Slow PC, pop-ups, with HijackThis log file

Just delete the C:\_OTMoveIt folder then - it will accomplish the same thing, and then continue with the remainder of my post.
 
  • Open Up My Computer
  • Double click on your C:\ drive
  • Right click on _OTMoveIt and click Delete
  • Answer Yes when asked whether you wish to move the folder to the Recycle Bin

Once done, do the following:
Please also turn off System Restore, and turn it back on again. This will clean out your infected Restore Points. To do so:

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Then to turn it back on again:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

There are a few very important updates I would strongly recommend.

I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir and avast!. Please download and install one of the above antivirus programs, and allow it to run a full scan. Let me know if you have any troubles with the installation, or if the scan finds anything it can't remove.

Please consider maintaining a firewall, as it is a vital element of your overall system security. Some good free firewalls are ZoneAlarm, Kerio, or Outpost.

You desperately need to update your Windows XP to Service Pack 2 since it is probably the most important security update they have ever created and running without it almost guarantees you will get infected again. You can obtain Service Pack 2 from http://update.microsoft.com/

Once you've updated to Service Pack 2, please also download all critical updates from http://update.microsoft.com/

Please post a report on how your system is running after the upgrade to Service Pack 2, as any problems with the update may indicate that malware is still present.
 
Those were just the backups we deleted. You can delete the file from the desktop manually (just right-click on it and choose Delete).
 
So what should I do next?
I'm updating right now. It has been stuck on the registering page for like 30 mins, but it says 100%??????
 
The upgrade process can take a very long time. If it won't proceed, restart and try once more. If it still won't proceed, post a ComboFix log:

1. Please download this file (ComboFix) to your desktop.
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
ComboFix 07-11-08.3 - Owner 2007-11-17 6:37:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.101 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\SCURIT~1
C:\Documents and Settings\Administrator\Application Data\SCURIT~1\s?curity\
C:\Documents and Settings\Administrator\My Documents\YSTEM3~1
C:\Documents and Settings\Owner\Application Data\SCURIT~1
C:\Documents and Settings\Owner\Application Data\SCURIT~1\s?curity\
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\icroso~1.net\t?skmgr.exe
C:\Temp\xOe
C:\WINDOWS\b.exe
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\app.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\SCURIT~1
C:\WINDOWS\system32\config\systemprofile\Application Data\SCURIT~1\s?curity\
C:\WINDOWS\system32\config\systemprofile\My Documents\YSTEM3~1
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\gebcdab.dll
C:\WINDOWS\system32\mljgfeb.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\winlogo.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 06:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 17:07 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-11-16 02:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-16 01:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-16 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 01:53 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-13 05:08 58,368 --a------ C:\Documents and Settings\Administrator\app.exe
2007-11-13 05:08 167 --a------ C:\Documents and Settings\Administrator\6173.bat
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-13 04:16 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Shared
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo! Messenger
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WhenU
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VERITAS
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Musicmatch
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee.com Personal Firewall
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lexmark Imaging Studio
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-11-13 04:16 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\GTek
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Freedom
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Aim
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-13 04:16 389,120 --a------ C:\Documents and Settings\Administrator\remote.exe
2007-11-13 04:16 32,768 --a------ C:\Documents and Settings\Administrator\winlogo.exe
2007-11-12 23:18 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-12 18:24 <DIR> d-------- C:\sdfix'
2007-10-28 22:58 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
2007-10-28 13:47 151,552 --a------ C:\WINDOWS\system32\igfxres.dll
2007-10-28 13:45 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-10-28 13:41 58,368 --a------ C:\WINDOWS\system32\config\systemprofile\app.exe
2007-10-28 13:41 167 --a------ C:\WINDOWS\system32\config\systemprofile\6173.bat
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Incomplete
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo! Messenger
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\WhenU
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Viewpoint
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Musicmatch
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\MSNInstaller
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\MSN6
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Motive
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee.com Personal Firewall
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\LimeWire
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Lexmark Imaging Studio
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Lavasoft
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\InterVideo
2007-10-28 13:18 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Application Data\GTek
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Freedom
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Corel
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\AVG7
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\ArcSoft
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\AOL
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Aim
2007-10-28 13:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\AdobeUM
2007-10-28 13:18 389,120 --a------ C:\WINDOWS\system32\config\systemprofile\remote.exe
2007-10-28 13:18 32,768 --a------ C:\WINDOWS\system32\config\systemprofile\winlogo.exe
2007-10-28 13:17 <DIR> d---s---- C:\WINDOWS\system32\config\systemprofile\UserData
2007-10-28 13:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Shared
2007-10-28 13:17 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-10-28 13:17 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2007-10-28 13:14 58,368 --a------ C:\Documents and Settings\Default User\app.exe
2007-10-28 13:14 167 --a------ C:\Documents and Settings\Default User\6173.bat
2007-10-28 12:45 <DIR> d---s---- C:\Documents and Settings\Default User\UserData
2007-10-28 12:45 <DIR> d-------- C:\Documents and Settings\Default User\Shared
2007-10-28 12:45 <DIR> d-------- C:\Documents and Settings\Default User\Incomplete
2007-10-28 12:45 389,120 --a------ C:\Documents and Settings\Default User\remote.exe
2007-10-28 12:45 32,768 --a------ C:\Documents and Settings\Default User\winlogo.exe
2007-10-28 01:50 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-10-28 01:50 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-10-28 01:50 7,040 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-10-28 01:50 5,120 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-10-28 01:50 4,608 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-10-28 01:50 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-10-28 01:47 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-10-28 01:47 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-10-28 01:47 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-10-26 00:33 <DIR> d-------- C:\WINDOWS\pss
2007-10-23 00:04 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-10-22 22:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-22 22:20 58,368 --------- C:\Documents and Settings\Owner\app.exe
2007-10-22 22:20 167 --a------ C:\Documents and Settings\Owner\6173.bat
2007-10-22 22:18 32,768 --a------ C:\Documents and Settings\Owner\winlogo.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 13:13 --------- d-----w C:\Program Files\LimeWire
2007-11-15 11:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-13 07:44 --------- d-----w C:\Program Files\RecordNow
2007-11-13 07:42 --------- d-----w C:\Program Files\Corel
2007-11-13 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-13 07:14 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 07:11 --------- d-----w C:\Program Files\HP Instant Support
2007-11-13 06:00 --------- d-----w C:\Program Files\WildTangent
2007-11-13 05:59 --------- d-----w C:\Program Files\Simple Backup for My Pictures
2007-11-12 12:33 --------- d-----w C:\Program Files\Java
2007-11-12 08:16 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-29 06:56 28,164 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-10-28 22:07 --------- d-----w C:\Program Files\Quicken
2007-10-28 22:05 --------- d-----w C:\Program Files\AWS
2007-10-28 21:46 4,108 --sha-r C:\WINDOWS\system32\drivers\HP_D7218F-ABA 554Y_YUU_Pavi_QMX309S_E31NAheBLU4_4_INBGV - Northwood Brookdale-G Validation Board_SIntel Corporation_V_B6.00_T030207_WXH1_L409_M248_J41_7Intel_8Celeron_92.19_1_N10EC8139_P_Z11C1044E_K_A808624C5_U808624C2.MRK
2007-10-26 02:25 --------- d-----w C:\Program Files\CallWave
2007-10-23 22:48 --------- d-----w C:\Program Files\WinISD
2007-10-13 07:47 --------- d-----w C:\Program Files\Lx_cats
2007-10-11 22:04 --------- d-----w C:\Program Files\uTorrent
2007-10-08 15:45 --------- d-----w C:\Program Files\DAEMON Tools SearchBar
2007-10-05 23:36 --------- d-----w C:\Program Files\DAEMON Tools
2007-10-05 23:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\WhenU
2007-10-05 23:14 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2006-03-10 19:46 389,120 ----a-w C:\Documents and Settings\Owner\remote.exe
2004-09-14 04:37 208,614 -c--a-w C:\Program Files\systemsoappro.exe
2004-09-05 19:36 5,815,952 -c--a-w C:\Program Files\zlsSetup_51_011.exe
2004-08-04 17:57 20,480 ----a-w C:\Program Files\log.exe
2001-01-06 15:03 125,154 -c--a-w C:\Program Files\Qutrit.exe
2006-03-24 05:16:13 723,105 --sh--w C:\WINDOWS\system32\stutv.bak1
2006-03-28 06:34:34 647,949 --sh--w C:\WINDOWS\system32\stutv.bak2
2006-03-28 07:53:18 648,087 --sh--w C:\WINDOWS\system32\stutv.ini2
2005-03-01 18:29:18 140,288 --sha-r C:\WINDOWS\system32\config\systemprofile\Desktop\PhoTags Express\Setup.exe
2004-12-15 09:14:32 39,936 --sha-r C:\WINDOWS\system32\config\systemprofile\Desktop\PhoTags Express\_Setupx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockTracker"="c:\hp\bin\BlockTracker.exe" []
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-09-09 07:05]
"AutoTBar"="C:\hp\bin\autotbar.exe" []
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-09-30 23:39 C:\WINDOWS\system32\nwiz.exe]
"_Res"="c:\hp\bin\cloaker c:\hp\bin\SetRes\SetRes.bat" []
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 16:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-09-30 23:39 C:\WINDOWS\system32\nview.dll]
"AOL Fast Start"="C:\Program Files\America Online 9.0a\AOL.exe" [2005-07-12 06:17]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 22:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Stardust Wallpaper Control 2003.lnk - C:\WINDOWS\WCMain.exe [2003-10-27 09:51:45]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2006-03-10 10:54:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

S3 PCDRDRV;Pcdr Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 06:42:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 6:48:11 - machine was rebooted
.
--- E O F ---
 
Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:23 AM, on 11/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\WCMain.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservices.passport.net/reg.srf?xpwiz=true&lc=1033&fid=RegXPWizCredOnly
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [_Res] c:\hp\bin\cloaker c:\hp\bin\SetRes\SetRes.bat
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Stardust Wallpaper Control 2003.lnk = C:\WINDOWS\WCMain.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1195303255734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195304942906
O17 - HKLM\System\CCS\Services\Tcpip\..\{18D259BD-77B4-40CC-93AC-404A16901D81}: NameServer = 205.188.146.145
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4281 bytes
 
The ComboFix log is showing more. Hopefully you'll be able to run this tool this time:

Step 1
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

Step 2:
Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths in the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    Code:
    C:\Documents and Settings\Administrator\app.exe
    C:\Documents and Settings\Administrator\6173.bat
    C:\Documents and Settings\Administrator\Application Data\WhenU
    C:\Documents and Settings\Administrator\winlogo.exe
    C:\WINDOWS\system32\config\systemprofile\app.exe
    C:\WINDOWS\system32\config\systemprofile\6173.bat
    C:\Documents and Settings\Administrator\winlogo.exe
    C:\WINDOWS\system32\config\systemprofile\app.exe
    C:\WINDOWS\system32\config\systemprofile\6173.bat
    C:\WINDOWS\system32\config\systemprofile\Application Data\WhenU
    C:\WINDOWS\system32\config\systemprofile\winlogo.exe
    C:\Documents and Settings\Default User\app.exe
    C:\Documents and Settings\Default User\6173.bat
    C:\Documents and Settings\Default User\winlogo.exe
    C:\Documents and Settings\Owner\app.exe
    C:\Documents and Settings\Owner\6173.bat
    C:\Documents and Settings\Owner\winlogo.exe
    C:\Program Files\systemsoappro.exe
    C:\WINDOWS\system32\stutv.bak1
    C:\WINDOWS\system32\stutv.bak2
    C:\WINDOWS\system32\stutv.ini2

  • Return to OTMoveIt, right click on the Paste List of Files/Folders to be moved window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Don't run the CleanUp or delete the file afterwards - we may still need it.

Step 3:
Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\Documents and Settings\Administrator\remote.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://www.virustotal.com/

Repeat that process for the following files:
C:\Program Files\log.exe
C:\Program Files\Qutrit.exe


Step 4:
Please use HijackThis to generate an uninstall list:
  • Double click on HijackThis.exe and choose Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list and save the uninstall list to a location on your computer. This will open up a Notepad document containing an uninstall list, please copy and paste the contents into your next reply

Please post:
  • The SDFix report
  • The OTMoveIt log
  • The Jotti or VirusTotal results for those files
  • The HijackThis uninstall list
  • A new Combofix log
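The reply above picks its OTMoveIt and upload candidates from the ComboFix listing by eye. As an added example (not part of this thread, and not a feature of ComboFix, SDFix or OTMoveIt), here is a small Python triage script that parses ComboFix's "Files Created" and "Find3M" entries and applies three of the same heuristics: an executable sitting loose in a profile root, the service profile, the Program Files root or a drive root; a file name one edit away from a core system binary (winlogo.exe against winlogon.exe); and hidden+system attributes on a file directly in system32 (the stutv.* files). It also deduplicates a move list case-insensitively, which is what produced the three "not found" lines in the OTMoveIt result when paths were repeated. The sample lines are copied from the ComboFix log posted above; the heuristics, the system-binary list and all function names are my own assumptions, not anything the tools define.

```python
"""Triage helper for ComboFix-style file listings (added example, not a ComboFix feature)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the ComboFix log posted in the thread
# ("Files Created" format with HH:MM, "Find3M" format with HH:MM:SS).
SAMPLE_LOG = r"""
2007-11-17 06:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 05:08 58,368 --a------ C:\Documents and Settings\Administrator\app.exe
2007-11-13 05:08 167 --a------ C:\Documents and Settings\Administrator\6173.bat
2007-11-13 04:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WhenU
2007-11-13 04:16 389,120 --a------ C:\Documents and Settings\Administrator\remote.exe
2007-11-13 04:16 32,768 --a------ C:\Documents and Settings\Administrator\winlogo.exe
2007-10-28 13:17 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2006-03-24 05:16:13 723,105 --sh--w C:\WINDOWS\system32\stutv.bak1
2005-03-01 18:29:18 140,288 --sha-r C:\WINDOWS\system32\config\systemprofile\Desktop\PhoTags Express\Setup.exe
"""

# date, time (optional seconds), size or <DIR>, attribute flags, path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-A-Za-z]{7,9}) (?P<path>.+)$"
)
EXEC_EXT = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".dll", ".sys"}
# Directories that normally contain no loose executables (assumption for this example).
LOOSE_DIR_RES = [
    re.compile(r"^[A-Z]:\\Documents and Settings\\[^\\]+$", re.I),   # user profile root
    re.compile(r"^[A-Z]:\\WINDOWS\\system32\\config\\systemprofile$", re.I),
    re.compile(r"^[A-Z]:\\Program Files$", re.I),
    re.compile(r"^[A-Z]:$", re.I),                                    # drive root
]
SYSTEM32_RE = re.compile(r"^[A-Z]:\\WINDOWS\\system32$", re.I)
# Core binaries whose names malware likes to imitate (hand-picked list, not exhaustive).
SYSTEM_NAMES = ["winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "smss.exe", "explorer.exe", "spoolsv.exe", "taskmgr.exe", "userinit.exe"]


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]          # None for <DIR> entries
    attrs: str                   # lower-cased flag string, e.g. "--sh--w"
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse(log_text: str) -> List[Entry]:
    """Return one Entry per file/dir line; banners, dots and blank lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"].lower(), m["path"]))
    return entries


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that trip at least one heuristic, with the reasons attached."""
    flagged = []
    for e in parse(log_text):
        if e.is_dir:
            continue
        low = e.name.lower()
        ext = "." + low.rsplit(".", 1)[-1] if "." in low else ""
        if ext in EXEC_EXT and any(r.match(e.parent) for r in LOOSE_DIR_RES):
            e.reasons.append("executable dropped in a directory that normally holds none")
        for real in SYSTEM_NAMES:
            if low != real and edit_distance(low, real) == 1:
                e.reasons.append(f"name mimics system binary {real}")
        if "s" in e.attrs and "h" in e.attrs and SYSTEM32_RE.match(e.parent):
            e.reasons.append("hidden+system attributes on a file directly in system32")
        if e.reasons:
            flagged.append(e)
    return flagged


def dedupe_move_list(lines: List[str]) -> List[str]:
    """Drop blank and repeated paths (case-insensitive) so a move tool reports each once."""
    seen, out = set(), []
    for p in (ln.strip() for ln in lines):
        if p and p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry.path)
        for reason in entry.reasons:
            print("   -", reason)
```

The script only shortlists; NirCmd.exe (ComboFix's own helper in C:\WINDOWS) and the PhoTags installer (hidden+system, but under a Desktop folder, not system32) are deliberately not flagged, and anything it does flag still needs the scanner upload or a known-good hash check before being moved.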
 
OK, I have one question: do I download SDFix and OTMoveIt, then reboot in Safe Mode?
Or just SDFix, then reboot in Safe Mode, then get back into regular mode and download OTMoveIt?
 
Only SDFix needs to be run in Safe Mode, so you can do the latter.

Additionally, I still don't see an Antivirus in your log. I suggest installing one ASAP.
 
SDFix: Version 1.114

Run by Administrator on Sat 11/17/2007 at 11:30 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted
C:\VDM13.TMP - Deleted
C:\VDM1E.TMP - Deleted
C:\VDMA6.TMP - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 23:39:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP0.DIR
C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP0.DIR\2503e61.DLL 132096 bytes executable
C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP0.DIR\2503e70.DLL 38400 bytes executable
C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP0.DIR\Corecomp.ini 28290 bytes
C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP0.DIR\Ctl3d32.dll 27136 bytes executable
C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe 306688 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 6


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 7 May 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0a\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0a\rbm.exe"
Fri 16 Dec 2005 374,951 ..SH. --- "C:\WINDOWS\system32\stutv.tmp"
Thu 23 Mar 2006 723,105 ..SH. --- "C:\WINDOWS\system32\stutv.bak1"
Mon 27 Mar 2006 647,949 ..SH. --- "C:\WINDOWS\system32\stutv.bak2"
Sat 8 Jan 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 22 Oct 2007 363 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti1D.tmp"
Tue 1 Mar 2005 140,288 A.SHR --- "C:\Documents and Settings\Default User\Desktop\PhoTags Express\Setup.exe"
Wed 15 Dec 2004 39,936 A.SHR --- "C:\Documents and Settings\Default User\Desktop\PhoTags Express\_Setupx.dll"
Sat 8 Jan 2005 4,348 ...H. --- "C:\RECYCLER\S-1-5-21-1920368367-3126209749-2022339029-500\Dc42\License Backup\drmv1key.bak"
Fri 9 Dec 2005 20 A..H. --- "C:\RECYCLER\S-1-5-21-1920368367-3126209749-2022339029-500\Dc42\License Backup\drmv1lic.bak"
Wed 9 Nov 2005 488 A.SH. --- "C:\RECYCLER\S-1-5-21-1920368367-3126209749-2022339029-500\Dc42\License Backup\drmv2key.bak"
Sat 8 Jan 2005 4,348 A..H. --- "C:\RECYCLER\S-1-5-21-1920368367-3126209749-2022339029-500\Dc67\License Backup\drmv1key.bak"
Fri 9 Dec 2005 20 A..H. --- "C:\RECYCLER\S-1-5-21-1920368367-3126209749-2022339029-500\Dc67\License Backup\drmv1lic.bak"
Wed 9 Nov 2005 488 A.SH. --- "C:\RECYCLER\S-1-5-21-1920368367-3126209749-2022339029-500\Dc67\License Backup\drmv2key.bak"
Sat 8 Jan 2005 4,348 A..H. --- "C:\Documents and Settings\Default User\My Documents\My Music\License Backup\drmv1key.bak"
Fri 9 Dec 2005 20 A..H. --- "C:\Documents and Settings\Default User\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 9 Nov 2005 488 A.SH. --- "C:\Documents and Settings\Default User\My Documents\My Music\License Backup\drmv2key.bak"
Tue 1 Mar 2005 140,288 A.SHR --- "C:\WINDOWS\system32\config\systemprofile\Desktop\PhoTags Express\Setup.exe"
Wed 15 Dec 2004 39,936 A.SHR --- "C:\WINDOWS\system32\config\systemprofile\Desktop\PhoTags Express\_Setupx.dll"
Sat 8 Jan 2005 4,348 A..H. --- "C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\License Backup\drmv1key.bak"
Fri 9 Dec 2005 20 A..H. --- "C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 9 Nov 2005 488 A.SH. --- "C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\License Backup\drmv2key.bak"
Sun 5 Sep 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!
 
C:\Documents and Settings\Administrator\app.exe moved successfully.
C:\Documents and Settings\Administrator\6173.bat moved successfully.
C:\Documents and Settings\Administrator\Application Data\WhenU moved successfully.
C:\Documents and Settings\Administrator\winlogo.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\app.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\6173.bat moved successfully.
File/Folder C:\Documents and Settings\Administrator\winlogo.exe not found.
File/Folder C:\WINDOWS\system32\config\systemprofile\app.exe not found.
File/Folder C:\WINDOWS\system32\config\systemprofile\6173.bat not found.
C:\WINDOWS\system32\config\systemprofile\Application Data\WhenU moved successfully.
C:\WINDOWS\system32\config\systemprofile\winlogo.exe moved successfully.
C:\Documents and Settings\Default User\app.exe moved successfully.
C:\Documents and Settings\Default User\6173.bat moved successfully.
C:\Documents and Settings\Default User\winlogo.exe moved successfully.
C:\Documents and Settings\Owner\app.exe moved successfully.
C:\Documents and Settings\Owner\6173.bat moved successfully.
C:\Documents and Settings\Owner\winlogo.exe moved successfully.
C:\Program Files\systemsoappro.exe moved successfully.
C:\WINDOWS\system32\stutv.bak1 moved successfully.
C:\WINDOWS\system32\stutv.bak2 moved successfully.
C:\WINDOWS\system32\stutv.ini2 moved successfully.

Created on 11/18/2007 00:07:32
 
This is the virusscan.jotti.org scan for: c:\documents and settings\administrator\remote

Scan taken on 18 Nov 2007 04:06:24 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
 
For the log.exe:

Scan taken on 18 Nov 2007 04:12:41 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
 