Svchost.exe is running at 90 to 100%. I cannot run the Windows Installer; it says error 1722.
Apparently explorer was running the same way, but now it appears to be fixed by combofix.exe, I hope. Anyway, here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:45 PM, on 4/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bayer\Compi\compi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
D:\Software\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [MPMKrnl] rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc
O4 - Global Startup: PC Information.lnk = C:\Program Files\Bayer\Compi\compi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\Software\..\Telephony: DomainName = DE.BAYER.cnb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6254 bytes
Who told you to run Combofix? This is an infection-specific tool, NOT recommended unless specific symptoms are showing. Running it without supervision or without being told to run it can cause damage to the computer.
Why are you running Windows Installer? What specific program are you trying to install?
Hey johlland1964,
How are you? I hope you remember me, but anyway.
The whole situation is that I got a laptop on which I tried to install Norton antivirus, but it keeps hanging at some stage and then gives an error 1722 regarding Windows Installer. Furthermore, svchost.exe is running at 100%, and sometimes I see explorer.exe running the same way.
I hope this clears up the situation.
By the way, I think there is something wrong with my firewall as well,
as it does not allow updates to run in SUPERAntiSpyware, which says it might be blocked.
Yes jazzyjaj I do remember you. I went back and reviewed the last thread you had here. On that thread you had run multiple programs BEFORE you posted, including three runs at least of combofix and multiple other programs which are usually only run if a helper instructs a poster to do so. Is this that same computer or a different one? DID you run combofix on THIS computer before you made THIS thread?
No, this is a different computer. That one was a desktop; this one is a laptop.
I only ran combofix once after starting Windows normally and once in safe mode, because I forgot it has to be done in safe mode.
Yes, I posted here after running combofix.
Sorry, I forgot to mention that I tried using the software which solved my previous problem, SUPERAntiSpyware; however, it couldn't find anything other than adware.
Unfortunately I could not run the updater, as it said it could be blocked by the firewall; however, this was not the case.
Look, I told you in your previous thread and you obviously IGNORED my warning. Combofix is NOT A TOOL that should be run without first being told to do so. It is only for specific infections and you DON'T know what infections you have. It is a tool that is NOT run in Safe Mode, but should be run in NORMAL mode AND you say above you ran it once in normal mode and once in safe mode, so you have run it twice on this computer. So you obviously don't know how to run this tool.
You say: "SUPERAntiSpyware however it couldn't find anything other than adware. Unfortunately I could not run the updater as it said it could be blocked by the firewall; however, this was not the case."
What was the Adware? Adware can be very dangerous.
One piece of Adware showing in your log is a program called Thunderwise, which is also known as Adware.Thunderwise... it is a Backdoor Trojan. Very dangerous. You are also showing MKMKrnl.dll, which is very dangerous and a fraudulent security program.
How do you know absolutely that your firewall DIDN'T block updates? I don't see a firewall on the system so is that how you knew this for sure...you don't have a firewall? How long have you been running this computer without an antivirus program?
I honestly don't see how I can help you. I haven't a clue as to what you have done for sure. You are not forthcoming with information, it has to be dragged out of you. Why didn't you run MBA-M? I have no idea what damage has been done to the computer with your running of combofix twice incorrectly. I don't know that any steps will work properly because for one thing you refuse to follow standard procedures but leap ahead to programs that maybe shouldn't be run at all. As shown in your last thread, you didn't follow any instructions I gave you in the order I gave them. You insisted on running programs I had not told you to run. I honestly don't know that I can go further because you refuse to follow instructions.
This time I will follow.
I am trying to find and download MBA-M. I'll try it in safe mode, then I will post again. I hope you are still there in the process.
MBA-M MUST BE DONE in NORMAL MODE. It is not set up to be run in Safe Mode. If run in Safe Mode it will NOT do the full work it was designed to do. Please Follow these instructions TO THE LETTER. I don't want you to do ANYTHING ELSE except what is posted below.
Download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* Double-click mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
REBOOT THE COMPUTER
Run a new HJT scan. Post back with the MBA-M log and the new HJT log.
This is MBA-M, but in safe mode. I am running it again now and will do only as told:
Malwarebytes' Anti-Malware 1.36
Database version: 2014
Windows 5.1.2600 Service Pack 2
4/20/2009 8:43:35 PM
mbam-log-2009-04-20 (20-43-35).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 133139
Time elapsed: 36 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 33
Registry Keys Infected: 96
Registry Values Infected: 35
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 59
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
Registry Keys Infected:
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b5cb70cb-3dee-4e2e-9911-4870175eab78} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3fa3cad1-c5d8-48b9-800a-a7b2d2a23044} (Spyware.OnlineGames) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ccca2fb9-2d5d-4481-8bfe-1cddc458a3f4} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3d144530-43da-47cc-b7c7-a3a9f3b9a6b2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msnmsg (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\D9C002DD.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\2EF0D734.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\erdznUfbK0ZF.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\hx7hWWpe.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\122B901E.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\etGBJk2YCXnM.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\A1A6BC2E.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\skcfujQ5EDN.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\dhDhwS7fFW.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\wBJk3Fs8ghs.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\ufQCU5.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\704C3595.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\A0C86020.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\STG4WdmetW2FP.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\08223B03.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\BMsg6pdMD4ht.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\76B9BA7A.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\GrTZqH5SnRhAt.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\56BC86C7.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\efc0c52cc1.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\YbKeaDWhb3vF4pe.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\wS0GWMZ.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\E4814792.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\VAHVqDG3.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\Fonts\Q9UnbAWWNuSv4.fon (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\peV7mS4gcukR.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\VnTU2WAqUcZA6.dll (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\system32\Nj4gYd3rUbJ57.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\Fonts\tY5UFS434YYd.fon (Spyware.Onlinegames) -> Delete on reboot.
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gggg6sZAbKcD.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\J9mfQxkJ.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\CCCA2FB9.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\3D144530.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\360F2V4N\A01[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\360F2V4N\A11[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\360F2V4N\A12[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\360F2V4N\A15[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\360F2V4N\A23[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\360F2V4N\A27[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\360F2V4N\adsup[1].dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\360F2V4N\update[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\9EVAX6ZR\A06[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\9EVAX6ZR\A26[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\9WGVGBWV\A07[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\9WGVGBWV\A13[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\9WGVGBWV\A16[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\9WGVGBWV\A17[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\9WGVGBWV\D55[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\BQO6URGS\A20[1].exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EJ234JW7\adsup[1].dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EJ234JW7\adsup[2].dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ITYHKZMB\update[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ITYHKZMB\update[2].gif (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\Framdee.ttf (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\PrZWDcWgjaE3SQyr.ttf (Trojan.Agent) -> Quarantined and deleted successfully.
After running it normally, the new MBA-M log is:
Malwarebytes' Anti-Malware 1.36
Database version: 2014
Windows 5.1.2600 Service Pack 2
4/20/2009 9:14:07 PM
mbam-log-2009-04-20 (21-14-07).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 133680
Time elapsed: 16 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\HBKernel32.sys (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Nskhelper2.sys (Spyware.OnlineGames) -> Delete on reboot.
The new HJT log is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:18 PM, on 4/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
C:\PROGRA~1\LANDesk\LDClient\LDInventoryProvider.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bayer\Compi\compi.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\Software\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [MPMKrnl] rundll32 "C:\WINDOWS\MKMKrnl.dll",KMainProc
O4 - Global Startup: PC Information.lnk = C:\Program Files\Bayer\Compi\compi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\Software\..\Telephony: DomainName = DE.BAYER.cnb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DE.BAYER.cnb
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5958 bytes
The svchost.exe is still running at 90-100%.
The svchost.exe is running in network service.
What do you think could be the problem now?
A good part of the problem is you refuse to follow instructions as given but insist on doing it your own way.
Why didn't you follow the instructions I gave you? Why did you insist on running it in safe mode after I specifically told you not to do so?
I may be done with this and leave you on your own. Even after I told you to follow instructions you didn't. If you know everything why then did you come here and ask for help?
Anyway, the Windows Installer runs OK now that I have been able to install Symantec AntiVirus and updated it.
Please tell me what to do now, as I got your instructions later than I had acted upon them, but right now I am awaiting your orders.
Please look at these comments from Malwarebytes' Anti-Malware.org
Safe mode doesn't let MBAM load all its drivers which are often necessary for the best detection and removal results. MBAM works in safe mode but is crippled, so if at all possible it should be used in normal mode in an admin account.
Now look at your scans....the first scan done in Safe Mode DID NOT FIND
Files Infected:
C:\WINDOWS\system32\drivers\HBKernel32.sys (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Nskhelper2.sys (Spyware.OnlineGames) -> Delete on reboot.
WHY? Because it was run in SAFE MODE. In Safe mode that scan took 36 minute(s), 35 second(s)
Now you ran the second scan in Normal Mode and those two files were found...because it was run in Normal Mode.
BUT for some reason that scan only took 16 minute(s), 15 second(s). Not normal time for a Full Scan.
See why I don't know what you are doing or what you have done correctly?
DID you reboot the computer after BOTH MBA-M scans and BEFORE you ran HJT?
No, it is not; I got this laptop from my mom's office as a gift.
I think some of the settings from there
Are those LANDesk Software programs yours or from your Mom's office? Do they have to stay on there if they are from the office, in other words, are you allowed to remove them?