Help... OLDMAN, I'm creating a new thread as advised by you

I can’t say with 100% certainty that it worked completely, but you are going to help me find out. ;D 8)

After the 2 little quick fixes, I want you to do the manual procedure that you did before, making changes as needed.

It did remove kavo.exe, but left a kavo.dll. Or else the .dll was recreated. Looking at the time stamp it may have been just an old one. It also left the mount points, which we can remove. The tool does seem to have some use. With your help we’ll find out how much.

For now we’ll do the following.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\kavo0.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new DSS log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now do the following registry fix.

Back up your registry with ERUNT first.

WARNING: these fixes are designed for this user only and may cause damage if run on an uninfected machine.

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44aec12e-803c-11dc-ac38-000b6b581de1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d8963b4-9976-11dc-aee9-000b6b581de1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fbc6c60-9713-11dc-aedf-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b925cbac-8af4-11dc-ac5e-000b6b581de1}]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg.
Make sure the Save In box is set to Desktop.
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right-click the icon and select Merge, accept the warning if it appears, and you are done.

Do the manual reset of the registry keys that you did before.

Also find and remove all the AUTORUN.INF files per the instructions you found earlier.

I just want to verify that the program you used did reset all the registry keys and removed the autorun.inf.

Turn off System Restore and reboot your computer. Do not use any USB storage devices for now; I’m interested in how well this program works. We’ll look at your USB after.

After you reboot, run DSS again and post the log. No need for a HijackThis log.

If you have any problems, let me know.

Hi Oldman,

Initially it didn’t manage to erase the kavo.dll in C:\Windows\Prefetch, but a few hours later the autorun came up again.

But this time it only showed as autorun.inf, without the drive letter G, and avast managed to catch it and move it into the chest. It only ran once.

After it had been successfully moved into the chest by avast, the kavo.dll in C:\Windows\Prefetch no longer existed.

It seems to have been quite successful in killing this kavo.

I’ll try to download OTMoveIt as per your instructions to confirm the effectiveness of this kavo remover file.

I will submit my report to you again once I’ve finished the scanning.

Thanks, Oldman, for your effort and time going through my log file.

Regards
michaelong

Deckard’s System Scanner v20071014.68
Run by myself on 2007-11-28 14:58:25
Computer is in Normal Mode.

System Drive C: has 3.23 GiB (less than 15%) free.

-- HijackThis (run as myself.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:26 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\myself\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\myself.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193064255312
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


End of file - 7857 bytes

-- Files created between 2007-10-28 and 2007-11-28 -----------------------------

2007-11-27 21:31:16 0 d-------- C:\EFix
2007-11-27 09:12:34 0 d-------- C:\Program Files\Trend Micro
2007-11-27 07:36:59 0 d-------- C:\My Downloads
2007-11-27 07:36:57 0 d-------- C:\Program Files\BearFlix
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-26 09:15:36 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-11-26 09:15:36 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-26 09:15:35 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-26 09:15:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-19 19:26:12 0 d-------- C:\Program Files\WM Converter
2007-11-16 19:01:40 0 d-------- C:\Program Files\ms 10
2007-11-16 05:13:13 0 d-------- C:\Program Files\m
2007-11-12 01:16:51 0 d-------- C:\Program Files\FlashGet
2007-11-10 09:27:49 0 d-------- C:\Program Files\Common Files\DirectX
2007-11-10 09:24:30 0 d-------- C:\Program Files\Paris-Dakar Rally
2007-11-08 08:14:13 0 d-------- C:\Program Files\Xider
2007-11-03 00:27:39 0 d-------- C:\Program Files\Apple Software Update
2007-11-03 00:27:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-02 03:15:45 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-11-02 03:15:45 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-11-01 02:25:16 0 d-------- C:\Program Files\Global Star Software
2007-10-31 08:50:14 0 d-------- C:\Documents and Settings\myself\Application Data\SEGA
2007-10-31 07:39:08 0 d-------- C:\TODC
2007-10-31 07:32:38 0 d-------- C:\死亡鬼屋
2007-10-31 07:25:31 0 d-------- C:\HOD3
2007-10-28 17:26:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-10-28 17:05:53 0 d-------- C:\Documents and Settings\myself\Application Data\EA
2007-10-28 17:05:45 0 d-------- C:\Documents and Settings\All Users\Application Data\EA
2007-10-28 16:57:11 0 d-------- C:\Program Files\BFG
2007-10-28 01:43:18 0 dr------- C:\Program Files\nepal_everest
2007-10-28 01:26:52 0 dr------- C:\Program Files\mike holidays
2007-10-28 01:15:31 0 d-------- C:\notes 20_10
2007-10-28 00:26:03 0 dr------- C:\Program Files\wmv
2007-10-28 00:02:05 0 d-------- C:\Program Files\video hp

-- Find3M Report ---------------------------------------------------------------

2007-11-25 10:25:50 46 --a------ C:\WINDOWS\popcinfo.dat
2007-10-27 23:46:12 0 d-------- C:\Program Files\video
2007-10-25 13:03:44 4096 --a------ C:\WINDOWS\d3dx.dat
2007-10-25 09:06:02 0 dr------- C:\Program Files\ad onli
2007-10-25 08:54:28 0 d-------- C:\Program Files\PopCap Games
2007-10-25 08:44:24 0 d-------- C:\Program Files\reflexive games
2007-10-25 08:36:26 0 d-------- C:\Program Files\GameHouse
2007-10-24 19:32:40 0 d-------- C:\Documents and Settings\myself\Application Data\Apple Computer
2007-10-24 18:24:22 0 dr------- C:\Program Files\scenery
2007-10-24 18:22:30 0 dr------- C:\Program Files\eqtc edu
2007-10-24 18:12:58 0 d-------- C:\Program Files\ReflexiveArcade
2007-10-24 17:53:22 0 dr------- C:\Program Files\songs
2007-10-24 09:50:44 0 d-------- C:\Documents and Settings\myself\Application Data\Talkback
2007-10-24 09:50:34 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-24 09:50:30 0 d-------- C:\Documents and Settings\myself\Application Data\Mozilla
2007-10-24 09:48:10 0 d-------- C:\Program Files\Windows Media Connect 2
2007-10-24 09:38:52 0 d-------- C:\Program Files\mIRC
2007-10-24 09:38:12 0 d-------- C:\Program Files\Yahoo!
2007-10-24 09:37:08 0 d-------- C:\Program Files\MSN Messenger
2007-10-24 09:35:16 0 d-------- C:\Documents and Settings\myself\Application Data\ICQ
2007-10-24 09:34:58 0 d-------- C:\Program Files\ICQ6
2007-10-24 09:34:30 0 d-------- C:\Documents and Settings\myself\Application Data\InstallShield
2007-10-24 09:33:30 0 d-------- C:\Program Files\Common Files\Java
2007-10-23 01:38:26 0 d-------- C:\Documents and Settings\myself\Application Data\Macromedia
2007-10-23 01:13:44 278528 --a------ C:\WINDOWS\system32\livesnth.dll <Not Verified; LiveUpdate; LiveSynth>
2007-10-23 01:13:44 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2007-10-22 09:22:10 0 d-------- C:\Program Files\QuickTime
2007-10-22 09:20:58 0 d-------- C:\Program Files\Common Files\xing shared
2007-10-22 09:20:48 0 d-------- C:\Program Files\Real
2007-10-22 09:20:48 0 d-------- C:\Program Files\Common Files\Real
2007-10-22 09:20:38 0 d-------- C:\Documents and Settings\myself\Application Data\Real
2007-10-22 09:19:12 0 d-------- C:\Documents and Settings\myself\Application Data\Skype
2007-10-22 09:19:08 0 d-------- C:\Program Files\Google
2007-10-22 09:19:04 0 d-------- C:\Program Files\Skype
2007-10-22 09:19:02 0 d-------- C:\Program Files\Common Files\Skype
2007-10-22 09:18:08 0 d-------- C:\Program Files\Lavasoft
2007-10-22 09:17:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 09:16:06 0 d-------- C:\Program Files\Alwil Software
2007-10-22 08:04:02 0 d-------- C:\Program Files\WIDCOMM
2007-10-22 08:03:24 0 d-------- C:\Program Files\ATI Technologies
2007-10-21 18:39:50 0 d-------- C:\Documents and Settings\myself\Application Data\Google

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"SoundMan"="SOUNDMAN.EXE" [02/09/2004 04:54 PM C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [11/19/2003 03:41 PM C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03/12/2004 12:15 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/12/2004 12:14 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [10/02/2003 02:37 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/02/2003 02:19 PM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 04:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ShowIcon_Chander_CRW Series Driver v1.17r019"="C:\Program Files\CRW\shwicon.exe" [01/09/2003 12:05 AM]
"PCMService"="C:\Program Files\Aspire Arcade\PCMService.exe" [03/25/2004 06:41 PM]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE" [04/05/2004 09:46 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/22/2004 09:10 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:32 PM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [03/31/2003 12:00 PM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 12:00 PM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 12:00 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/23/2007 07:58 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

C:\Documents and Settings\myself\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [8/14/2003 1:28:28 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d8963b4-9976-11dc-aee9-000b6b581de1}]

  • F:\ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b925cbac-8af4-11dc-ac5e-000b6b581de1}]
open\Command- F:\ntdelect.com

-- End of Deckard's System Scanner: finished at 2007-11-28 14:58:53 ------------

Hi Oldman,

I’ve done as instructed by you: running OTMoveIt, followed by pasting in the kavo file, which is no longer found by OTMoveIt, fixing the registry with the key you provided, followed by running DSS.

During the initial report from DSS, it found the autorun file in my E drive (I formatted it earlier because I couldn’t access it), and I deleted the whole folder that contained the autorun.inf.

I also deleted those autorun files which were found in the MountPoints2 section, but during the course of deletion I may have erased one of the registry keys.

I also noticed a lot of those ntdelect.com keys in the registry. Not sure if I should erase them or not, but I deleted them somehow.

After rebooting and scanning and deleting several times, the ntdelect.com keys were found in the Windows keys that you provided, but I’m not deleting them because those registry keys were given to you by me.

In my last report, there are remainders of ntdelect.com in the Windows registry keys that you gave, which I left for you to study.

Hope this information might help you locate the error or damage that I’ve done to my registry keys.

Currently my Windows boots without error and seems to be quite fast too.

A million thanks to you, Oldman, for all the painstaking work I’m causing you.

With best regards
michaelong

Hi michaelong,

Please follow the instructions for manual cleanup of the keys as outlined here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ONLINEG.JRC&VSect=Sn

Some keys will already have been changed, but change the ones that haven’t been.

One more registry fix; just do it like you did before.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d8963b4-9976-11dc-aee9-000b6b581de1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b925cbac-8af4-11dc-ac5e-000b6b581de1}]

Do the manual cleanup of the keys first, OK?

After you are done, please post one more DSS scan.
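The two REGEDIT4 fixes in this thread (the first post's fix.reg and the follow-up above) are hand-written from the GUIDs in the DSS Registry Dump. As an added example, not the helper's, OldTimer's or Trend Micro's code, the Python below does that triage from a Regedit export of the MountPoints2 branch: it flags every {GUID} subkey whose Shell\<verb>\command default value launches an executable sitting in a drive root (the F:\ntdelect.com pattern in the log), writes the matching [-key] deletion file, and reads the open=, shellexecute= and shell\<verb>\command= lines out of an autorun.inf of the kind the thread has the user deleting by hand. The MountPoints2\{GUID}\Shell\<verb>\command layout is assumed from the standard XP structure rather than taken from the thread; the sample export is constructed, reusing the two GUIDs from the DSS log plus one made-up clean mount point, and the autorun.inf is constructed too.

```python
import re
from typing import Dict, Iterable, List

# Added example for this thread, not the helper's or OldTimer's code. Assumed (standard
# XP) layout: MountPoints2\{GUID}\Shell\<verb>\command, default value = path launched.
MOUNTPOINTS2 = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                r"\Explorer\MountPoints2")

# Launch target that is an executable directly in a drive root, as F:\ntdelect.com
# in the log. Triage heuristic only: a legitimate CD autorun (D:\setup.exe) matches too.
ROOT_EXEC = re.compile(r'^"?[A-Za-z]:\\[^\\"]+\.(exe|com|bat|cmd|pif|scr|vbs)"?', re.I)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Regedit export (REGEDIT4 or 5.00 header) into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')  # '@' names the key's default value
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape \\ and \"
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def suspicious_mountpoints(keys: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each MountPoints2 {GUID} to its Shell\\<verb>\\command drive-root targets."""
    hits: Dict[str, List[str]] = {}
    prefix = MOUNTPOINTS2.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")  # [GUID, 'Shell', verb, 'command']
        if (len(parts) >= 4 and parts[1].lower() == "shell"
                and parts[-1].lower() == "command"):
            target = values.get("@", "")
            if ROOT_EXEC.match(target):
                hits.setdefault(parts[0], []).append(target.strip('"'))
    return hits


def build_fix_reg(guids: Iterable[str]) -> str:
    """REGEDIT4 text deleting each subkey; '-' after '[' tells Regedit to delete."""
    lines = ["REGEDIT4", ""]
    for guid in sorted(guids):
        lines += [f"[-{MOUNTPOINTS2}\\{guid}]", ""]
    return "\r\n".join(lines)  # .reg files are CRLF text


def autorun_targets(inf_text: str) -> List[str]:
    """Distinct files an autorun.inf launches (open=, shellexecute=, shell\\*\\command=)."""
    seen: Dict[str, None] = {}
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().lower()
        if name in ("open", "shellexecute") or (
                name.startswith("shell\\") and name.endswith("\\command")):
            seen.setdefault(value.strip(), None)
    return list(seen)


# Constructed sample export: the two hijacked GUIDs from the thread's DSS log plus
# one made-up clean mount point that must not end up in the fix.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d8963b4-9976-11dc-aee9-000b6b581de1}\Shell\AutoRun\command]
@="F:\\ntdelect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b925cbac-8af4-11dc-ac5e-000b6b581de1}\Shell\open\command]
@="F:\\ntdelect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
"BaseClass"="Drive"
"""

# Constructed autorun.inf in the style the worm drops on removable drives.
SAMPLE_AUTORUN = """[AutoRun]
open=ntdelect.com
shell\\open\\Command=ntdelect.com
shellexecute=ntdelect.com
"""

if __name__ == "__main__":
    hits = suspicious_mountpoints(parse_reg_export(SAMPLE_REG))
    print(build_fix_reg(hits))
    print("autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN))
```

Run as a script it prints a fix.reg body of the same form as the two posted above, naming only the two hijacked GUIDs and leaving the clean mount point alone. The drive-root rule is for triage, not a verdict, so read the list before merging, and, as the helper says, back the registry up with ERUNT first.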

Hi Oldman,

I’ve done the manual fix as guided by

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ONLINEG.JRC&VSect=Sn

and found that only the Hidden and autorun values were changed; the rest remained intact.

Instead of manual cleanup of this ntdelect.com key, I went to the extent of deleting the whole registry key that was quoted by you, thinking that I’d be able to restore it.

Unfortunately the registry keys that you provided,

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d8963b4-9976-11dc-aee9-000b6b581de1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b925cbac-8af4-11dc-ac5e-000b6b581de1}]

were lost and I’m unable to restore them.

I’m submitting my latest DSS log file to you as requested.

Deckard’s System Scanner v20071014.68
Run by myself on 2007-11-29 04:09:13
Computer is in Normal Mode.

System Drive C: has 1.49 GiB (less than 15%) free.

-- HijackThis (run as myself.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:20 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\myself\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\myself.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193064255312
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


End of file - 7947 bytes

-- Files created between 2007-10-29 and 2007-11-29 -----------------------------

2007-11-28 16:31:52 0 d-------- C:\Program Files\Burn
2007-11-28 16:31:18 17408 --a------ C:\psapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-27 21:31:16 0 d-------- C:\EFix
2007-11-27 09:12:34 0 d-------- C:\Program Files\Trend Micro
2007-11-27 07:36:59 0 d-------- C:\My Downloads
2007-11-27 07:36:57 0 d-------- C:\Program Files\BearFlix
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-26 09:15:36 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-11-26 09:15:36 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-26 09:15:35 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-26 09:15:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-19 19:26:12 0 d-------- C:\Program Files\WM Converter
2007-11-16 19:01:40 0 d-------- C:\Program Files\ms 10
2007-11-16 05:13:13 0 d-------- C:\Program Files\m
2007-11-12 01:16:51 0 d-------- C:\Program Files\FlashGet
2007-11-10 09:27:49 0 d-------- C:\Program Files\Common Files\DirectX
2007-11-10 09:24:30 0 d-------- C:\Program Files\Paris-Dakar Rally
2007-11-08 08:14:13 0 d-------- C:\Program Files\Xider
2007-11-03 00:27:39 0 d-------- C:\Program Files\Apple Software Update
2007-11-03 00:27:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-02 03:15:45 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-11-02 03:15:45 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-11-01 02:25:16 0 d-------- C:\Program Files\Global Star Software
2007-10-31 08:50:14 0 d-------- C:\Documents and Settings\myself\Application Data\SEGA
2007-10-31 07:39:08 0 d-------- C:\TODC
2007-10-31 07:32:38 0 d-------- C:\ËÀÍö¹íÎÝ
2007-10-31 07:25:31 0 d-------- C:\HOD3

-- Find3M Report ---------------------------------------------------------------

2007-11-25 10:25:50 46 --a------ C:\WINDOWS\popcinfo.dat
2007-10-28 17:05:54 0 d-------- C:\Documents and Settings\myself\Application Data\EA
2007-10-28 16:57:12 0 d-------- C:\Program Files\BFG
2007-10-28 01:43:20 0 dr------- C:\Program Files\nepal_everest
2007-10-28 01:28:48 0 dr------- C:\Program Files\mike holidays
2007-10-28 00:50:56 0 dr------- C:\Program Files\wmv
2007-10-28 00:02:06 0 d-------- C:\Program Files\video hp
2007-10-27 23:46:12 0 d-------- C:\Program Files\video
2007-10-25 13:03:44 4096 --a------ C:\WINDOWS\d3dx.dat
2007-10-25 09:06:02 0 dr------- C:\Program Files\ad onli
2007-10-25 08:54:28 0 d-------- C:\Program Files\PopCap Games
2007-10-25 08:44:24 0 d-------- C:\Program Files\reflexive games
2007-10-25 08:36:26 0 d-------- C:\Program Files\GameHouse
2007-10-24 19:32:40 0 d-------- C:\Documents and Settings\myself\Application Data\Apple Computer
2007-10-24 18:24:22 0 dr------- C:\Program Files\scenery
2007-10-24 18:22:30 0 dr------- C:\Program Files\eqtc edu
2007-10-24 18:12:58 0 d-------- C:\Program Files\ReflexiveArcade
2007-10-24 17:53:22 0 dr------- C:\Program Files\songs
2007-10-24 09:50:44 0 d-------- C:\Documents and Settings\myself\Application Data\Talkback
2007-10-24 09:50:34 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-24 09:50:30 0 d-------- C:\Documents and Settings\myself\Application Data\Mozilla
2007-10-24 09:48:10 0 d-------- C:\Program Files\Windows Media Connect 2
2007-10-24 09:38:52 0 d-------- C:\Program Files\mIRC
2007-10-24 09:38:12 0 d-------- C:\Program Files\Yahoo!
2007-10-24 09:37:08 0 d-------- C:\Program Files\MSN Messenger
2007-10-24 09:35:16 0 d-------- C:\Documents and Settings\myself\Application Data\ICQ
2007-10-24 09:34:58 0 d-------- C:\Program Files\ICQ6
2007-10-24 09:34:30 0 d-------- C:\Documents and Settings\myself\Application Data\InstallShield
2007-10-24 09:33:30 0 d-------- C:\Program Files\Common Files\Java
2007-10-23 01:38:26 0 d-------- C:\Documents and Settings\myself\Application Data\Macromedia
2007-10-23 01:13:44 278528 --a------ C:\WINDOWS\system32\livesnth.dll <Not Verified; LiveUpdate; LiveSynth>
2007-10-23 01:13:44 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2007-10-22 09:22:10 0 d-------- C:\Program Files\QuickTime
2007-10-22 09:20:58 0 d-------- C:\Program Files\Common Files\xing shared
2007-10-22 09:20:48 0 d-------- C:\Program Files\Real
2007-10-22 09:20:48 0 d-------- C:\Program Files\Common Files\Real
2007-10-22 09:20:38 0 d-------- C:\Documents and Settings\myself\Application Data\Real
2007-10-22 09:19:12 0 d-------- C:\Documents and Settings\myself\Application Data\Skype
2007-10-22 09:19:08 0 d-------- C:\Program Files\Google
2007-10-22 09:19:04 0 d-------- C:\Program Files\Skype
2007-10-22 09:19:02 0 d-------- C:\Program Files\Common Files\Skype
2007-10-22 09:18:08 0 d-------- C:\Program Files\Lavasoft
2007-10-22 09:17:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 09:16:06 0 d-------- C:\Program Files\Alwil Software
2007-10-22 08:04:02 0 d-------- C:\Program Files\WIDCOMM
2007-10-22 08:03:24 0 d-------- C:\Program Files\ATI Technologies
2007-10-21 18:39:50 0 d-------- C:\Documents and Settings\myself\Application Data\Google

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"SoundMan"="SOUNDMAN.EXE" [02/09/2004 04:54 PM C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [11/19/2003 03:41 PM C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03/12/2004 12:15 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/12/2004 12:14 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [10/02/2003 02:37 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/02/2003 02:19 PM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 04:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ShowIcon_Chander_CRW Series Driver v1.17r019"="C:\Program Files\CRW\shwicon.exe" [01/09/2003 12:05 AM]
"PCMService"="C:\Program Files\Aspire Arcade\PCMService.exe" [03/25/2004 06:41 PM]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE" [04/05/2004 09:46 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/22/2004 09:10 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:32 PM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [03/31/2003 12:00 PM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 12:00 PM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 12:00 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/23/2007 07:58 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

C:\Documents and Settings\myself\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [8/14/2003 1:28:28 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2007-11-29 04:09:47 ------------

hi Oldman,

Forgot to inform you that I can't find this

HKEY_CLASSES_ROOT>AutoRun>2>Shell>open>Command

in my registry key.

I just checked my C: drive and all of a sudden a lot of hidden files and folders were shown (previously none),

and one of them is the MS-DOS application named NTDELECT.COM (47 KB).

Should I delete this file too?

I'm at a loss now, as I may have made a lot of errors on my PC because of not properly following your instructions.

As of now, my PC still boots and runs normally.

Hope I'm giving you clear information for troubleshooting the error on my PC.

Hi

What is the error you are receiving?

NTDELECT.COM

I’d move it to the chest.

Right-click the "a" icon, select Start avast, click on the chest.

In the chest, click the Users button.
Right-click in the white window and select Add.
Browse to the NTDELECT.COM (47 KB) file, click on it and then click Add.
Once the file is in the chest, you'll see it in the window; close the chest.

Now go and delete the file.

In windows explorer, click tools, folder options, view tab

-uncheck Show hidden files and folders.

-check Hide protected operating system files (recommended)

As for the reg key: is this the one that you thought you deleted? I'll have to look it up and see if it's required. I'll get back to you on that.

The log looks fine.

Open OTMoveIt, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

hi Oldman.

As instructed, I've moved NTDELECT.COM into the virus chest, followed by manual deletion of this file from my C: drive, then proceeded with unchecking my hidden files.

Then I used OTMoveIt to do the clean-up. After the clean-up was done, it requested a reboot,

to which I clicked Yes.

From then on, my PC was unable to boot into Windows, with no error message displayed.

It keeps restarting but is unable to boot into Windows.

I'm now logged in from my friend's PC.

Need help badly now.

Thanks
michaelong

P.S.: It might be inconvenient for me to follow your advice if I can log in with my own PC.

Did you get the right file? There is a legitimate file called NTDETECT.COM which starts your system.

Fix here: http://pcsupport.about.com/od/fixtheproblem/ht/ntldrntdetect.htm

hi essexboy,

Thanks for your quick response and your link.

Indeed, I've deleted the NTDELECT.COM file (MS-DOS application, 47 KB) from my C: drive.

Thought it was a virus. :( ???

Look very carefully at the spelling in your post "ntde L ect" and essexboy's "ntde T ect". If the file was spelled like essexboy's, then that was a Windows file.

Do you or your friend have an XP CD?
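The two names confused in this thread differ by a single letter, and the procedure above (move to the chest, then delete) has no step that catches that before the file is gone. Added here as an illustration, not code from the thread, from avast or from OldTimer's tools: a small Python check that tells a boot-critical root-drive file name from a one-letter lookalike and prints the differing letter the way the post above does. The reference sets of file names, the sample names and the function names are constructed for this example.

```python
"""Pre-deletion name check for files in the root of a Windows XP system drive.

Added example, not code from the thread. The reference sets and the sample
file names below are constructed for this illustration.
"""
from typing import List, Optional, Tuple

# Files that sit in the root of an XP system drive and are required to boot.
# Deleting NTDETECT.COM or ntldr leaves the machine unable to start Windows.
BOOT_CRITICAL = {"ntdetect.com", "ntldr", "boot.ini"}

# Other files normally present in the root that are not worth a second look.
KNOWN_BENIGN = {"pagefile.sys", "hiberfil.sys"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (used to catch lookalikes)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def highlight_difference(name: str, ref: str) -> str:
    """Bracket the differing characters, e.g. 'ntde[l]ect.com vs ntde[t]ect.com'.

    Only meaningful for equal-length names; otherwise both are shown as-is.
    """
    if len(name) != len(ref):
        return f"{name} vs {ref}"
    left = "".join(f"[{c}]" if c != r else c for c, r in zip(name, ref))
    right = "".join(f"[{r}]" if c != r else r for c, r in zip(name, ref))
    return f"{left} vs {right}"


def classify(name: str) -> Tuple[str, Optional[str]]:
    """Classify a bare file name, case-insensitively.

    Returns (verdict, reference) where verdict is one of
    'boot-critical', 'known-benign', 'lookalike' or 'unknown'.
    """
    n = name.lower()
    if n in BOOT_CRITICAL:
        return "boot-critical", n
    if n in KNOWN_BENIGN:
        return "known-benign", n
    for ref in sorted(BOOT_CRITICAL | KNOWN_BENIGN):
        if edit_distance(n, ref) <= 1:
            return "lookalike", ref
    return "unknown", None


def review(names: List[str]) -> List[str]:
    """One advisory line per name for the person doing the clean-up."""
    lines = []
    for name in names:
        verdict, ref = classify(name)
        if verdict == "boot-critical":
            lines.append(f"{name}: Windows boot file, do NOT delete")
        elif verdict == "known-benign":
            lines.append(f"{name}: normal system file, leave alone")
        elif verdict == "lookalike":
            diff = highlight_difference(name.lower(), ref)
            lines.append(f"{name}: one letter away from {ref} ({diff}); "
                         "check the spelling and verify the file before quarantining")
        else:
            lines.append(f"{name}: not a known root file; verify with the helper first")
    return lines


if __name__ == "__main__":
    # Constructed sample: the two names confused in the thread plus a few others.
    sample = ["NTDETECT.COM", "NTDELECT.COM", "ntldr", "boot.ini", "setup.log"]
    for line in review(sample):
        print(line)
```

Run it with the names you see in the root of C: before touching anything; a "boot-critical" verdict means the file is the one Windows needs to start, and a "lookalike" verdict means the spelling is one letter off and the file deserves a closer look (properties, size, a scan) rather than immediate deletion. The reference sets are deliberately short and should be extended for the Windows version at hand.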

hi Oldman,

Now I start to recall that it seems like it was NTDETECT.COM and not NTDELECT.COM.
I think I've deleted it wrongly.
Got a phobia towards those words starting with NT.COM.
I've got the CD on hand but I've forgotten the admin password,
which stopped me from doing the necessary reinstallation of those missing files.
Any other option besides the recovery console?
Thanks Oldman for your quick reply. ;D ;D

Can't remember the password, hey. Can understand the phobia.

Well if you are sure your friend’s computer is clean, you could put your hd in his as a slave drive and copy the file. I think, ??? I’ll have to check with some others just to make certain that will work. So wait till you hear from me, ok?

hi Oldman,

I'm thinking of doing the repair instead of recovery since I can't remember the passwords.

Will let you know when I'm done with the repair.

Not sure if the CD is compatible because previously I installed Windows with my original Acer recovery CD (SP1).

I'm now using the XP SP2 OEM retail for the repair.

Till then, I'm off to my repairs. ;D