0

Help me, every time I start my computer, 2 unknown windows will pop up which are..
1) 1st window
Title: C:\WINDOWS\System32\printer.exe
Windows cannot find 'C:\WINDOWS\System32\printer.exe'. Make sure you typed the name correctly, and then try again. To search a file, click the START button, and then click SEARCH.

2) 2nd window
Title: 16 bit MS-DOS Subsystem
Invalid program file name, please check your pif file. Choose close to terminate the application.

Thats really annoying me...and each time i access my drive C, suddenly the desktop refresh and these windows will pop up again...Please some one..help.....

2
Contributors
15
Replies
16
Views
10 Years
Discussion Span
Last Post by crunchie
0

Please download and install AVG antispyware tool

  • Close all other Applications Select language click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait and AVG antispyware will open to the main screen automatically.
  • Wait again a few minutes and AVG antispyware Should Auto update itself. If it doesn't click update at top of screen.
  • It is very important that you get updated
  • When updating has finished. Close AVG antispyware.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode hit enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while AVG antispyware performs its scan!

  • Run AVG antispyware.
  • Click on scanner at top of AVG antispyware screen.
  • Click on Settings.
  • Under How to Act click on Recommended Action and choose Quarantine.
  • Under How to scan all boxes should be selected.
  • Under Possibly unwanted software all boxes should be selected.
  • On right side under Reports: click on Do not automatically generate report after every scan.
  • Under What to scan select scan every file.
  • Click On scan Tab.
  • Click on Complete system scan.
  • Let the program scan the machine It can take awhile give it time.
  • When scan has finished at bottom of screen click Apply all Actions.
  • Click Save report
  • Click Save Report as (Save as window's screen should pop up.)
  • Click desktop.
  • Click Save.
  • Exit AVG antispyware.

Reboot back to normal mode.
Post the log here.

==

Download HijackThis from here. Download it to your desktop and NOT a temporary folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

0

Thank you, this is the log as I had scanned with the AVG antispyware..---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:57:45 PM 15/12/2007

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1482476501-1592454029-682003330-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@4.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end

and this is the log using HJT..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:21 PM, on 15/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\j6170222.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [A2598r] "C:\WINDOWS\j6170222.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [f3444Adm] "C:\WINDOWS\System32\s8787\zh592115084y.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [A2598r] "C:\WINDOWS\_default17022.pif"
O4 - HKCU\..\Policies\Explorer\Run: [f3444Adm] "C:\Documents and Settings\Administrator\Local Settings\Application Data\dv6211500x\yesbron.com"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5012 bytes

0

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract
    All
    ,
  • Open the extracted folder and double click RunThis.bat to
    start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the
    registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool
    will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and
    display Finished, then press any key to end the script and load
    your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the
    contents of the results file Report.txt back onto the forum with
    a new HijackThis log
0

I had just dowloaded SDfix but it seems the link had broken? so I just download the document with name similar to SDFix which is /RemovalTool/SDfix.exe. Is it okay?

0

I did as what you said before...
no more annoying pop ups, but as I accessed my drive c, suddenly it wil refresh and load my desktop icons again...
this is the contents of the results using SDFix..

SDFix: Version 1.118


Run by Administrator on 17/12/2007 at 04:44 PM


Microsoft Windows XP [Version 5.1.2600]


Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix


Safe Mode:
Checking Services:



Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...



Normal Mode:
Checking Files:


Trojan Files Found:


C:\WINDOWS\SYSTEM32\NSPRS.DLL - Deleted
C:\WINDOWS\SYSTEM32\SERAUTH1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SERAUTH2.DLL - Deleted



Removing Temp Files...


ADS Check:


C:\WINDOWS
No streams found.


C:\WINDOWS\system32
No streams found.


C:\WINDOWS\system32\svchost.exe
No streams found.


C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:


catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 16:49:44
Windows 5.1.2600 Service Pack 1 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


scanning hidden registry entries ...


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"LastWaitTimeout"="2007.12.17 08:49:47"


scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0



Remaining Services:
------------------


Authorized Application Key Export:


Remaining Files:
---------------


File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip


Files with Hidden Attributes:


Thu 28 Jun 2007        45,120 ..SHR --- "C:\WINDOWS\j6170222.exe"
Thu 28 Jun 2007        45,120 ..SHR --- "C:\WINDOWS\o4170227.exe"
Thu 28 Jun 2007        45,120 ..SHR --- "C:\WINDOWS\_default17022.pif"
Thu 28 Jun 2007        45,120 ..SHR --- "C:\WINDOWS\system32\s8787\smss.exe"
Thu 28 Jun 2007        45,120 ..SHR --- "C:\WINDOWS\system32\s8787\zh592115084y.exe"
Mon  5 Mar 2007        34,816 A..H. --- "C:\Documents and Settings\Administrator\My Documents\PLG 800-2007-2\~WRL0001.tmp"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\PLG800-6-Betul2\~WRL2110.tmp"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\PLG800-6-Betul3\~WRL2110.tmp"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior2\PLG800-6-Betul3\~WRL2110.tmp"
Mon 18 Dec 2006        27,648 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\~WRL0573.tmp"
Mon 18 Dec 2006        24,576 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\~WRL1631.tmp"
Mon 18 Dec 2006        24,576 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\~WRL2704.tmp"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\PLG 800 - PROPOSAL 15 Dis\PLG800-6-Betul2\~WRL2110.tmp"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\PLG800-6-Betul3\PLG800-6-Betul2\~WRL2110.tmp"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Thumbdrive2007\PLG800-6-Betul2\~WRL2110.tmp"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior2\PLG800-6-Betul3\PLG800-6-Betul2\~WRL2110.tmp"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\PLG800-6-Betul3\~WRL2110.tmp"
Sat  1 Jan 2000     1,457,664 A..HR --- "C:\Documents and Settings\Administrator\My Documents\My Music\My Folder (Along)\Folder Along\ninja5.part1.exe"
Sat  1 Jan 2000       801,050 A..HR --- "C:\Documents and Settings\Administrator\My Documents\My Music\My Folder (Along)\Folder Along\pokemon gold.exe"
Thu  3 Jul 2003       749,614 A..HR --- "C:\Documents and Settings\Administrator\My Documents\My Music\My Folder (Along)\Folder Along\pokemon gold.zip"
Sun 30 Jul 2006       148,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\PLG800-6-Betul3\PLG800-6-Betul2\~WRL2110.tmp"
Mon  1 May 2000       545,792 A..HR --- "C:\Documents and Settings\Administrator\My Documents\My Music\My Folder (Along)\Folder Along\New Folder (2)\Pikachu Volleyball.exe"
Sat 28 Jan 2006        69,120 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\My Folder (Along)\Folder Along\New Folder (2)\Wings\ppt1A.tmp"
Mon  3 Sep 2001        67,072 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior2\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL0005.TMP"
Mon 27 Aug 2001        68,608 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior2\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL0509.TMP"
Tue  8 Jan 2002        76,800 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior2\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL1204.TMP"
Mon  3 Sep 2001        68,096 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior2\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL3092.TMP"
Mon  3 Sep 2001        68,608 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior2\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL3555.TMP"
Sun 10 Feb 2002        40,960 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior2\PSM_LEPAS\PSM_2002\JENTERA\17\PSM\_WRL3943.TMP"
Sun  9 Mar 1997        20,217 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\My Folder (Along)\Folder Along\New Folder (2)\Action\Super_nintendo\CWSDPMI.EXE"
Mon  3 Sep 2001        67,072 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL0005.TMP"
Mon 27 Aug 2001        68,608 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL0509.TMP"
Tue  8 Jan 2002        76,800 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL1204.TMP"
Mon  3 Sep 2001        68,096 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL3092.TMP"
Mon  3 Sep 2001        68,608 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\PSM_LEPAS\PSM_2002\JENTERA\04\SIAP\_WRL3555.TMP"
Sun 10 Feb 2002        40,960 A..H. --- "C:\Documents and Settings\Administrator\My Documents\mior3\My Documents\PSM_LEPAS\PSM_2002\JENTERA\17\PSM\_WRL3943.TMP"


Finished!


and this is the HTJ log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:27 PM, on 17/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\j6170222.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [A2598r] "C:\WINDOWS\j6170222.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [f3444Adm] "C:\WINDOWS\System32\s8787\zh592115084y.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


--
End of file - 4717 bytes

Thank You..

Edited by Nick Evan: Fixed formatting

0

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\j6170222.exe

O4 - HKLM\..\Run: [A2598r] "C:\WINDOWS\j6170222.exe"
O4 - HKCU\..\Run: [f3444Adm] "C:\WINDOWS\System32\s8787\zh592115084y.exe"


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

==

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text (including the 'Files to delete') contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C:

Files to delete:
C:\WINDOWS\j6170222.exe
C:\WINDOWS\o4170227.exe
Folders to delete:
C:\WINDOWS\System32\s8787


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

0

Okay..

This is HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:33 PM, on 17/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\sllights.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDA71697-FA2C-43A9-8163-185FE9CA116B}: NameServer = 202.188.0.132 202.188.0.133
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 4588 bytes

and this is the Avenger log
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\abishoxc

*******************

Script file located at: \??\C:\Documents and Settings\obfqxrdi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\j6170222.exe deleted successfully.
File C:\WINDOWS\o4170227.exe deleted successfully.
Folder C:\WINDOWS\System32\s8787 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Thank You...but, I still can't access my drive C..:'(

0

Try the following;

Download Dial-a-Fix and run it. Select the 'Check all' (green arrow) and then hit 'GO.'
Reboot when done and see how things are now.

==

When you say you cannot access the drive, what exactly happens?

0

hmm, same thing occured,
when I open my drive c, the window (drive C) will appear just for a few seconds, and suddenly all windows, desktop icons and the task bar disappear. After that, the desktop and all icons appear back as usual.

0

Er...Mr Crunchie, I still can't find my CD but my friend has XP CD...is it okay to use it?

0

As long as it's the same as the original install ie; if it was SP1 or SP2 etc., it should be ok. Will probably require the key too, so make sure you have that on hand.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.