Guys, help on this: auto.exe in my drives. Cannot remove it since it keeps coming back after restart. Any suggestions? Avast cannot detect and remove it. Thanks.
You probably have a re-infector hidden elsewhere on your system, which will need to be removed. As Mauserme is away learning at the moment, I could help you. But first I would need to know what it is that you have.
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, DSS will open two Notepads, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
OK... will do as soon as I have finished repairing Windows... thanks.
Are you also familiar with the TTMS virus? Avast cannot remove it. I have removed it manually, but it would be nice if Avast could detect it and remove it on its own.
I think both TTMS (vbnokrupt) and auto.exe transfer to other PCs through a network connection or by using a flash drive/external disk...
Can you send the samples to virus@avast.com?
You can zip and password-protect the files... Include a link to this thread and the password used.
You can send the files to the Chest and, from there, resend them to Alwil for analysis.
Thanks for helping to improve avast detection.
Saturday, June 2nd, 2007: first notification.
It is a fairly new one that does not appear to be spreading that fast (yet). Please follow Tech's advice and upload the file to Avast.
The message exceeded the maximum allowable length when I pasted the text... can I send it to you through email instead?
No, but you can put it in multiple posts; that way everyone can observe what is happening.
main1
Deckard’s System Scanner v20070905.67
Run by jon on 2007-09-13 02:32:22
Computer is in Normal Mode.
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 2 Restore Point(s) --
2: 2007-09-12 18:32:27 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2007-09-12 18:23:20 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-13 02:33:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\smss.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\defragActivityMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Accelerator Professional\pcperf.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\tsnp2std.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\Ktp.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Jemman Files\Downloads\Utils\dss.exe
C:\Program Files\Real\RealPlayer\realplay.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jemman and Rizza Rules!!
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F0 - system.ini: Shell=explorer.exe "C:\WINDOWS\smss.exe"
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\smss.exe"
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe, c:\services.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKEY_LOCAL_MACHINE..\Run: [PCPerf] "C:\PROGRA~1\PCACCE~1\pcperf.exe"
O4 - HKEY_LOCAL_MACHINE..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [tsnp2std] C:\WINDOWS\system32\tsnp2std.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKEY_LOCAL_MACHINE..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE..\Run: [system] C:\WINDOWS\kernel32.ini
O4 - HKEY_LOCAL_MACHINE..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKEY_LOCAL_MACHINE..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKEY_LOCAL_MACHINE..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Ashampoo Magical Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: Unknown 'about' protocol is in Restricted Zone (HKEY_LOCAL_MACHINE)
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKEY_LOCAL_MACHINE)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe
main2
-- File Associations -----------------------------------------------------------
.ini - inifile - shell\open\command - "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 CPEb - c:\windows\system32\drivers\cpeb.sys <Not Verified; Compal; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 VMnetBridge (VMware Bridge Protocol) - c:\windows\system32\drivers\vmnetbridge.sys <Not Verified; VMware, Inc.; VMware Network Driver>
R2 VMnetuserif (VMware Network Application Interface) - c:\windows\system32\drivers\vmnetuserif.sys <Not Verified; VMware, Inc.; VMware Network Driver>
R2 vmx86 (VMware vmx86) - c:\windows\system32\drivers\vmx86.sys <Not Verified; VMware, Inc.; VMware Workstation>
R3 nhcDriverDevice (Notebook Hardware Control Driver) - c:\windows\system32\drivers\nhcdriver.sys <Not Verified; pBUS-167 Software - http://www.pbus-167.com; Notebook Hardware Control Driver>
S1 TPwSav (Common Driver) - c:\windows\system32\drivers\tpwsav.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 AshampooDefragService - c:\program files\ashampoo\ashampoo magical defrag\bin\adefragservice.exe <Not Verified; ; Ashampoo Magical Defrag>
S4 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
S4 VMAuthdService (VMware Authorization Service) - c:\program files\vmware\vmware workstation\vmware-authd.exe <Not Verified; VMware, Inc.; VMware Workstation>
S4 VMnetDHCP (VMware DHCP Service) - c:\windows\system32\vmnetdhcp.exe <Not Verified; VMware, Inc.; VMware Workstation>
S4 VMware NAT Service - c:\windows\system32\vmnat.exe <Not Verified; VMware, Inc.; VMware Workstation>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11g Network Adapter
Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&192AC53F&0&00E0
Manufacturer: Broadcom
Name: Broadcom 802.11g Network Adapter
PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&192AC53F&0&00E0
Service: BCM43XX
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Integrated Camera
Device ID: USB\VID_0C45&PID_624F\5&12245C4C&0&4
Manufacturer:
Name: Integrated Camera
PNP Device ID: USB\VID_0C45&PID_624F\5&12245C4C&0&4
Service: SNP2STD
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter
-- Files created between 2007-08-13 and 2007-09-13 -----------------------------
2007-09-13 02:15:19 0 d-------- C:\WINDOWS\Prefetch
2007-09-13 00:27:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-13 00:27:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-13 00:27:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-13 00:27:22 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-09-13 00:27:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-13 00:27:22 245760 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-13 00:27:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-13 00:27:22 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-13 00:27:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-13 00:27:22 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-13 00:27:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-13 00:27:22 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-13 00:27:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-13 00:27:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-13 00:27:14 0 d-------- C:\WINDOWS\CSC
2007-09-08 23:51:02 0 dr-h----- C:\Documents and Settings\jon\Recent
2007-09-06 09:14:53 0 d-------- C:\Documents and Settings\jon\Application Data\Help
2007-09-02 18:14:55 0 d-------- C:\Documents and Settings\jon\Application Data\Dev-Cpp
2007-09-02 18:14:30 0 d-------- C:\Dev-Cpp
2007-08-31 22:07:34 0 --a------ C:\s7o
2007-08-23 23:22:57 0 d-------- C:\Documents and Settings\jon\Application Data\Datalayer
2007-08-22 21:37:31 0 d-------- C:\Documents and Settings\jon\amaya
2007-08-22 21:37:19 0 d-------- C:\Program Files\Amaya
2007-08-17 15:32:48 0 d-------- C:\Documents and Settings\jon\Application Data\Skype
2007-08-17 15:32:37 0 d-------- C:\Program Files\Skype
2007-08-17 15:32:37 0 d-------- C:\Program Files\Common Files\Skype
2007-08-17 15:32:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
-- Find3M Report ---------------------------------------------------------------
2007-09-13 01:56:07 0 d-------- C:\Program Files\Movie Maker
2007-09-13 01:52:35 22748 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-13 01:52:06 0 d-------- C:\Program Files\Messenger
2007-09-13 01:52:03 0 d-------- C:\Program Files\Windows NT
2007-09-01 14:56:57 0 d-------- C:\Documents and Settings\jon\Application Data\VMware
2007-08-24 18:36:30 24 --a------ C:\WINDOWS\popcinfo.dat
2007-08-17 15:32:37 0 d-------- C:\Program Files\Common Files
2007-08-05 21:32:52 0 d-------- C:\Documents and Settings\jon\Application Data\Ahead
2007-08-03 10:40:05 0 d–h----- C:\Program Files\InstallShield Installation Information
2007-07-21 18:38:48 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-07-19 22:35:12 0 d-------- C:\Documents and Settings\jon\Application Data\Real
2007-07-19 22:33:36 0 d-------- C:\Program Files\Common Files\xing shared
2007-07-19 22:33:33 0 d-------- C:\Program Files\Common Files\Real
2007-07-15 09:56:27 0 d-------- C:\Documents and Settings\jon\Application Data\GameHouse
2007-07-15 09:56:23 0 d-------- C:\Program Files\GameHouse
2007-07-15 09:56:11 0 d-------- C:\Program Files\Google
2007-07-14 02:51:51 0 d-------- C:\Program Files\Notebook Hardware Control
2007-07-14 02:41:38 0 d-------- C:\Documents and Settings\jon\Application Data\Lavasoft
2007-07-14 01:57:51 0 d-------- C:\Documents and Settings\jon\Application Data\GRETECH
2007-07-14 01:57:39 0 d-------- C:\Program Files\GRETECH
2007-07-10 12:26:44 36864 --a------ C:\WINDOWS\system32\CPEbLib.DLL <Not Verified; ; EBLibA30 Dynamic Link Library>
2007-07-01 17:05:38 4096 --a------ C:\WINDOWS\d3dx.dat
2007-06-28 10:45:02 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-27 06:52:58 678912 --a------ C:\WINDOWS\is-3H5GD.exe <Not Verified; ; Inno Setup>
2007-06-27 06:29:46 46 --a------ C:\CONFIG.SYS
2007-06-27 02:35:09 62 --ahs---- C:\Documents and Settings\jon\Application Data\desktop.ini
2007-06-26 19:04:04 5536 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-26 18:48:15 0 --a------ C:\MSDOS.SYS
2007-06-26 18:48:15 0 -rahs---- C:\IO.SYS
2007-06-26 18:48:15 0 --a------ C:\AUTOEXEC.BAT
main3
-- Registry Dump ---------------------------------------------------------------
Note: empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCPerf"="C:\PROGRA~1\PCACCE~1\pcperf.exe" [05/19/2006 12:00 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/28/2007 06:03 AM]
"tsnp2std"="C:\WINDOWS\system32\tsnp2std.exe" [06/14/2006 07:20 PM]
"NotebookHardwareControl"="C:\Program Files\Notebook Hardware Control\nhc.exe" [05/04/2007 08:33 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/19/2007 10:33 PM]
"system"="C:\WINDOWS\kernel32.ini" [04/02/2007 10:51 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 11:17 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 11:13 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 11:17 AM]
"AGRSMMSG"="AGRSMMSG.exe" [12/12/2005 01:50 PM C:\WINDOWS\AGRSMMSG.exe]
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [03/29/2006 01:36 AM]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [05/15/2006 03:52 PM]
"RTHDCPL"="RTHDCPL.EXE" [02/27/2006 11:28 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/04/2005 12:43 AM C:\WINDOWS\Alcmtr.exe]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k"
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Ashampoo Magical Defrag.lnk - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe [6/28/2007 12:06:14 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoSecCPL"=0 (0x0)
"NoConfigPage"=0 (0x0)
"NoVirtMemPage"=0 (0x0)
"NoDevMgrPage"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"NoCommonGroups"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)
"NoLowDiskSpaceChecks"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoSharedDocuments"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"LockTaskbar"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoStartMenuEjectPC"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"ForceStartMenuLogoff"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"DisablePersonalDirChange"=0 (0x0)
"DisableMyPicturesDirChange"=0 (0x0)
"DisableMyMusicDirChange"=0 (0x0)
"DisableFavoritesDirChange"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoWindowsUpdate"=1 (0x1)
"GreyMSIAds"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoPropertiesRecycleBin"=0 (0x0)
"Run"=1 (0x1)
"NoFolderOptions"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
@=C:\WINDOWS\system32\msarti.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)
"NoActiveDesktopChanges"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=1 (0x1)
"NoSMHelp"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoResolveTrack"=1 (0x1)
"NoInstrumentation"=0 (0x0)
"NoRun"=0 (0x0)
"NoStartBanner"=01000000
"NoFileUrl"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoDFSTab"=0 (0x0)
"NoSecurityTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoResolveSearch"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoSharedDocuments"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"LockTaskbar"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
main4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe "C:\WINDOWS\smss.exe""
"Userinit"="c:\windows\system32\userinit.exe, c:\services.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CASS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
"C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KTPWare]
C:\Program Files\Elantech\ktp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)
"EvtEng"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ose"=3 (0x3)
"IDriverT"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f7084-2629-11dc-bc18-8ea4a2b2973a}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a8e4680-2654-11dc-bc1c-c738bc0e103a}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c42b9d5-2412-11dc-8082-806d6172696f}]
- C:\auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c42b9d6-2412-11dc-8082-806d6172696f}]
- D:\auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c42b9d7-2412-11dc-8082-806d6172696f}]
- E:\auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c42b9d8-2412-11dc-8082-806d6172696f}]
- F:\auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8afdf8a4-2d0b-11dc-bc37-cf4e2072fb3d}]
- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8dcfb36a-2635-11dc-bc19-cab47021b35b}]
- H:\infrom.exe
-- Hosts -----------------------------------------------------------------------
127.0.0.1 pop3.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
127.0.0.1 pop3.spa.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
-- End of Deckard's System Scanner: finished at 2007-09-13 02:36:13 ------------
extra1
Deckard’s System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Genuine Intel(R) CPU T1080 @ 1.73GHz
CPU 1: Genuine Intel(R) CPU T1080 @ 1.73GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 1014.04 MiB / 680.83 MiB
Pagefile Memory (total/avail): 2444.61 MiB / 2152.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1960.67 MiB
C: is Fixed (NTFS) - 14.65 GiB total, 8.82 GiB free.
D: is Fixed (NTFS) - 14.65 GiB total, 12 GiB free.
E: is Fixed (NTFS) - 24.41 GiB total, 13.76 GiB free.
F: is Fixed (NTFS) - 20.81 GiB total, 2.27 GiB free.
G: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - FUJITSU MHW2080BH - 74.53 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 14.65 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 59.87 GiB - D: - E: - F:
-- Security Center -------------------------------------------------------------
AUOptions is disabled.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.
AV: avast! antivirus 4.7.1029 [VPS 000773-3] v4.7.1029 (ALWIL Software)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jon\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JJSFERNANDEZ
ComSpec=C:\WINDOWS\system32\cmd.exe
DEVMGR_SHOW_NONPRESENT_DEVICES=0
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jon
LOGONSERVER=\\JJSFERNANDEZ
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 12, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e0c
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jon\LOCALS~1\Temp
TMP=C:\DOCUME~1\jon\LOCALS~1\Temp
USERDOMAIN=JJSFERNANDEZ
USERNAME=jon
USERPROFILE=C:\Documents and Settings\jon
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
jon
Administrator (new local, admin)
-- Add/Remove Programs ---------------------------------------------------------
→ C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
→ C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
→ C:\WINDOWS\UNNeroVision.exe /UNINSTALL
→ C:\WINDOWS\UNNMP.exe /UNINSTALL
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal → C:\PROGRA~1\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE C:\PROGRA~1\Lavasoft\Ad-Aware SE Personal\INSTALL.LOG
Adobe Flash Player ActiveX → C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin → C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Advanced Office Password Recovery (remove only) → C:\Program Files\ElcomSoft\AOPR\uninstall.exe
Agere Systems HDA Modem → agrsmdel
Amaya → "C:\Program Files\Amaya\Uninstall.exe"
Ashampoo Magical Defrag → "C:\Program Files\Ashampoo\Ashampoo Magical Defrag\Uninstall\0044_Uninstall.EXE"
Ashampoo WinOptimizer Platinum 3 → "C:\Program Files\Ashampoo\Ashampoo WinOptimizer Platinum 3\Uninstall\WOP3_Uninstall.exe"
avast! Antivirus → rundll32 "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Broadcom 802.11 Network Adapter → "C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter"
Dev-C++ 5 beta 9 release (4.9.9.2) → “C:\Dev-Cpp\uninstall.exe”
DivX → C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player → C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player → C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
GOM Player → "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Google Toolbar for Internet Explorer → regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Integrated Camera → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\Setup.exe" -l0x9
Intel(R) Graphics Media Accelerator Driver → RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel(R) Processor ID Utility → MsiExec.exe /X{A92A4DB0-CD37-42D1-BE1D-603D53C24328}
Intel(R) PROSet/Wireless Software → C:\WINDOWS\Installer\iProInst.exe
KTP Ware PS/2-WDM 5.0.3.6 → rundll32.exe "C:\Program Files\Elantech\KTUninst.dll",KTech_Uninstall 0
mCore → MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver → MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi → MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU → MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp → MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Office Professional Edition 2003 → MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
mIWA → MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView → MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse → MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.6) → C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr → MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz → MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe → MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe → MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML → MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig → MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero Suite → C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
Nokia Connectivity Cable Driver → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{3C1599DA-9ED9-4090-930F-B8BC4D99D6B0}
Nokia PC Suite → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{FBD6A335-7E02-43B0-AF58-1B472F9BD3E1}
Notebook Hardware Control 2.0 Pre-Release-06 → C:\Program Files\Notebook Hardware Control\uninst.exe
Passware Kit Enterprise 7.3 → C:\Program Files\Passware\un-kit_ent.exe
PowerDVD → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe” -uninstall
RealPlayer → C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver → RtlUpd.exe -r -m
Registry Mechanic 5.2 → “C:\Program Files\Registry Mechanic\unins000.exe”
Skype™ 3.5 → MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Smartalec PC Accelerator 2007 Professional Suite 1.1 → “C:\Program Files\PC Accelerator Professional\setup\uninst.exe”
VistaMizer 1.1.6 → C:\WINDOWS\VistaMizer\Uninstall.exe
VMware Workstation → MsiExec.exe /I{98D1A713-438C-4A23-8AB6-41B37C4A2D47}
Winamp (remove only) → “C:\Program Files\Winamp\UninstWA.exe”
Windows Registry Guide 2003 → “C:\Program Files\WinGuides\unins000.exe”
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe
extra2
– Application Event Log -------------------------------------------------------
Event Record #/Type3690 / Error
Event Submitted/Written: 09/13/2007 02:34:16 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt with error: 407 (HTTP Response Status)
Event Record #/Type3684 / Error
Event Submitted/Written: 09/13/2007 02:26:06 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.
Event Record #/Type3683 / Error
Event Submitted/Written: 09/13/2007 02:26:06 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070422 from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Event Record #/Type3673 / Warning
Event Submitted/Written: 09/13/2007 01:59:00 AM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
Event Record #/Type3672 / Warning
Event Submitted/Written: 09/13/2007 01:59:00 AM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
– Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
– System Event Log ------------------------------------------------------------
Event Record #/Type5040 / Warning
Event Submitted/Written: 09/13/2007 02:27:57 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016D4CBB2D3. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type5024 / Error
Event Submitted/Written: 09/13/2007 02:26:11 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “%%1058” attempting to start the service EventSystem with arguments “”
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
Event Record #/Type5023 / Error
Event Submitted/Written: 09/13/2007 02:26:06 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “%%1058” attempting to start the service EventSystem with arguments “”
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
Event Record #/Type5011 / Error
Event Submitted/Written: 09/13/2007 02:23:49 AM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.
Event Record #/Type5010 / Error
Event Submitted/Written: 09/13/2007 02:23:48 AM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.
– End of Deckard’s System Scanner: finished at 2007-09-13 02:36:13 ------------
Hi bokang,
C:\WINDOWS\smss.exe
C:\WINDOWS\kernel32.ini
Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis. Post the results here.
If confirmed as malware, please send the files to virus[at]avast.com in a password-protected archive, mentioning the password in the email.
If you know what you’re doing, you can adapt the solution here to suit your computer. If you’re not sure, wait for essexboy to cut and paste a bespoke solution. The VirusTotal result will allow us to recommend which anti-malware products might remove the malware automatically, if you prefer to do it that way.
virus files:
hidden in each drive and in windows folder…
auto.exe
.exe
services.exe
have removed them including the registry but keeps on coming back since I can't remove services.exe from windows folder as it seems to be running and taskman cannot end process…
will try it using safemode…
if anyone knew how to remove this, pls post. thanks…
essexboy I’m counting on you…
Those are not the only virus files. C:\WINDOWS\smss.exe and C:\WINDOWS\kernel32.ini are also infected. You need to submit them to VirusTotal and avast! as instructed in my previous post. You could try a manual removal with HijackThis! Run HijackThis! again, tick the following entries, close all other windows, then click ‘fix’. Reboot into Safe Mode and delete the files. If the files persist, you could try OTMoveIt as described in the thread I linked to previously.
C:\WINDOWS\smss.exe
F0 - system.ini: Shell=explorer.exe "C:\WINDOWS\smss.exe"
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\smss.exe"
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe, c:\services.exe,
O4 - HKEY_LOCAL_MACHINE\..\Run: [system] C:\WINDOWS\kernel32.ini
You could also try some online scanners:
(Disable avast! while scanning.)
OK lets go for the first stage kill. Avast will need copies of those files before they are killed so that they can update the detections once they are uploaded
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
F0 - system.ini: Shell=explorer.exe "C:\WINDOWS\smss.exe"
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\smss.exe"
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe, c:\services.exe,
O4 - HKEY_LOCAL_MACHINE\..\Run: [tsnp2std] C:\WINDOWS\system32\tsnp2std.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [system] C:\WINDOWS\kernel32.ini
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
THEN
Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\tsnp2std.exe
c:\services.exe
C:\WINDOWS\kernel32.ini
C:\auto.exe
D:\auto.exe
E:\auto.exe
F:\auto.exe
H:\infrom.exe
Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
THEN
WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine
First we must back up the entire registry. To do this:
REGISTRY BACKUP
Go START > RUN and type in REGEDIT then press your enter key.
When Regedit is open ensure that ‘my computer’ is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the ‘all’ button at the bottom of the screen to backup the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file). I would suggest the Desktop.
Choose the FILE NAME as Oldreg
In the drop down box called SAVE AS TYPE select registration files (*.reg).
Then click SAVE
This will create a file on your desktop called Oldreg.reg
http://img127.imageshack.us/img127/433/regtg8.jpg
REGISTRY FIX
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f7084-2629-11dc-bc18-8ea4a2b2973a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a8e4680-2654-11dc-bc1c-c738bc0e103a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c42b9d5-2412-11dc-8082-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c42b9d6-2412-11dc-8082-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c42b9d7-2412-11dc-8082-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c42b9d8-2412-11dc-8082-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8afdf8a4-2d0b-11dc-bc37-cf4e2072fb3d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8dcfb36a-2635-11dc-bc19-cab47021b35b}]
Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg
To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.
FINALLY
Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
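Added example, not from this thread and not part of HijackThis or avast!: a small Python check that parses F0/F2 lines like the ones quoted in the two fixes above and reports what has been appended to the Winlogon Shell and UserInit values beyond the explorer.exe and userinit.exe that Windows XP sets itself. The sample lines are constructed from this thread's entries; the regex and the EXPECTED table are assumptions for this example.

```python
"""Flag extra executables in Winlogon Shell/UserInit entries (constructed example)."""
import re
from typing import List, Optional

# Values Windows XP sets itself; anything else in these entries is worth a look.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# Matches HijackThis F0/F2 lines such as: F2 - REG:system.ini: Shell=explorer.exe ...
HJT_LINE = re.compile(
    r"^F\d\s*-\s*(?:REG:)?system\.ini:\s*(Shell|UserInit)=(.*)$", re.IGNORECASE
)


def _tokens(value: str, sep: str) -> List[str]:
    """Split a registry value on `sep`, honouring double-quoted paths (straight or curly)."""
    out, cur, quoted = [], [], False
    for ch in value:
        if ch in '"\u201c\u201d':
            quoted = not quoted
        elif ch == sep and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return [t.strip() for t in out if t.strip()]


def unexpected_entries(name: str, value: str) -> List[str]:
    """Return the entries in a Shell or UserInit value that Windows did not put there."""
    key = name.lower()
    sep = "," if key == "userinit" else " "  # UserInit is comma-separated, Shell space-separated
    return [t for t in _tokens(value, sep) if t.lower() not in EXPECTED[key]]


def check_hjt_line(line: str) -> Optional[List[str]]:
    """Parse one HijackThis F0/F2 line; None if the line is not one of those."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return unexpected_entries(m.group(1), m.group(2))


if __name__ == "__main__":
    # Constructed sample lines, modelled on the HijackThis entries quoted in this thread.
    SAMPLE = [
        'F0 - system.ini: Shell=explorer.exe "C:\\WINDOWS\\smss.exe"',
        "F2 - REG:system.ini: UserInit=c:\\windows\\system32\\userinit.exe, c:\\services.exe,",
        "F2 - REG:system.ini: Shell=explorer.exe",
    ]
    for line in SAMPLE:
        print(line, "->", check_hjt_line(line))
```

An empty list means the entry holds only what Windows itself writes; anything returned is the extra program the fix above removes from that value.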
how to disable avast while scanning online?
Right click the ‘a’ blue icon and choose the last (bottom) option (Stop on-access protection).