Something has taken over


Comments

  • edited March 2007
    Hi Rahina - I'm back, after innumerable reboots, force quits, "program not responding" notifications, and two online Bitdefender scans (one failing after 5 hours and freezing my computer.) Yikes.

    Anyway - here is the Movit Report (took three tries after locking up the computer)

    c:\windows\system32\directx.exe moved successfully.

    Created on 03/21/2007 09:38:38


    And here is the Bitdefender (after 10 scan hours) report
    (PS - sorry for the formatting, but the result page was a table that was not easily copied and pasted):

    BitDefender Online Scanner

    Scan report generated at: Wed, Mar 21, 2007 - 23:57:37
    Scan path: C:\;D:\;

    Statistics
    Time: 04:51:20
    Files: 486291
    Folders: 6778
    Boot Sectors: 3
    Archives: 9026
    Packed Files: 36950

    Results
    Identified Viruses: 0
    Infected Files: 0
    Suspect Files: 1
    Warnings: 0
    Disinfected: 0
    Deleted Files: 1

    Engines Info
    Virus Definitions: 406595
    Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
    Scan plugins: 14
    Archive plugins: 38
    Unpack plugins: 6
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File - Status
    C:\_OTMoveIt\MovedFiles\WINDOWS\SYSTEM32\directx.exe - Suspected of: BehavesLike:Win32.AV-Killer
    C:\_OTMoveIt\MovedFiles\WINDOWS\SYSTEM32\directx.exe - Disinfection failed
    C:\_OTMoveIt\MovedFiles\WINDOWS\SYSTEM32\directx.exe - Deleted

    END
    The first failed online bitdefender scan brought up a list of about ten recognized viruses which, being unable to disinfect, deleted them. I was unable to scroll or copy the list because the scan froze my computer. Sorry.

    Hope to hear from you in the morning (here, that is.)

    regards -
  • Rahina-Rescue (Finland)
    edited March 2007
    Alright, I'm not seeing anything critical in that log.

    Please go ahead and empty the OTMoveIt Moved Files folder.

    _____________

    Please print these instructions out, or write them down, as you can't read them during the fix.

    Please download MWav:
    • Unzip it to its predetermined directory (C:\Kaspersky)
    • Locate kavupd.exe in the new folder and double-click to Update.
    • If your firewall gives any messages about this program accessing the internet, allow it.
    • If it says the signatures are more than 30 days old, keep trying until you get the actual definition updates.
    • When you see "Updates Downloaded Successfully", hit Enter to continue.
    • Restart into Safe Mode and locate the Kaspersky folder.
    • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
    Now let's do the settings:
    • Leave the Default Settings checked.
    • Add a check to Drives
    • This will light up All Drives
    • Add a check to Scan all Files
    • Click Scan Clean to begin.
    This scan might take around 3+ hours to finish when set to scan everything.
    • Please be sure it has finished before proceeding.
    • Once the scan has finished, all entries identified as Infected will be displayed in the lower panel.
    • Highlight everything inside the lower panel and hit Ctrl+C to copy.
    • Open an empty Notepad file and paste the results (Ctrl+V) into it. Save the Notepad file to your desktop, naming it as you want (e.g. MWav Results).
    Reboot into normal Windows and post the results here along with a fresh HijackThis log.
  • edited March 2007
    Hi again,

    Here's the mwav result:

    File C:\Documents and Settings\Mark Goulding\Desktop\Security\SmitfraudFix\Reboot.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
    File C:\Documents and Settings\Mark Goulding\Desktop\Security\SmitfraudFix.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
    File C:\RECYCLER\NPROTECT\00000204. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed
    File C:\RECYCLER\NPROTECT\00000216. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000230. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000253. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000336. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000421. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000451. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000452. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000524. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000573. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000602. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000605. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00000628. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001002. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001359. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001362. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001363. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001364. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001366. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001368. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001369. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\RECYCLER\NPROTECT\00001370. infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

    Is this recycle bin virus stuff you asked me to delete from the Movit "moved files" folder?

    Anyway, as per your request, a new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:51:23 PM, on 3/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - file://C:\Program Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    I look forward to your always helpful reply.
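Added example, not part of the thread and not HijackThis itself: a small Python script that applies the checks a helper runs in their head over a log like the one above (Run entries without a full path, extension DLLs dropped straight into the Windows directory, O17 NameServer overrides, Winlogon Notify packages outside a known-good list, and the "(file missing)" marks that HijackThis 1.99.1 puts on quoted service paths followed by arguments). The sample lines are copied from the log above except for one constructed O20 line ("example"), added so the Winlogon check has something to fire on; the known-good Winlogon Notify list is an assumption to extend for your own environment.

```python
"""Triage a HijackThis 1.99.1 log the way a helper reads it: pull out the
entries that deserve a second look and say why. Added example, not part of
the thread; SAMPLE_LOG mixes lines copied from the posted log with one
constructed O20 line ("example") so that every check fires on something."""
import re
from dataclasses import dataclass

# "O4 - body", "R0 - body", ... ; running-process lines do not match.
HJT_LINE = re.compile(r"^(?P<sec>[RFON]\d+)\s+-\s+(?P<body>.*)$")

# Assumed known-good Winlogon Notify packages on XP (lower-cased). Anything
# else loading into winlogon.exe should be identified before a log is called clean.
KNOWN_WINLOGON_NOTIFY = {
    "wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "scecli", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""


@dataclass
class Finding:
    section: str
    severity: str  # "check": identify before declaring the log clean; "info": cosmetic leftover
    reason: str
    line: str


def parse_hjt(text):
    """Return (section, body) pairs for the O/R/F/N lines; everything else is skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    findings = []
    for sec, body in entries:
        line = f"{sec} - {body}"
        missing = body.endswith("(file missing)")

        if sec == "O4":
            # Run-key value is "[Name] command". A bare file name is resolved through
            # the search path at logon, so confirm which file actually runs.
            m = re.search(r"\]\s+(?P<cmd>.+)$", body)
            cmd = m.group("cmd").strip().strip('"') if m else ""
            if cmd and not re.match(r"^[A-Za-z]:\\", cmd) and not cmd.lower().startswith("rundll32"):
                findings.append(Finding(sec, "check", "Run entry without a full path", line))

        elif sec in ("O2", "O3"):
            # BHO/toolbar DLL sitting directly in %windir% rather than under
            # Program Files or System32 is a common dropper location: identify it.
            path = body.rsplit(" - ", 1)[-1].strip().lower()
            if path.startswith("c:\\windows\\") and "\\system32\\" not in path:
                findings.append(Finding(sec, "check", "browser extension DLL placed directly in the Windows directory", line))

        elif sec == "O16" and " - http://" in body:
            findings.append(Finding(sec, "info", "ActiveX control fetched over plain HTTP", line))

        elif sec == "O17":
            # Hard-coded DNS servers: legitimate for an ISP, classic for DNS hijackers.
            findings.append(Finding(sec, "check", "explicit NameServer; confirm it belongs to the ISP", line))

        elif sec == "O20":
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(sec, "check", "unrecognised Winlogon Notify package", line))

        elif sec == "O23" and missing:
            if '" /' in body:
                # HJT 1.99.1 splits a quoted service path at the closing quote when
                # arguments follow, then reports the file missing; still confirm the binary exists.
                findings.append(Finding(sec, "info", "'file missing' on quoted path with arguments; probable parse artefact", line))
            else:
                findings.append(Finding(sec, "check", "service binary not found", line))

        elif sec == "O9" and missing:
            findings.append(Finding(sec, "info", "orphaned IE button; harmless leftover", line))
    return findings


def summarize(findings):
    counts = {"check": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Run as a script it prints the findings: "check" items are the ones to identify before calling a log clean, "info" items are leftovers that can be fixed but do not by themselves point at an infection. On the sample it flags the bare tp4ex.exe Run entry, the toolbar DLL in c:\windows, the NameServer line and the constructed O20 entry, and leaves the quoted BDAgent path and WgaLogon alone.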
  • Rahina-Rescue (Finland)
    edited March 2007
    Hey Goulds :) Your HJT log is clean :)

    Yes, you may now go ahead and delete those tools we used :)


    Instructions for using CCleaner:
    • Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
    • A pop up box will appear advising this process will permanently delete files from your system.
    • To protect logon cookies that you wish to retain, go to Options > Cookies, select them and use the arrow to move those cookies to the "Cookies to keep" column.
    • Then select the items you wish to clean up.
      1. In the Windows Tab:
        • Clean all entries in the "Internet Explorer" section.
        • Clean all the entries in the "Windows Explorer" section.
        • Clean all entries in the "System" section.
        • Clean all entries in the "Advanced" section.
        • Clean any others that you choose.
      2. In the Applications Tab:
        • Clean all in the Firefox/Mozilla section if you use it.
        • Clean all in the Opera section if you use it.
        • Clean Sun Java in the Internet Section.
        • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
    • Click the "Run Cleaner" button and it will scan and clean your system.
    • Click exit.
    • Shutdown/restart the computer.
    ____________________
      Windows XP System Restore Guide

      Re-enable System Restore using the instructions in the tutorial above.

      • Make your Internet Explorer more secure - This can be done by following these simple instructions:
        • From within Internet Explorer click on the Tools menu and then click on Options.
        • Click once on the Security tab.
        • Click once on the Internet icon so it becomes highlighted.
        • Click once on the Custom Level button.
          1. Change the Download signed ActiveX controls to Prompt
          2. Change the Download unsigned ActiveX controls to Disable
          3. Change the Initialize and script ActiveX controls not marked as safe to Disable
          4. Change the Installation of desktop items to Prompt
          5. Change the Launching programs and files in an IFRAME to Prompt
          6. Change the Navigate sub-frames across different domains to Prompt
          7. When all these settings have been made, click on the OK button.
          8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
        • Next press the Apply button and then the OK to exit the Internet Properties page.
      • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

        See this link for a listing of some online & their stand-alone antivirus programs:

        Virus, Spyware, and Malware Protection and Removal Resources
      • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
      • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

        For a tutorial on Firewalls and a listing of some available ones see the link below:

        Understanding and Using Firewalls
      • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
      • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with an antivirus software.

        A tutorial on installing & using this product can be found here:

        Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
      • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with an antivirus software, in conjunction with Spybot.

        A tutorial on installing & using this product can be found here:

        Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
      • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

        A tutorial on installing & using this product can be found here:

        Using SpywareBlaster to protect your computer from Spyware and Malware
      • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
      Follow this list and your potential for being infected again will reduce dramatically.

      here are some additional utilities that will enhance your safety
      • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
      • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
        Using Winpatrol to protect your computer from malicious software

      Let me know if you still receive problems :)
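The MVPS hosts file advice above relies on the resolver consulting HOSTS before DNS. The same mechanism is also used by some malware to cut a machine off from its antivirus vendor's update servers, so a hosts file is worth auditing in both directions. Added example, not part of the thread and not the MVPS file or any tool from it: a Python audit that lists which names are sinkholed to loopback and flags any entry for an update or security domain. The sample file and the PROTECTED_SUFFIXES list are constructed assumptions; download.bitdefender.com is taken from the O16 line in the log above, 203.0.113.7 is a documentation address.

```python
"""Audit a Windows HOSTS file: list the names sinkholed to loopback (what a
blocklist such as the MVPS file does) and flag entries that would cut the
machine off from its security vendors. Added example, not from the thread.
SAMPLE_HOSTS is constructed; 203.0.113.7 is a documentation address."""
import ipaddress

# Assumed starter list of domains that have no business in HOSTS at all: a
# sinkhole or redirect here blocks AV/OS updates. Extend for your own vendors.
PROTECTED_SUFFIXES = ("windowsupdate.com", "microsoft.com",
                      "bitdefender.com", "kaspersky.com")

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example.com          # blocklist entry
127.0.0.1  banners.example.org
0.0.0.0    tracker.example.net
127.0.0.1  download.bitdefender.com
203.0.113.7  www.windowsupdate.com
"""


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every usable mapping.
    Comments, blank lines and lines whose first token is not an IP are skipped,
    which is how the resolver treats them too."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_sinkhole(addr):
    """127.0.0.0/8, ::1 and 0.0.0.0 all make the name unreachable."""
    return addr.is_loopback or addr.is_unspecified


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    report = {"sinkholed": [], "suspicious": []}
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_protected(name):
            # Loopback or not, any override of an update domain is hostile.
            report["suspicious"].append((lineno, str(addr), name, "update/security domain overridden"))
        elif is_sinkhole(addr):
            report["sinkholed"].append(name)
        else:
            # A live address for a name the user did not choose: a hijack that needs no DNS.
            report["suspicious"].append((lineno, str(addr), name, "redirected to a live address"))
    return report


if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(r['sinkholed'])} names sinkholed")
    for lineno, addr, name, why in r["suspicious"]:
        print(f"line {lineno}: {addr} {name}  <- {why}")
```

Point it at C:\WINDOWS\system32\drivers\etc\hosts (read the file and pass its contents to audit_hosts) after installing a blocklist: the sinkholed list should be long and the suspicious list empty. Anything in the suspicious list is either a vendor domain someone added by hand or a sign that something else has been editing the file.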
    • edited March 2007
      Hi Rahina.

      You said my HJT log was clean. Does that mean the nasty viruses are gone - kaput - eradicated?

      here's the post cc-clean HJT log you requested...

      Logfile of HijackThis v1.99.1
      Scan saved at 11:12:28 AM, on 3/23/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\System32\ibmpmsvc.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\Iomega\System32\AppServices.exe
      C:\WINDOWS\System32\QCONSVC.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\Program Files\Iomega\AutoDisk\ADService.exe
      C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
      C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
      C:\WINDOWS\system32\RunDll32.exe
      C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
      C:\WINDOWS\AGRSMMSG.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
      C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
      C:\Program Files\Softwin\BitDefender10\bdmcon.exe
      C:\Program Files\Softwin\BitDefender10\bdagent.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Softwin\BitDefender10\vsserv.exe
      C:\Program Files\WordWeb\wweb32.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
      C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\HijackThis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
      O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
      O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
      O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
      O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
      O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
      O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
      O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
      O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
      O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
      O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
      O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
      O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
      O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
      O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
      O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
      O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
      O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - file://C:\Program Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
      O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
      O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
      O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
      O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

      Please update me to where my laptop stands. Thanks a million.
    • Rahina-Rescue (Finland)
      edited March 2007
      Your system is clean now :) If you are happy, I'm happy. Stay clean! ;)
    • edited March 2007
      Hi Rahina,

      Thank you so very much. It was a pleasure following your directions, and even more pleasurable being told my laptop is now "clean." A lot of time and effort, but worth it in the end thanks to you. Your assistance was fantastic, and I am most definitely a short-media convert!

      Best Wishes,

      Mark
    • Rahina-Rescue (Finland)
      edited March 2007
      Glad I could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.

      This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

      Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

      If you are not the user who started this thread, you must start a new Thread instead :)