win32.zafi.b

I have the win32.zafi.b. trojan can you please help me remove it.

Here is the Hijack this log...... below that is the uninstall list


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:50 AM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Lexmark 2600 Series\ezprint.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2600 Series\ezprint.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139504547984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6729 bytes


here is the unistall list

Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.1.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
Before You Know It 3.6
Bonjour
Browser Configuration Utility
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Catalyst Control Center - Branding
Compatibility Pack for the 2007 Office system
Complete Italian
EAX Unified
El Matador
Energy Saver Advance B8.1015.1
FEARCombat
Gigabyte Raid Configurer
Google Talk (remove only)
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
J2SE Runtime Environment 5.0 Update 3
Lexmark 2600 Series
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 SR-1 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Need2Find Bar
Nero 7 Ultra Edition
NovaBACKUP 7.1
NVIDIA Drivers
PokerStars
PokerStars.net
PrimoPDF
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Risk II
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
System Requirements Lab
Trader Workstation 4.0
Ulead DVD MovieFactory 3 Suite
Ulead VideoStudio 7 SE DVD
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Vuze
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.1.3 final uninstall

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
  O18 - Filter hijack: text/html - (no CLSID) - (no file)
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Delete this file in bold:
C:\WINDOWS\system32\dvmurl.dll

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Belahzur,

Here are the results from the Malwarebyte. the results look a little empty I think because I ran the malwarebyte earlier because I had a another virus. That one cleaned out 5 files that were infected. i didn't know that there would be any relation between the two. sorry if this doesn't confirm your diagnosis. I believe you were spot on. I am no longer getting the microsoft warning about the virus being present. You guys are a great help!!!
Botto


Malwarebytes' Anti-Malware 1.32
Database version: 1626
Windows 5.1.2600 Service Pack 3

1/7/2009 8:52:19 AM
mbam-log-2009-01-07 (08-52-19).txt

Scan type: Quick Scan
Objects scanned: 52299
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

B,

I think I ran it correctly some of the file extensions didn't match but i think I muddled through it. here are the results. Please let me know if I goofed. I will repeat process if necessary . Thanks as always.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Todd at 20:33:57.20 on Wed 01/07/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2791 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Lexmark 2600 Series\ezprint.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Todd\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] =
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2600 series\ezprint.exe"
mRun: [vinclock] "c:\documents and settings\todd\application data\google\ocboo1892823.exe" 2
StartupFolder: c:\docume~1\todd\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Yeah, I think you did.
The log should look like this:
http://www.geekpolice.net/malware-removal-hijackthis-logs-f11/win32zafib-t5579.htm#32478

But nevermind for now, because this zafi.b that's flooded this forum, is able to hide from Hijack This, so I we can't see it using HJT or MBAM, but DDS can see it.

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :processes
  explorer.exe
  
  :files
  c:\documents and settings\todd\application data\google\ocboo1892823.exe
  
  :reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "vinclock"=-
  
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  [reboot]
  
  
  
  
• Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

B,


here is my log from OT move it


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\documents and settings\todd\application data\google\ocboo1892823.exe not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vinclock deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Todd\LOCALS~1\Temp\etilqs_whmbyYxgeXwE3vzF2iZ7 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Todd\LOCALS~1\Temp\Perflib_Perfdata_ca4.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_20c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Todd\Local Settings\Application Data\Mozilla\Firefox\Profiles\9y4lpc19.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Todd\Local Settings\Application Data\Mozilla\Firefox\Profiles\9y4lpc19.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Todd\Local Settings\Application Data\Mozilla\Firefox\Profiles\9y4lpc19.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Todd\Local Settings\Application Data\Mozilla\Firefox\Profiles\9y4lpc19.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Todd\Local Settings\Application Data\Mozilla\Firefox\Profiles\9y4lpc19.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Todd\Local Settings\Application Data\Mozilla\Firefox\Profiles\9y4lpc19.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01092009_152749

Hello.
That has removed the run value of the zafi problem, please run DDS again, we need a full log.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Todd at 8:50:04.40 on Tue 01/13/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2701 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\javaw.exe
C:\Documents and Settings\Todd\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] =
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\docume~1\todd\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\todd\applic~1\mozilla\firefox\profiles\9y4lpc19.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-12-21 89600]
R4 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-12-21 68136]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\todd\locals~1\temp\mdxgthkn.sys --> c:\docume~1\todd\locals~1\temp\mdxgthkn.sys [?]

=============== Created Last 30 ================

2009-01-09 15:26 --d----- C:\_OTMoveIt
2009-01-08 16:57 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-08 16:54 4,096 a------- c:\windows\system32\crash
2009-01-07 00:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 00:25 --d----- c:\docume~1\todd\applic~1\Malwarebytes
2009-01-07 00:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 00:25 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 00:25 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 00:04 --d----- c:\program files\Trend Micro
2009-01-06 18:05 --d----- c:\docume~1\todd\applic~1\GetRightToGo
2009-01-06 17:27 319 a------- c:\windows\game.ini
2009-01-06 17:17 --d----- c:\program files\Alcohol Soft
2009-01-06 16:40 --d----- c:\program files\DAEMON Tools Lite
2009-01-05 18:06 --d----- c:\docume~1\todd\applic~1\DAEMON Tools Pro
2009-01-05 18:06 --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-01-05 18:05 --d----- c:\docume~1\todd\applic~1\DAEMON Tools Lite
2009-01-02 14:53 --d----- c:\program files\EA GAMES
2008-12-31 20:01 79 a------- c:\windows\wininit.ini
2008-12-30 12:27 --d----- c:\documents and settings\all users\Lx_cats
2008-12-30 12:27 --d----- C:\logs
2008-12-30 12:26 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2008-12-30 12:26 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2008-12-30 12:26 87,040 ac------ c:\windows\system32\dllcache\wiafbdrv.dll
2008-12-30 12:26 87,040 a------- c:\windows\system32\wiafbdrv.dll
2008-12-30 12:26 --d----- c:\program files\Lexmark Toolbar
2008-12-30 12:26 --d----- C:\drivers
2008-12-30 11:16 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2008-12-30 11:16 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2008-12-25 15:00 1,686,016 a------- c:\windows\system32\clinetsuitex6.ocx
2008-12-25 15:00 427,864 a------- c:\windows\system32\XceedZip.dll
2008-12-25 14:44 --d----- C:\NEC Superscript 870
2008-12-25 14:21 --d----- C:\unzip
2008-12-21 11:06 --d----- c:\program files\Prey
2008-12-21 10:38 --d----- C:\TEXCACHE
2008-12-21 10:31 --d----- c:\program files\Cenega
2008-12-21 09:35 0 a------- c:\windows\ativpsrm.bin
2008-12-21 09:29 --d----- c:\program files\common files\ATI Technologies
2008-12-21 09:25 89,600 a----r-- c:\windows\system32\drivers\AtiHdmi.sys
2008-12-21 09:25 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-12-21 09:25 307,200 a----r-- c:\windows\system32\atiiiexx.dll
2008-12-21 09:25 14,144 a----r-- c:\windows\atiogl.xml
2008-12-21 09:25 425,984 a----r-- c:\windows\system32\ATIDEMGX.dll
2008-12-21 09:25 7,167 a----r-- c:\windows\system32\atifglpf.xml
2008-12-21 09:25 887,724 a----r-- c:\windows\system32\ativva6x.dat
2008-12-21 09:25 3,107,788 a----r-- c:\windows\system32\ativva5x.dat
2008-12-21 09:25 3,107,788 a----r-- c:\windows\system32\ativvaxx.dat
2008-12-21 09:25 174,818 a----r-- c:\windows\system32\atiicdxx.dat
2008-12-21 09:24 --d----- c:\program files\ATI Technologies
2008-12-21 09:14 111,360 a----r-- c:\windows\system32\drivers\Rtenicxp.sys
2008-12-21 09:14 9,728 a----r-- c:\windows\system32\RtNicProp32.dll
2008-12-21 09:14 --d----- C:\RaidTool
2008-12-21 09:14 1,966,080 -----r-- c:\windows\system32\xRaidSetup.exe
2008-12-21 09:14 151,552 -----r-- c:\windows\system32\xRaidAPI.dll
2008-12-21 09:14 79,960 a----r-- c:\windows\system32\drivers\jraid.sys
2008-12-21 09:14 --d----- c:\windows\RaidTool
2008-12-21 09:14 --d----- c:\windows\OPTIONS
2008-12-21 09:11 --d----- c:\program files\Realtek
2008-12-21 09:08 53,248 a----r-- c:\windows\system32\CSVer.dll
2008-12-21 09:07 --d----- C:\Intel
2008-12-21 09:07 146,528 a------- c:\windows\system32\dvmurl.dll
2008-12-21 09:07 --d----- c:\program files\Browser Configuration Utility
2008-12-21 09:07 --d----- c:\program files\GIGABYTE
2008-12-21 09:07 3,218 a------- c:\windows\system32\PerfStringBackup.TMP
2008-12-21 09:06 16,608 a------- c:\windows\gdrv.sys
2008-12-21 09:03 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2008-12-21 09:03 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2008-12-21 08:51 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2008-12-21 08:51 21,504 a------- c:\windows\system32\hidserv.dll
2008-12-21 07:57 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2008-12-21 07:57 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2008-12-21 07:54 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2008-12-21 07:45 20,608 ac------ c:\windows\system32\dllcache\usbuhci.sys
2008-12-21 07:45 20,608 a------- c:\windows\system32\drivers\usbuhci.sys

==================== Find3M ====================

Hello.
Were gonna use OTMoveIt again.

• Please double-click OTMoveIt3.exe to run it.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :processes
  explorer.exe
  
  :services
  mdxgthkn
  
  :files
  c:\documents and settings\todd\application data\google\*.*
  
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  [reboot]
  
  
  
• Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.