PC runs s-l-o-w-l-y

panget · March 2008

Here's the log

Logfile of HijackThis v1.99.1
Scan saved at 6:31:57 AM, on 3/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = HELLO WORLD i am VB
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [MSConfigs] C:\WINDOWS\RUNDLL64.dll.vbs
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE12\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)

***

I'm tempted to fix things myself but I decided not to touch anything instead. Please assess. Thanks.

Veka · March 2008

Hello panget,

Some bad things there, so lets get rid of them. Please download these to your Desktop:

SDFix from here
SUPERAntiSpyware from here

Note: You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix.

Step 1:

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

Step 2:

Once in Normal Mode,

Run SUPERAntiSpyware and click the check for updates button.
Once the update is finished click the scan your computer button.
Check Perform Complete Scan and then next.
SUPERAntiSpyware will now scan your computer and when its finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
Copy and paste the log onto the forum.

Step 3:

Please post the contents of the SDFix and the SUPERAntiSpyware logs, along with a new HijackThis.

Veka · March 2008

Hello panget, how it's goin?

I'm waiting your reply.

panget · March 2008

From SDFix:

SDFix: Version 1.156

Run by asd on Thu 03/13/2008 at 03:19 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
MSWindows

Path:
"C:\WINDOWS\System32\urdvxc.exe" /service

MSWindows - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 15:39:05
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 3 Oct 2006 50,280 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!

From SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/14/2008 at 05:06 AM

Application Version : 4.0.1154

Core Rules Database Version : 3419
Trace Rules Database Version: 1411

Scan type : Complete Scan
Total Scan Time : 00:58:05

Memory items scanned : 369
Memory threats detected : 0
Registry items scanned : 4802
Registry threats detected : 0
File items scanned : 13801
File threats detected : 83

Adware.Tracking Cookie
C:\Documents and Settings\asd\Cookies\asd@richmedia.yahoo[1].txt
C:\Documents and Settings\asd\Cookies\asd@youporn[1].txt
C:\Documents and Settings\asd\Cookies\asd@www.burstnet[2].txt
C:\Documents and Settings\asd\Cookies\asd@bs.serving-sys[2].txt
C:\Documents and Settings\asd\Cookies\asd@ad1.clickhype[1].txt
C:\Documents and Settings\asd\Cookies\asd@ad.yieldmanager[2].txt
C:\Documents and Settings\asd\Cookies\asd@mediaplex[2].txt
C:\Documents and Settings\asd\Cookies\asd@msnportal.112.2o7[1].txt
C:\Documents and Settings\asd\Cookies\asd@indextools[2].txt
C:\Documents and Settings\asd\Cookies\asd@teenistcams.streamray[2].txt
C:\Documents and Settings\asd\Cookies\asd@adbrite[2].txt
C:\Documents and Settings\asd\Cookies\asd@vip2.clickzs[1].txt
C:\Documents and Settings\asd\Cookies\asd@image.masterstats[1].txt
C:\Documents and Settings\asd\Cookies\asd@AdRotator[3].txt
C:\Documents and Settings\asd\Cookies\asd@counter8.sextracker[1].txt
C:\Documents and Settings\asd\Cookies\asd@media.adrevolver[1].txt
C:\Documents and Settings\asd\Cookies\asd@yadro[1].txt
C:\Documents and Settings\asd\Cookies\asd@advertising[1].txt
C:\Documents and Settings\asd\Cookies\asd@doubleclick[1].txt
C:\Documents and Settings\asd\Cookies\asd@sextracker[2].txt
C:\Documents and Settings\asd\Cookies\asd@counter1.sextracker[1].txt
C:\Documents and Settings\asd\Cookies\asd@casalemedia[1].txt
C:\Documents and Settings\asd\Cookies\asd@2o7[1].txt
C:\Documents and Settings\asd\Cookies\asd@ads-dev.youporn[1].txt
C:\Documents and Settings\asd\Cookies\asd@ads.usercash[2].txt
C:\Documents and Settings\asd\Cookies\asd@cz8.clickzs[1].txt
C:\Documents and Settings\asd\Cookies\asd@hentaicounter[1].txt
C:\Documents and Settings\asd\Cookies\asd@thats****ed[1].txt
C:\Documents and Settings\asd\Cookies\asd@multiply.112.2o7[1].txt
C:\Documents and Settings\asd\Cookies\asd@atdmt[1].txt
C:\Documents and Settings\asd\Cookies\asd@statcounter[1].txt
C:\Documents and Settings\asd\Cookies\asd@cz2.clickzs[2].txt
C:\Documents and Settings\asd\Cookies\asd@4.adbrite[1].txt
C:\Documents and Settings\asd\Cookies\asd@3.adbrite[1].txt
C:\Documents and Settings\asd\Cookies\asd@serving-sys[2].txt
C:\Documents and Settings\asd\Cookies\asd@tribalfusion[1].txt
C:\Documents and Settings\asd\Cookies\asd@adultfriendfinder[1].txt
C:\Documents and Settings\asd\Cookies\asd@counter.hitslink[1].txt
C:\Documents and Settings\asd\Cookies\asd@apmebf[1].txt
C:\Documents and Settings\asd\Cookies\asd@www.fpctraffic2[1].txt
C:\Documents and Settings\asd\Cookies\asd@adultadworld[1].txt
C:\Documents and Settings\asd\Cookies\asd@revenue[2].txt
C:\Documents and Settings\asd\Cookies\asd@burstnet[1].txt
C:\Documents and Settings\asd\Cookies\asd@www.thats****ed[1].txt
C:\Documents and Settings\asd\Cookies\asd@ads.adgoto[2].txt
C:\Documents and Settings\asd\Cookies\asd@clicksor[2].txt
C:\Documents and Settings\lrs\Cookies\lrs@adinterax[2].txt
C:\Documents and Settings\lrs\Cookies\lrs@bs.serving-sys[2].txt
C:\Documents and Settings\lrs\Cookies\lrs@doubleclick[1].txt
C:\Documents and Settings\lrs\Cookies\lrs@questionmarket[1].txt
C:\Documents and Settings\lrs\Cookies\lrs@serving-sys[2].txt
C:\Documents and Settings\sd\Cookies\sd@ads.gamesbannernet[1].txt
C:\Documents and Settings\sd\Cookies\sd@2o7[1].txt
C:\Documents and Settings\sd\Cookies\sd@ad.yieldmanager[2].txt
C:\Documents and Settings\sd\Cookies\sd@adbrite[1].txt
C:\Documents and Settings\sd\Cookies\sd@adinterax[1].txt
C:\Documents and Settings\sd\Cookies\sd@adrevolver[2].txt
C:\Documents and Settings\sd\Cookies\sd@adrevolver[3].txt
C:\Documents and Settings\sd\Cookies\sd@ads.adbrite[2].txt
C:\Documents and Settings\sd\Cookies\sd@casalemedia[1].txt
C:\Documents and Settings\sd\Cookies\sd@adultadworld[2].txt
C:\Documents and Settings\sd\Cookies\sd@apmebf[2].txt
C:\Documents and Settings\sd\Cookies\sd@atdmt[2].txt
C:\Documents and Settings\sd\Cookies\sd@azjmp[1].txt
C:\Documents and Settings\sd\Cookies\sd@burstnet[2].txt
C:\Documents and Settings\sd\Cookies\sd@clicksor[2].txt
C:\Documents and Settings\sd\Cookies\sd@clicktorrent[2].txt
C:\Documents and Settings\sd\Cookies\sd@doubleclick[1].txt
C:\Documents and Settings\sd\Cookies\sd@eas.apm.emediate[2].txt
C:\Documents and Settings\sd\Cookies\sd@ehg-nokiafin.hitbox[2].txt
C:\Documents and Settings\sd\Cookies\sd@fastclick[2].txt
C:\Documents and Settings\sd\Cookies\sd@hentaicounter[2].txt
C:\Documents and Settings\sd\Cookies\sd@hitbox[1].txt
C:\Documents and Settings\sd\Cookies\sd@media.adrevolver[1].txt
C:\Documents and Settings\sd\Cookies\sd@msnportal.112.2o7[1].txt
C:\Documents and Settings\sd\Cookies\sd@questionmarket[2].txt
C:\Documents and Settings\sd\Cookies\sd@perf.overture[1].txt
C:\Documents and Settings\sd\Cookies\sd@tribalfusion[1].txt
C:\Documents and Settings\sd\Cookies\sd@revsci[2].txt
C:\Documents and Settings\sd\Cookies\sd@richmedia.yahoo[1].txt
C:\Documents and Settings\sd\Cookies\sd@server.cpmstar[2].txt
C:\Documents and Settings\sd\Cookies\sd@specificclick[1].txt
C:\Documents and Settings\sd\Cookies\sd@www.burstnet[1].txt

Veka · March 2008

Thanks. Post a new HijackThis log also, please.

panget · March 2008

Logfile of HijackThis v1.99.1
Scan saved at 3:59:15 AM, on 3/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\mdm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = HELLO WORLD i am VB
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [MSConfigs] C:\WINDOWS\RUNDLL64.dll.vbs
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE12\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Veka · March 2008

Please do a re-scan with SDFix in Safe Mode and post the results here.

Once you're back in normal mode, scan your computer with Kaspersky Online Scanner.

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

panget · March 2008

SDFix: Version 1.156

Run by asd on Sat 03/22/2008 at 03:44 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HKCU HomePage

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\o - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

http://www.gmer.net
Rootkit scan 2008-03-22 03:52:32
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 3 Oct 2006 50,280 A..H. --- "C:\Program Files\Common

Files\Adobe\ESD\DLMCleanup.exe"

Finished!

***

Kaspersky coming soon.

Veka · March 2008

Thank you, panget. I'm waiting the Kaspersky log.

Veka · April 2008

This topic is now closed due to inactivity.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

If you are not the user who started this thread, you must start your own Thread instead.

PC runs s-l-o-w-l-y

Comments