-17 22:11 <DIR> d-------- c:\documents and settings\Ian\work

2008-11-04 19:00 . 2008-11-04 19:00 1,683,456 --a------ c:\documents and settings\Ian\FahCore_82.exe

2008-11-04 19:00 . 2008-11-16 20:21 7,168 --a------ c:\documents and settings\Ian\queue.dat

2008-11-04 16:45 . 2008-11-04 16:49 <DIR> d-------- c:\program files\Motherboard Monitor 5

2008-11-04 11:59 . 2008-11-04 12:00 <DIR> d-------- c:\program files\Common Files\InstallerA

2008-11-04 11:55 . 2008-11-04 11:55 249,856 --------- c:\windows\Setup1.exe

2008-11-04 11:55 . 2008-11-04 11:55 73,216 --a------ c:\windows\ST6UNST.EXE

2008-11-01 22:02 . 2006-04-14 10:09 810,056 --a------ c:\windows\system32\SATA.bmp

2008-11-01 22:02 . 2006-04-14 10:09 278 --a------ c:\windows\system32\raidmgmt.ini

2008-11-01 21:23 . 2008-11-12 08:57 <DIR> d-------- c:\program files\[email protected]

2008-11-01 21:23 . 2008-11-04 18:49 <DIR> d-------- c:\documents and settings\Ian\Application Data\[email protected]

2008-11-01 16:37 . 2008-11-04 12:59 <DIR> d-------- c:\program files\SpeedFan

2008-10-31 16:39 . 2008-10-31 16:38 410,976 --a------ c:\windows\system32\deploytk.dll

2008-10-24 15:10 . 2008-10-15 16:57 332,800 --a------ c:\windows\system32\SET229.tmp

2008-10-24 15:10 . 2008-10-15 16:57 332,800 --------- c:\windows\system32\SET1E.tmp

2008-10-21 23:46 . 2008-10-21 23:46 1,080 --a------ c:\windows\system32\settingsbkup.sfm

2008-10-21 23:46 . 2008-10-21 23:46 1,080 --a------ c:\windows\system32\settings.sfm

2008-10-21 23:37 . 2008-11-02 21:15 <DIR> d-------- c:\documents and settings\Ian\Application Data\skypePM

2008-10-21 23:37 . 2008-10-21 23:37 56 --ah----- c:\windows\system32\ezsidmv.dat

2008-10-21 23:36 . 2008-10-21 23:36 <DIR> d-------- c:\program files\Common Files\Skype

2008-10-21 17:29 . 2008-11-17 22:09 27,408 --a------ c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 17:29 . 2008-11-17 22:09 11,564 --a------ c:\windows\system32\DVCState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 17:27 . 2008-11-17 22:26 3,162,278 --a------ c:\windows\{00000003-00000000-00000008-00001102-00000004-00511102}.CDF

2008-10-21 15:52 . 2003-06-12 22:25 7,062 --a------ c:\windows\system32\audiopid.vxd

2008-10-21 14:13 . 2008-11-17 22:09 30,120 --a------ c:\windows\system32\BMXStateBkp-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 14:13 . 2008-11-17 22:09 30,120 --a------ c:\windows\system32\BMXState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 14:13 . 2008-11-17 22:09 27,408 --a------ c:\windows\system32\BMXCtrlState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-17 21:23 --------- d-----w c:\program files\Common Files\Command Software

2008-11-16 19:34 --------- d-----w c:\program files\Ad-Aware SE Personal

2008-11-14 20:36 --------- d-----w c:\program files\Common Files\PestPatrol

2008-11-14 14:36 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect

2008-11-12 20:43 --------- d-----w c:\documents and settings\Ian\Application Data\DivX

2008-11-11 20:28 --------- d-----w c:\program files\Paint Shop Pro 7

2008-11-06 19:15 --------- d-----w c:\documents and settings\Ian\Application Data\Vso

2008-11-02 23:36 --------- d-----w c:\documents and settings\Ian\Application Data\Skype

2008-11-02 14:02 7,680 ----a-w c:\windows\system32\ff_vfw.dll

2008-11-01 21:59 --------- d--h--w c:\program files\InstallShield Installation Information

2008-10-31 16:38 --------- d-----w c:\program files\Java

2008-10-28 22:35 684,032 ----a-w c:\windows\system32\divx.dll

2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-21 23:36 --------- d-----w c:\program files\Skype

2008-10-21 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2008-10-21 17:27 --------- d-----w c:\program files\Creative

2008-10-21 17:26 444,952 ----a-w c:\windows\system32\wrap_oal.dll

2008-10-21 17:26 109,080 ----a-w c:\windows\system32\OpenAL32.dll

2008-10-21 17:23 --------- d-----w c:\program files\SureThing CD Labeler

2008-10-21 17:23 --------- d-----w c:\program files\Serials 2000

2008-10-21 17:23 --------- d-----w c:\program files\PhatNoise Music Manager

2008-10-21 17:23 --------- d-----w c:\program files\OfficeUpdate11

2008-10-21 17:23 --------- d-----w c:\program files\DivX

2008-10-21 17:23 --------- d-----w c:\program files\CyberLink

2008-10-21 17:23 --------- d-----w c:\program files\Common Files\MAGIX Shared

2008-10-21 14:11 --------- d-----w c:\documents and settings\Ian\Application Data\Creative

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-08 14:58 364,544 ----a-w c:\windows\system32\nsl11.dll

2008-10-02 12:04 3,140 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll

2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys

2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll

2008-06-18 20:43 67,512 ----a-w c:\documents and settings\Ian\Application Data\GDIPFONTCACHEV1.DAT

2007-12-19 20:38 47,360 ----a-w c:\documents and settings\Ian\Application Data\pcouffin.sys

2006-10-27 13:12 0 ----a-w c:\documents and settings\Ian\Application Data\wklnhst.dat

2001-10-05 12:53 21,866 ----a-w c:\program files\Common Files\tppupd2k.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{410A5D62-ED9A-D9D5-3EF7-CE29B1BD7535}]

2008-11-16 09:52 296448 --a------ c:\windows\system32\rbcfuptgovuxs.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82dd008b-92a0-8929-6b6b-53cd2311e47e}]

2008-10-08 14:58 364544 --a------ c:\windows\system32\nsl11.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A9022EE-DDEC-4A7B-90E3-E20C9C52D9E6}]

2004-08-04 12:00 94720 --a------ c:\windows\system32\batmeter(3.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

2004-08-04 12:00 94720 --a------ c:\windows\system32\batmeter(3.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]

"MaxtorCombo"="c:\progra~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-16 40960]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]

"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]

"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]

"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 275960]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"lclpszbfbw"="c:\windows\system32\rbcfuptgovuxs.dll" [2008-11-16 296448]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\Ian\Start Menu\Programs\Startup\

Syndicate Manager Checker.lnk - c:\gsp\SMANAGER\LOTTERY.EXE [2006-12-12 599008]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2005-08-24 577597]

[email protected] [2008-08-01 442880]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^YouTube Uploader.lnk]

path=c:\documents and settings\Ian\Start Menu\Programs\Startup\YouTube Uploader.lnk

backup=c:\windows\pss\YouTube Uploader.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-07-16 20:29 119280 c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2007-06-13 07:16 528384 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\devolo\\informer\\devinf.exe"=

"c:\\Program Files\\devolo\\easyshare\\easyshare.exe"=

 

R0 gkzmykih;gkzmykih;c:\windows\system32\drivers\gkzmykih.sys [2006-04-17 23424]

R2 NPF_devolo;NetGroup Packet Filter Driver (devolo);c:\windows\system32\drivers\npf_devolo.sys [2007-02-07 35840]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe []

S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\Ian\LOCALS~1\Temp\TCCpuInfo.sys []

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-02-11 10112]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2044a21-6549-11da-a5a1-806d6172696f}]

\Shell\AutoRun\command - E:\Launch.exe

 

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

 

2008-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-AOL_Demo - c:\applications\Tool\AOL Demo\DSGDemo.exe

MSConfigStartUp-ImInstaller_IncrediMail - c:\docume~1\Ian\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe

MSConfigStartUp-Power2GoExpress - c:\docume~1\Ian\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\kao78oxi.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://smg.photobucket.com/albums/v188/Granby/Smileys/?start=all

FF -: plugin - c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\1.2.121.9\npGoogleOneClick.dll

FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll

FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-17 22:29:25

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-17 22:30:07

ComboFix-quarantined-files.txt 2008-11-17 22:30:03

 

Pre-Run: 355,562,389,504 bytes free

Post-Run: 355,660,189,696 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /numproc=2

 

221 --- E O F --- 2008-11-12 09:26:06


Will get the other 2 log files up tonight as Kaspersky is taking quite a long while to scan.

 

ComboFix 08-11-17.01 - Ian 2008-11-19 9:48:21.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1491 [GMT 0:00]

Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ian\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

c:\windows\system32\batmeter(3.dll

c:\windows\system32\boewqjqxsaokawjub.exe

c:\windows\system32\ezsidmv.dat

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\boewqjqxsaokawjub.exe

c:\windows\system32\ezsidmv.dat

c:\windows\system32\batmeter(3.dll . . . . failed to delete

 

.

((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))

.

 

2008-11-18 08:00 . 2008-11-18 08:00 <DIR> d-------- c:\program files\Trend Micro

2008-11-17 23:01 . 2008-11-17 23:01 <DIR> d-------- c:\documents and settings\Ian\Application Data\Malwarebytes

2008-11-17 23:01 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-17 23:00 . 2008-11-17 23:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-17 23:00 . 2008-11-17 23:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-17 23:00 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-17 22:43 . 2008-11-17 22:55 <DIR> d-------- c:\program files\NoAdware

2008-11-17 22:08 . 2008-11-19 09:47 3,162,278 --a------ c:\windows\{00000003-00000000-00000008-00001102-00000004-00511102}.BAK

2008-11-16 20:21 . 2008-11-16 20:21 2,138,112 --a------ c:\documents and settings\Ian\FahCore_7c.exe

2008-11-16 13:01 . 2004-08-04 12:00 94,720 --a------ c:\windows\system32\batmeter(3.dll

2008-11-13 10:27 . 2008-11-13 10:27 <DIR> d-------- c:\program files\devolo

2008-11-12 20:48 . 2008-11-12 20:48 <DIR> d-------- c:\program files\K-Lite Codec Pack

2008-11-12 19:32 . 2008-11-12 19:42 <DIR> d-------- c:\documents and settings\Ian\Application Data\Orbit

2008-11-12 09:23 . 2008-11-12 09:23 <DIR> d-------- c:\program files\MSXML 4.0

2008-11-08 13:00 . 2008-11-08 13:00 2,396,160 --a------ c:\documents and settings\Ian\FahCore_81.exe

2008-11-07 17:58 . 2008-11-08 08:52 <DIR> d-------- c:\program files\Custom PC Benchmarks Suite 2007

2008-11-04 19:38 . 2008-11-04 20:10 <DIR> d-------- c:\program files\RivaTuner v2.11

2008-11-04 19:00 . 2008-11-19 09:52 <DIR> d-------- c:\documents and settings\Ian\work

2008-11-04 19:00 . 2008-11-04 19:00 1,683,456 --a------ c:\documents and settings\Ian\FahCore_82.exe

2008-11-04 19:00 . 2008-11-19 07:50 7,168 --a------ c:\documents and settings\Ian\queue.dat

2008-11-04 16:45 . 2008-11-04 16:49 <DIR> d-------- c:\program files\Motherboard Monitor 5

2008-11-04 11:59 . 2008-11-04 12:00 <DIR> d-------- c:\program files\Common Files\InstallerA

2008-11-04 11:55 . 2008-11-04 11:55 249,856 --------- c:\windows\Setup1.exe

2008-11-04 11:55 . 2008-11-04 11:55 73,216 --a------ c:\windows\ST6UNST.EXE

2008-11-01 22:02 . 2006-04-14 10:09 810,056 --a------ c:\windows\system32\SATA.bmp

2008-11-01 22:02 . 2006-04-14 10:09 278 --a------ c:\windows\system32\raidmgmt.ini

2008-11-01 21:23 . 2008-11-12 08:57 <DIR> d-------- c:\program files\[email protected]

2008-11-01 21:23 . 2008-11-04 18:49 <DIR> d-------- c:\documents and settings\Ian\Application Data\[email protected]

2008-11-01 16:37 . 2008-11-04 12:59 <DIR> d-------- c:\program files\SpeedFan

2008-10-31 16:39 . 2008-10-31 16:38 410,976 --a------ c:\windows\system32\deploytk.dll

2008-10-24 15:10 . 2008-10-15 16:57 332,800 --a------ c:\windows\system32\SET229.tmp

2008-10-24 15:10 . 2008-10-15 16:57 332,800 --------- c:\windows\system32\SET1E.tmp

2008-10-21 23:46 . 2008-10-21 23:46 1,080 --a------ c:\windows\system32\settingsbkup.sfm

2008-10-21 23:46 . 2008-10-21 23:46 1,080 --a------ c:\windows\system32\settings.sfm

2008-10-21 23:37 . 2008-11-02 21:15 <DIR> d-------- c:\documents and settings\Ian\Application Data\skypePM

2008-10-21 23:36 . 2008-10-21 23:36 <DIR> d-------- c:\program files\Common Files\Skype

2008-10-21 17:29 . 2008-11-19 09:49 27,408 --a------ c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 17:29 . 2008-11-19 09:49 11,564 --a------ c:\windows\system32\DVCState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 17:27 . 2008-11-19 09:47 3,162,278 --a------ c:\windows\{00000003-00000000-00000008-00001102-00000004-00511102}.CDF

2008-10-21 15:52 . 2003-06-12 22:25 7,062 --a------ c:\windows\system32\audiopid.vxd

2008-10-21 14:13 . 2008-11-19 09:49 30,120 --a------ c:\windows\system32\BMXStateBkp-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 14:13 . 2008-11-19 09:49 30,120 --a------ c:\windows\system32\BMXState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

2008-10-21 14:13 . 2008-11-19 09:49 27,408 --a------ c:\windows\system32\BMXCtrlState-{00000003-00000000-00000008-00001102-00000004-00511102}.rfx

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-19 09:43 69,112 ----a-w c:\documents and settings\Ian\Application Data\GDIPFONTCACHEV1.DAT

2008-11-19 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-19 01:27 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-11-18 12:00 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect

2008-11-18 03:23 --------- d-----w c:\program files\Common Files\Command Software

2008-11-16 19:34 --------- d-----w c:\program files\Ad-Aware SE Personal

2008-11-14 20:36 --------- d-----w c:\program files\Common Files\PestPatrol

2008-11-12 20:43 --------- d-----w c:\documents and settings\Ian\Application Data\DivX

2008-11-11 20:28 --------- d-----w c:\program files\Paint Shop Pro 7

2008-11-06 19:15 --------- d-----w c:\documents and settings\Ian\Application Data\Vso

2008-11-02 23:36 --------- d-----w c:\documents and settings\Ian\Application Data\Skype

2008-11-01 21:59 --------- d--h--w c:\program files\InstallShield Installation Information

2008-10-31 16:38 --------- d-----w c:\program files\Java

2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-21 23:36 --------- d-----w c:\program files\Skype

2008-10-21 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2008-10-21 17:27 --------- d-----w c:\program files\Creative

2008-10-21 17:23 --------- d-----w c:\program files\SureThing CD Labeler

2008-10-21 17:23 --------- d-----w c:\program files\Serials 2000

2008-10-21 17:23 --------- d-----w c:\program files\PhatNoise Music Manager

2008-10-21 17:23 --------- d-----w c:\program files\OfficeUpdate11

2008-10-21 17:23 --------- d-----w c:\program files\DivX

2008-10-21 17:23 --------- d-----w c:\program files\CyberLink

2008-10-21 17:23 --------- d-----w c:\program files\Common Files\MAGIX Shared

2008-10-21 14:11 --------- d-----w c:\documents and settings\Ian\Application Data\Creative

2007-12-19 20:38 47,360 ----a-w c:\documents and settings\Ian\Application Data\pcouffin.sys

2006-10-27 13:12 0 ----a-w c:\documents and settings\Ian\Application Data\wklnhst.dat

2001-10-05 12:53 21,866 ----a-w c:\program files\Common Files\tppupd2k.dll

.

 

((((((((((((((((((((((((((((( [email protected]_22.29.44.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-11-19 09:51:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7f4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

2004-08-04 12:00 94720 --a------ c:\windows\system32\batmeter(3.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]

"MaxtorCombo"="c:\progra~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-16 40960]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]

"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]

"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]

"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 275960]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\Ian\Start Menu\Programs\Startup\

Syndicate Manager Checker.lnk - c:\gsp\SMANAGER\LOTTERY.EXE [2006-12-12 599008]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2005-08-24 577597]

[email protected] [2008-08-01 442880]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^YouTube Uploader.lnk]

path=c:\documents and settings\Ian\Start Menu\Programs\Startup\YouTube Uploader.lnk

backup=c:\windows\pss\YouTube Uploader.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-07-16 20:29 119280 c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2007-06-13 07:16 528384 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\devolo\\informer\\devinf.exe"=

"c:\\Program Files\\devolo\\easyshare\\easyshare.exe"=

 

R0 gkzmykih;gkzmykih;c:\windows\system32\drivers\gkzmykih.sys [2006-04-17 23424]

R2 NPF_devolo;NetGroup Packet Filter Driver (devolo);c:\windows\system32\drivers\npf_devolo.sys [2007-02-07 35840]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe []

S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\Ian\LOCALS~1\Temp\TCCpuInfo.sys []

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-02-11 10112]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2044a21-6549-11da-a5a1-806d6172696f}]

\Shell\AutoRun\command - E:\Launch.exe

.

Contents of the 'Scheduled Tasks' folder

 

2008-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-19 09:52:01

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Virgin Broadband\PCguard\fws.exe

c:\program files\Common Files\Seagate\Schedule2\schedul2.exe

c:\program files\Belkin\Bluetooth Software\bin\btwdins.exe

c:\program files\Common Files\Command Software\dvpapi.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PSIService.exe

c:\program files\Dantz\Retrospect\retrorun.exe

c:\windows\system32\rundll32.exe

c:\documents and settings\All Users\Start Menu\Programs\Startup\[email protected]

c:\windows\system32\ntvdm.exe

c:\program files\Belkin\Bluetooth Software\BTStackServer.exe

c:\documents and settings\Ian\FahCore_7c.exe

.

**************************************************************************

.

Completion time: 2008-11-19 9:56:31 - machine was rebooted

ComboFix-quarantined-files.txt 2008-11-19 09:56:23

ComboFix2.txt 2008-11-18 08:55:49

ComboFix3.txt 2008-11-17 22:30:08

 

Pre-Run: 355,423,911,936 bytes free

Post-Run: 355,412,971,520 bytes free

Edited by Granby64

Will get the other 2 log files up tonight as Kaspersky is taking quite a long while to scan.

Before I have you do anything else, I'd like to see the results of the Kaspersky scan.

 

So far it's looking better.


--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, November 20, 2008

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, November 19, 2008 22:50:00

Records in database: 1395220

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

H:\

I:\

J:\

K:\

M:\

Z:\

 

Scan statistics:

Files scanned: 396733

Threat name: 12

Infected objects: 24

Suspicious objects: 1

Duration of the scan: 04:26:47

 

 

File name / Threat name / Threats count

C:\Downloads\FilterGate (V5.17).exe Infected: Trojan-Spy.Win32.Agent.ed 1

C:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.Cydoor 2

C:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.SaveNow.ae 1

C:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1

C:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.SaveNow.h 1

C:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.SaveNow.bu 1

C:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.CommonName.b 1

C:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.CommonName.o 1

C:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.CommonName.c 1

C:\Program Files\Trend Micro\HijackThis\backups\backup-20081119-094635-478.dll Infected: Rootkit.Win32.Podnuha.bhw 1

C:\Program Files\Trend Micro\HijackThis\backups\backup-20081119-094635-604.dll Infected: Rootkit.Win32.Podnuha.bhw 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\_batmeter(3_.dll.zip Infected: Rootkit.Win32.Podnuha.bhw 1

D:\Documents and Settings\Ian\Local Settings\Temporary Internet Files\Content.IE5\DQXTYLMS\wbkA24.tmp Suspicious: Trojan-Spy.HTML.Fraud.gen 1

D:\Downloads\FilterGate (V5.17).exe Infected: Trojan-Spy.Win32.Agent.ed 1

D:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.Cydoor 2

D:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.SaveNow.ae 1

D:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1

D:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.SaveNow.h 1

D:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.SaveNow.bu 1

D:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.CommonName.b 1

D:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.CommonName.o 1

D:\Downloads\Netpumper (V1.10.3).exe Infected: not-a-virus:AdWare.Win32.CommonName.c 1

Z:\zcodec.1579.exe Infected: Trojan-Downloader.Win32.CodecPack.aak 1

 

The selected area was scanned.

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:47:28, on 20/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\TPPALDR.EXE

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\Bluetooth Software\BTTray.exe

C:\WINDOWS\system32\ntvdm.exe

C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Syndicate Manager Checker.lnk = C:\GSP\SMANAGER\LOTTERY.EXE

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: [email protected]

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162472994843

O16 - DPF: {79E54B26-46B9-40EF-BFDC-0B1BB0D68897} - http://www.piclens.com/shared/plinstll.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RetroLauncher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 9782 bytes


Welcome back

 

 

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files. When prompted, check: Delete all offline content

You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

Click OK

 

For I.E. 7 - under Browsing History, click delete... Under Temporary Internet Files, click Delete files...

 

Then, go to Start >Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

RecycleBin

Agree to the prompt to perform the action...

 

 

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program

as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

 

 

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

 

 

Kaspersky scan found a few infected files/folders that need to be removed.

If one should resist deletion, drop into Safe Mode and try again.

 

To Reboot your computer into SafeMode

You can do this by restarting your computer and tapping the F8 key before Windows starts

You are presented with a Windows XP Advanced Options menu

Use your up arrow key to highlight SafeMode then hit enter.

http://www.bleepingcomputer.com/tutorials/tutorial61.html

How to start Windows in Safe Mode

 

 

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:

  • Select - Show hidden files and folders.

  • Uncheck- Hide protected operating system files (recommended) option.

  • Also, make sure there is no checkmark beside Hide file extensions for known file types.

  • Click OK. (Remember to Hide files and folders once done)

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

 

There will be more than one directory here to remove bad files from.

 

C:\Downloads\FilterGate (V5.17).exe <--delete this file

C:\Downloads\Netpumper (V1.10.3).exe <--delete

C:\Program Files\Trend Micro\HijackThis\backups\backup-20081119-094635-478.dll <--this file

D:\Downloads\FilterGate (V5.17).exe <--this file

D:\Downloads\Netpumper (V1.10.3).exe <--this file

Z:\zcodec.1579.exe <--this file

C:\WINDOWS\system32\batmeter(3.dll <--this file

 

 

 

 

Next, launch Notepad, (Start > Run, type in: notepad) copy and paste the blue text below into notepad (don't forget to copy and paste REGEDIT4)

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

 

[-HKEY_CLASSES_ROOT\CLSID\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

 

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: [image]

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards

 

 

 

 

Now please reboot the machine

 

 

Please post back with a new HJT log and give me an update on how the machine is at the moment.

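The fix above works by hand: spot the one O2 line in the HijackThis log that is registered without a name and points at an oddly named DLL in system32, then write a REGEDIT4 file that deletes its Browser Helper Objects entry and its CLSID. As an added example (not code from this thread, from HijackThis, or from any other tool mentioned here), the Python script below does the same triage over a few HijackThis lines: it parses the O2 entries, flags the ones that have no display name or whose DLL file name contains characters a normal Windows DLL name would not, and emits the matching REGEDIT4 deletion text. The sample lines are constructed to match the format of the logs posted above; the "(no name)" and file-name heuristics, and the function names, are the editor's own and are not part of HijackThis.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of HijackThis lines in the format seen
# in the logs above (only the batmeter(3.dll entry is the one flagged there).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""


@dataclass
class BhoEntry:
    name: str   # display name HijackThis read from the registry, or "(no name)"
    clsid: str  # the BHO's CLSID, braces included
    path: str   # DLL path the CLSID's InprocServer32 points at


# A CLSID is {8-4-4-4-12} hex digits; HijackThis prints it between " - " separators.
CLSID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>\S.*)$")

# Heuristic (editor's assumption): legitimate DLL file names use letters,
# digits, '_', '-', '.' and the 8.3 short-name marker '~'. Anything else,
# such as the '(' in batmeter(3.dll, deserves a second look.
NORMAL_DLL_NAME = re.compile(r"^[A-Za-z0-9_.~-]+\.dll$", re.IGNORECASE)

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"


def parse_bho_entries(log_text):
    """Return the O2 (Browser Helper Object) entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            entries.append(BhoEntry(m["name"], m["clsid"], m["path"]))
    return entries


def suspicious_bhos(entries):
    """Return (entry, reasons) pairs for BHOs with no name or an odd DLL file name."""
    flagged = []
    for e in entries:
        filename = e.path.rsplit("\\", 1)[-1]
        reasons = []
        if e.name.strip().lower() == "(no name)":
            reasons.append("BHO is registered without a display name")
        if not NORMAL_DLL_NAME.match(filename):
            reasons.append("unusual DLL file name %r" % filename)
        if reasons:
            flagged.append((e, reasons))
    return flagged


def regedit4_removal(entries):
    """Build REGEDIT4 text that deletes each BHO's registration and CLSID key.

    A leading '-' inside the brackets tells regedit to delete the key, which is
    exactly what the fix.reg posted above does for the one flagged CLSID.
    """
    lines = ["REGEDIT4", ""]
    for e in entries:
        lines.append("[-" + BHO_KEY + "\\" + e.clsid + "]")
        lines.append("")
        lines.append("[-" + CLSID_KEY + "\\" + e.clsid + "]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_bho_entries(SAMPLE_HJT_LOG)
    flagged = suspicious_bhos(found)
    for entry, reasons in flagged:
        print(entry.clsid, entry.path)
        for r in reasons:
            print("   -", r)
    print()
    print(regedit4_removal([e for e, _ in flagged]))
```

Run as-is it prints the one flagged entry with both reasons and the REGEDIT4 text; pointing `parse_bho_entries` at a real HijackThis log instead of the sample gives the same triage for every O2 line, and the output is only a starting point for a human check of the flagged DLL, not a verdict.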

Please download OTMoveIt3 by OldTimer. Save it to your desktop.

 

Double click OTMoveIt3.exe to start the tool.

  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

     

    C:\WINDOWS\system32\batmeter(3.dll
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

If the machine reboots, the Results log can be found here:

 

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

 

 

 

NEXT**

 

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

Tutorial if needed

http://thespykiller.co.uk/index.php/topic,5946.0.html

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

 

 

 

In your next reply post:

OTMoveIt log

Malwarebytes' Anti-Malware log

New HJT log

 

 

 

Please tell me how the machine is now.


OTMoveIt doesn't ask me to reboot unless I go through the CleanUp procedure.

 

Error: Unable to interpret <C:\WINDOWS\system32\batmeter(3.dll> in the current context!

 

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11222008_100654

 

---------------------------------------------------------------------------------------

 

Malwarebytes didn't delete batmeter(3.dll on reboot

 

Malwarebytes' Anti-Malware 1.30

Database version: 1415

Windows 5.1.2600 Service Pack 2

 

22/11/2008 10:21:09

mbam-log-2008-11-22 (10-21-09).txt

 

Scan type: Quick Scan

Objects scanned: 59195

Time elapsed: 10 minute(s), 18 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{997921b6-9144-4d0f-afb1-a626e979b81f} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{997921b6-9144-4d0f-afb1-a626e979b81f} (Trojan.BHO.H) -> Delete on reboot.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\batmeter(3.dll (Trojan.BHO.H) -> Delete on reboot.

 

---------------------------------------------------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:30:23, on 22/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\TPPALDR.EXE

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\Virgin Broadband\PCguard\Rps.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\Bluetooth Software\BTTray.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Syndicate Manager Checker.lnk = C:\GSP\SMANAGER\LOTTERY.EXE

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: [email protected]

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162472994843

O16 - DPF: {79E54B26-46B9-40EF-BFDC-0B1BB0D68897} - http://www.piclens.com/shared/plinstll.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RetroLauncher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 9833 bytes


It says MBAM found it and deleted..

Now the HJT log says it's still there.

 

Did you run MBAM first or HJT first?

 

 

Also, after you ran MBAM did you reboot the machine?

 

 

Tell me how the computer is behaving.


It says MBAM found it and deleted..

Now the HJT log says it's still there.

 

Did you run MBAM first or HJT first?

Also, after you ran MBAM did you reboot the machine?

Tell me how the computer is behaving.

 

MBAM was run first, then the computer rebooted as requested by MBAM, and HJT was run after the reboot.

 

MBAM never seems to delete batmeter(3.dll file although it says it's deleted

 

Computer seems to be running fine. When I first had this problem, sometimes if I did a Google search it would go to a different website from the link in Google, but that doesn't happen any more.

 

Once again, thanks for your help in this matter, even though it seems to be a pain to get rid of :angry:


I must have given the wrong syntax.....

 

We'll try again

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the blue text below into Notepad (don't forget to copy and paste REGEDIT4).

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

 

[-HKEY_CLASSES_ROOT\CLSID\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

 

Save this as fix2.reg, change the "Save as type" to "All Files", and place it on your desktop.

Double-click on it and, when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

Double click OTMoveIt3 to start the tool.

  • Copy the lines in blue text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

     

    :Files

    C:\WINDOWS\system32\batmeter(3.dll

     

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

Please reboot the computer even if not asked to do so.

 

If the machine reboots, the Results log can be found here:

 

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

Please post:

OTMoveIt log

New HJT log


When I click on a reg file it asks whether I want to add the information into the registry; is that the same as merging the contents to the registry?

 

----------------------------------------------------------------------------------------------------------

 

Error: Unable to interpret <C:\WINDOWS\system32\batmeter(3.dll> in the current context!

 

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11232008_165550

 

---------------------------------------------------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:04:19, on 23/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\TPPALDR.EXE

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\Virgin Broadband\PCguard\Rps.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\Bluetooth Software\BTTray.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\[email protected]

C:\WINDOWS\system32\ntvdm.exe

C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Documents and Settings\Ian\FahCore_78.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ErrorFix] C:\Program Files\ErrorFix\ErrorFix.exe -boot

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Syndicate Manager Checker.lnk = C:\GSP\SMANAGER\LOTTERY.EXE

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: [email protected]

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162472994843

O16 - DPF: {79E54B26-46B9-40EF-BFDC-0B1BB0D68897} - http://www.piclens.com/shared/plinstll.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RetroLauncher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 10006 bytes

Edited by Granby64

When I click on a reg file it asks whether I want to add the information into the registry; is that the same as merging the contents to the registry?

 

Yes

I think I found my error

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the blue text below into Notepad (don't forget to copy and paste REGEDIT4).

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

 

[-HKEY_CLASSES_ROOT\CLSID\{997921B6-9144-4D0F-AFB1-A626E979B81F}]

Save this as fix.reg, change the "Save as type" to "All Files", and place it on your desktop.

Double-click on it and, when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

Double click OTMoveIt3 to start the tool.

  • Copy the lines in blue text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

     

    :Files

    C:\WINDOWS\system32\batmeter(3).dll

     

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

Please reboot the computer even if not asked to do so.

 

If the machine reboots, the Results log can be found here:

 

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

Please post:

OTMoveIt log

New HJT log


Error: Unable to interpret <C:\WINDOWS\system32\batmeter(3).dll> in the current context!

 

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11232008_202444

 

--------------------------------------------------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:33:02, on 23/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\TPPALDR.EXE

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\Virgin Broadband\PCguard\Rps.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\Bluetooth Software\BTTray.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\[email protected]

C:\WINDOWS\system32\ntvdm.exe

C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Documents and Settings\Ian\FahCore_78.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ErrorFix] C:\Program Files\ErrorFix\ErrorFix.exe -boot

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Syndicate Manager Checker.lnk = C:\GSP\SMANAGER\LOTTERY.EXE

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: [email protected]

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162472994843

O16 - DPF: {79E54B26-46B9-40EF-BFDC-0B1BB0D68897} - http://www.piclens.com/shared/plinstll.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RetroLauncher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 10095 bytes

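Each round in this thread is judged by comparing the new HJT log with the previous one by eye: did the checked entries disappear, and did the BHO survive? What follows is an added example, not code from the thread or from HijackThis, that does that comparison in Python over constructed excerpts assembled from lines that appear in the logs posted here. It parses O2/O4/O23 lines, diffs two logs by section and file path, and flags entries with three heuristics drawn from what the helper singled out: a BHO registered with no name, a service whose file is reported missing, and a malformed file name. The `Entry` record, the `compare_logs` report and the heuristics are the example's own, not HijackThis features.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section name path")

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
O4_RE = re.compile(r"^(.*?): \[([^\]]+)\] (.*)$")


def parse_hjt(text):
    """Turn HijackThis scan lines into Entry records; non-entry lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        m4 = O4_RE.match(rest) if section == "O4" else None
        if m4:
            # O4 - HKCU\..\Run: [ValueName] command line
            entries.append(Entry(section, m4.group(2), m4.group(3)))
        else:
            # O2/O9/O23: 'Label - {CLSID or company} - file'; the file is the last field
            parts = [p.strip() for p in rest.split(" - ")]
            entries.append(Entry(section, parts[0], parts[-1]))
    return entries


def suspicious(entry):
    """Return the triage reason for an entry, or None if no heuristic fires."""
    if entry.section == "O2" and "(no name)" in entry.name:
        return "BHO registered without a name"
    if "(file missing)" in entry.path:
        return "autostart points at a file that no longer exists"
    base = entry.path.rsplit("\\", 1)[-1]
    if base.count("(") != base.count(")"):
        return "malformed file name (unbalanced parenthesis)"
    return None


def compare_logs(before, after):
    """Report what a fix round removed, what appeared, and which flagged entries survived."""
    b = {(e.section, e.path): e for e in parse_hjt(before)}
    a = {(e.section, e.path): e for e in parse_hjt(after)}
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "persisted_flagged": sorted(
            (k, suspicious(a[k])) for k in a if k in b and suspicious(a[k])
        ),
    }


# Constructed excerpts: lines taken from the logs posted in this thread, arranged as
# a before/after pair around a round that removed the ErrorFix Run value.
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ErrorFix] C:\Program Files\ErrorFix\ErrorFix.exe -boot
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
"""

AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    report = compare_logs(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "added", "persisted_flagged"):
        print(label + ":")
        for item in report[label]:
            print("   ", item)
```

Run as a script it lists the two entries that vanished between the logs and reports the nameless BHO as the one flagged entry that survived the round, which is exactly the situation the helper is chasing in this thread.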

I think it was a program for fixing .dll files, but it's not on my computer any more (well, not in that location).

Could be our problem....

If you know where the program is located please delete it

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

O4 - HKCU\..\Run: [ErrorFix] C:\Program Files\ErrorFix\ErrorFix.exe -boot

Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the blue text below into Notepad (don't forget to copy and paste REGEDIT4).

 

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ErrorFix"=-

Save this as delete.reg, change the "Save as type" to "All Files", and place it on your desktop.

Double-click on it and, when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

Go to My Computer -> Tools -> Folder Options -> View tab:

  • Under the Hidden files and folders heading:

  • Select - Show hidden files and folders.

  • Uncheck - Hide protected operating system files (recommended) option.

  • Also, make sure there is no checkmark beside Hide file extensions for known file types.

  • Click OK. (Remember to hide the files and folders again once done.)
Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders:

 

C:\WINDOWS\system32\batmeter(3.dll <--file if found

C:\Program Files\ErrorFix <--delete this folder

Now reboot the machine......

 

Post back with a new HJT log

How's the computer?

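The question earlier in the thread, whether "add the information into the registry" is the same as merging the contents, comes down to what regedit does with the two REGEDIT4 forms used in the fix files here: `[-KEY]` removes that key and everything beneath it, and `"Name"=-` removes one value from the key named in the preceding `[KEY]` section. The following is an added example, not code from the thread or from any of the tools it uses, that models those two operations in Python on an in-memory registry so the effect of fix.reg and delete.reg can be checked before they are merged. The key paths, CLSID and value name are the ones from the fix files above; the registry model, its sample contents and the function names are constructed for the example.

```python
import re

# REGEDIT4 syntax modelled here (the only two forms the thread's fix files use):
#   [-HKEY...\Path]   delete that key and everything beneath it
#   "Name"=-          delete one value from the key named by the preceding [section]
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')

# Key paths, CLSID and value name as they appear in the thread's fix files.
BHO_CLSID = "{997921B6-9144-4D0F-AFB1-A626E979B81F}"
BHO_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

FIX_REG = "REGEDIT4\n\n[-%s\\%s]\n\n[-HKEY_CLASSES_ROOT\\CLSID\\%s]\n" % (BHO_LIST, BHO_CLSID, BHO_CLSID)
DELETE_REG = "REGEDIT4\n\n[%s]\n\"ErrorFix\"=-\n" % RUN_KEY


def new_key(values=None, subkeys=None):
    """A registry key is modelled as its values plus its child keys."""
    return {"values": dict(values or {}), "subkeys": dict(subkeys or {})}


def lookup(root, path, create=False):
    """Walk a backslash-separated key path; return the key node or None."""
    node = root
    for part in path.split("\\"):
        child = node["subkeys"].get(part)
        if child is None:
            if not create:
                return None
            child = node["subkeys"][part] = new_key()
        node = child
    return node


def apply_reg(root, text):
    """Apply a REGEDIT4 text to the model and return the actions taken, in order."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4; regedit refuses the file otherwise")
    actions, current = [], None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):
            continue
        m = KEY_RE.match(ln)
        if m:
            path = m.group(2)
            if m.group(1) == "-":
                parent_path, _, name = path.rpartition("\\")
                parent = lookup(root, parent_path) if parent_path else root
                if parent is not None and parent["subkeys"].pop(name, None) is not None:
                    actions.append(("deleted key", path))
                else:
                    actions.append(("key not present", path))
                current = None  # value lines cannot follow a deleted key
            else:
                current = lookup(root, path, create=True)  # [KEY] creates it if missing
                actions.append(("selected key", path))
            continue
        m = VALUE_DEL_RE.match(ln)
        if m and current is not None:
            name = m.group(1)
            gone = current["values"].pop(name, None) is not None
            actions.append(("deleted value" if gone else "value not present", name))
            continue
        raise ValueError("unsupported or misplaced line: " + ln)
    return actions


def build_sample_registry():
    """Constructed contents: the BHO registration and the Run value the fixes target."""
    root = new_key()
    lookup(root, BHO_LIST + "\\" + BHO_CLSID, create=True)
    server = lookup(root, "HKEY_CLASSES_ROOT\\CLSID\\" + BHO_CLSID + "\\InprocServer32", create=True)
    server["values"][""] = r"C:\WINDOWS\system32\batmeter(3.dll"
    run = lookup(root, RUN_KEY, create=True)
    run["values"]["ErrorFix"] = r"C:\Program Files\ErrorFix\ErrorFix.exe -boot"
    run["values"]["ctfmon.exe"] = r"C:\WINDOWS\system32\ctfmon.exe"  # legitimate neighbour, must survive
    return root


def bho_registered(root):
    """True while either half of the BHO registration still exists."""
    return (lookup(root, BHO_LIST + "\\" + BHO_CLSID) is not None
            or lookup(root, "HKEY_CLASSES_ROOT\\CLSID\\" + BHO_CLSID) is not None)


def run_fixes():
    """Merge both fix files into a fresh sample registry; return (actions, registry)."""
    root = build_sample_registry()
    actions = apply_reg(root, FIX_REG) + apply_reg(root, DELETE_REG)
    return actions, root


if __name__ == "__main__":
    acts, reg = run_fixes()
    for verb, target in acts:
        print(verb + ": " + target)
    print("BHO still registered:", bho_registered(reg))
```

Both registrations of the BHO (the Browser Helper Objects entry that makes Internet Explorer load it, and the CLSID entry that maps it to the DLL) are gone after fix.reg, and delete.reg removes only the ErrorFix value while leaving the neighbouring ctfmon.exe value in place. Note that merging the .reg file unregisters the DLL but does not delete it from disk, which is why the thread moves on to OTMoveIt3 and a reboot for the file itself.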

C:\WINDOWS\system32\batmeter(3.dll <--file if found

C:\Program Files\ErrorFix <--delete this folder

Now reboot the machine......

batmeter(3.dll cannot be deleted, as it comes back:

 

"cannot delete barmeter(3: access is denied

make sure the disk is not full or write-protected and that the file is not currently in use"

 

The ErrorFix folder does not exist on my computer.

 

Computer is running fine still

 

----------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:31:02, on 23/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Virgin Broadband\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\TPPALDR.EXE

C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

C:\Program Files\Virgin Broadband\PCguard\Rps.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\Bluetooth Software\BTTray.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\[email protected]

C:\WINDOWS\system32\ntvdm.exe

C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Documents and Settings\Ian\FahCore_78.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {997921B6-9144-4D0F-AFB1-A626E979B81F} - C:\WINDOWS\system32\batmeter(3.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Syndicate Manager Checker.lnk = C:\GSP\SMANAGER\LOTTERY.EXE

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: [email protected]

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162472994843

O16 - DPF: {79E54B26-46B9-40EF-BFDC-0B1BB0D68897} - http://www.piclens.com/shared/plinstll.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: RetroLauncher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 9849 bytes

Edited by Granby64

That one file has been a pain in my gorgonzollie for two days now

 

 

May have to boot into safe mode to do this

 

1. Make sure that "Use simple file sharing (Recommended)" is unchecked. This is how:

1a. Go to start->Control Panel->Folder Options.

1b. Select the "View" tab

1c. Under "Advanced Settings:" list, look for "Use simple file sharing (Recommended)" and uncheck it if it is checked.

1d. Click OK to close the dialog box

 

2. Right click on the file or folder you want to delete and click properties.

 

3. Go to the "Security" tab.

 

4. Under "Group or user names" list make sure that "Everyone" is selected

 

5. Under the "Permissions for Everyone" list make sure that "Full Control" is allowed. If not, click on the "Allow" column check box for "Full Control".

 

6. Click OK to apply and close the dialog box.

 

7. Delete the file that has the new permission set.

 

 

http://support.microsoft.com/?kbid=308421
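
The same procedure as a batch script, added here as an example and not part of the thread. It uses the file path and BHO CLSID from the HijackThis log above and assumes an Administrator account in Safe Mode and that takeown.exe is available (built in from Vista on, XP Support Tools on XP).

```batch
@echo off
rem Added example (not from the thread): command-line equivalent of the GUI steps.
rem Run from an Administrator account, preferably in Safe Mode, so the DLL is not
rem loaded into explorer.exe / iexplore.exe (a loaded DLL cannot be deleted).
setlocal
set "TARGET=C:\WINDOWS\system32\batmeter(3.dll"
set "BHO_CLSID={997921B6-9144-4D0F-AFB1-A626E979B81F}"

rem Step 1 equivalent: turn off "Use simple file sharing" so the Security tab
rem and per-user ACLs apply. ForceGuest=1 is simple file sharing, 0 is classic.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v ForceGuest /t REG_DWORD /d 0 /f

rem Unregister the BHO (the O2 entry in the log) so Internet Explorer stops
rem loading the DLL at next start. Deleting the keys does not execute the DLL,
rem unlike "regsvr32 /u", which would run the DLL's own unregister code.
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%BHO_CLSID%" /f
reg delete "HKCR\CLSID\%BHO_CLSID%" /f

rem "You only have permission to view the current owner" means the account is
rem not the owner and may not change the ACL: take ownership first.
rem Assumption: takeown.exe is installed (XP Support Tools).
takeown /f "%TARGET%"

rem Steps 2-6 equivalent: grant Everyone Full Control.
rem /E edits the existing ACL instead of replacing it, /G grants a right.
cacls "%TARGET%" /E /G Everyone:F

rem Read-only, system and hidden attributes also block deletion; clear them.
attrib -r -s -h "%TARGET%"

rem Step 7: delete, then verify. If the file survives, a running process still
rem has it loaded and the delete must be retried from Safe Mode.
del /f "%TARGET%"
if exist "%TARGET%" echo STILL PRESENT: "%TARGET%" (loaded by a running process?)
if not exist "%TARGET%" echo Deleted "%TARGET%"
endlocal
```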


Getting ready to throw the computer out the window at the moment :cr@sh:

 

Even being administrator in safe mode it will not be deleted

 

I get a message "you only have permission to view the current owner on batmeter(3.dll"

 

Will try and see if there are any answers on the microsoft support site
