Balloon Saying "your Computer Is Infected With Spyware" Most Likely Malware

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages

1 2 3 >

Balloon Saying "your Computer Is Infected With Spyware" Most Likely Malware, problems, poppup windows with errors and wont run certin programs

Options

emopants92 View Member Profile	Mar 1 2008, 10:58 PM Post #1
Member Group: Members Posts: 63 Joined: 27-February 08 Member No.: 193,014	ok i have been haveing some kinda of malware lately or spyware or something ok well after 3 days of not able to get a hijackthis log i finally got my cure! first i have a balloon popping up saying your computer is infected with spyware blah blah blah. Then it wants me to download a program to get rid of it obvioulsy fake. Also i have 2 fake icons on my desktop that are windows update and support center that take me to some website. I also get poppups all the time of errors while im working on the computer and starting up i get about 20. When i try to run hijackthis or Avg or spybot i click them to run and nothing happens and have tried to reinstall them a couple of times. here is the log Log created by WinPatrol version 14.0.2007.1:14.0.2007.1 Scan saved at 7:49:52 PM, on 3/01/2008 Platform: Windows XP SP2 Home Edition Service Pack 2 (Build 2600) MSIE: Internet Explorer (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\SYSTEM32\SMSS.EXE C:\WINDOWS\SYSTEM32\WINLOGON.EXE C:\WINDOWS\SYSTEM32\SERVICES.EXE C:\WINDOWS\SYSTEM32\LSASS.EXE C:\WINDOWS\SYSTEM32\SVCHOST.EXE C:\WINDOWS\SYSTEM32\spoolsv.exe C:\PROGRAM FILES\Bonjour\MDNSRESPONDER.EXE C:\WINDOWS\explorer.exe C:\PROGRAM FILES\ANALOG DEVICES\Core\smax4pnp.exe C:\PROGRAM FILES\2Wire\2PORTALMON.EXE C:\PROGRAM FILES\MICROSOFT XBOX 360 ACCESSORIES\XBoxStat.exe C:\PROGRAM FILES\Java\JRE1.6.0_03\bin\jusched.exe C:\PROGRAM FILES\QUICKTIME\qttask.exe C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\CTFMON.EXE C:\PROGRAM FILES\AIM6\aim6.exe C:\PROGRAM FILES\MSN MESSENGER\msnmsgr.exe C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpobnz08.exe C:\PROGRAM FILES\Yahoo!\browser\ybrowser.exe C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpotdd01.exe C:\PROGRAM FILES\COMMON FILES\AOL\Loader\aolload.exe C:\PROGRAM FILES\THOOSJE SIDEBAR V2.3\THOOSJE VISTA SIDEBAR.EXE C:\PROGRAM FILES\OPENOFFICE.ORG 2.3\program\soffice.exe C:\PROGRAM FILES\OPENOFFICE.ORG 2.3\program\soffice.bin C:\PROGRAM FILES\AIM6\AOLSOFTWARE.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpoevm08.exe C:\WINDOWS\SYSTEM32\HPZipm12.exe C:\Program Files\Yahoo!\browser\ycommon.exe C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hposts08.exe C:\PROGRAM FILES\Yahoo!\browser\ybrwicon.exe C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe C:\WINDOWS\SYSTEM32\bubbles.scr C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com O1 - Hosts: 127.0.0. O2 - BHO: yjngchdt - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\yjngchdt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O4 - HKLM\..\Run: [SoundMAXPnP]C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [2wSysTray]C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [XboxStat]c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe silentrun O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime O4 - HKLM\..\Run: [30ff593c]C:\WINDOWS\system32\uuaxundd.dll,b O4 - HKLM\..\Run: [BM33cc6aa0]C:\WINDOWS\system32\rdtimseq.dll,s O4 - HKLM\..\Run: [WinReanimator]C:\Program Files\WinReanimator\WinReanimator.exe /hide O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\SYSTEM32\CTFMON.EXE O4 - HKCU\..\Run: [msnmsgr]C:\Program Files\MSN Messenger\msnmsgr.exe /background O4 - Global Startup: hp psc 2000 Series.lnk=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: hpoddt01.exe.lnk=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - Global Startup: OpenOffice.org 2.3.lnk=C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe O4 - Global Startup: Thoosje Vista Sidebar.lnk=C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.6.0_03\bin O11 - Options group: [] - O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL% O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL% O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL% O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL% O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL% O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/9/b...heckControl.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326 O20 - AppInit_DLLs: cru629.dat O21 - WPDShServiceObj - WPDShServiceObj Class - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\SYSTEM32\WPDShServiceObj.dll O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: CAISafe - - C:\Program Files\Yahoo!\Antivirus\ISafe.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - - C:\Program Files\WinPcap\rpcapd.exe -d -f C:\Program Files\WinPcap\rpcapd.ini O23 - Service: VET Message Service - - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPcservice.exe --- Additional WinPatrol Info --- Browser: Unable to find default browser. MSIE: Internet Explorer (7.00.6000.16608) 134 IE Cookies in Folder: C:\Documents and Settings\Mitchell\Cookies\ WP00 - HKLM\CS1: BootExecute = autocheck autochk * WP00 - HKLM\CCS: BootExecute = autocheck autochk * WP00 - HKLM\CS2: BootExecute = autocheck autochk * WP00 - HKLM\CS3: BootExecute = autocheck autochk * WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them. WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http:// WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http:// WP31 - Scheduled Tasks: [McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job]c:\program files\mcafee.com\vso\mcmnhdlr.exe Never WP31 - Scheduled Tasks: [McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job]c:\program files\mcafee.com\vso\mcmnhdlr.exe Never WP31 - Scheduled Tasks: [FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job]C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqfrucl.exe Never WP32 - Hidden File: C:\BOOT.BAK WP32 - Hidden File: C:\boot.ini WP32 - Hidden File: C:\cmldr WP32 - Hidden File: C:\DELL.SDR WP32 - Hidden File: C:\hiberfil.sys WP32 - Hidden File: C:\IO.SYS WP32 - Hidden File: C:\IPH.PH WP32 - Hidden File: C:\MSDOS.SYS WP32 - Hidden File: C:\pagefile.sys WP32 - Hidden File: C:\sqmdata00.sqm WP32 - Hidden File: C:\sqmdata01.sqm WP32 - Hidden File: C:\sqmdata02.sqm WP32 - Hidden File: C:\sqmdata03.sqm WP32 - Hidden File: C:\sqmdata04.sqm WP32 - Hidden File: C:\sqmdata05.sqm WP32 - Hidden File: C:\sqmdata06.sqm WP32 - Hidden File: C:\sqmdata07.sqm WP32 - Hidden File: C:\sqmdata08.sqm WP32 - Hidden File: C:\sqmdata09.sqm WP32 - Hidden File: C:\sqmdata10.sqm WP32 - Hidden File: C:\sqmdata11.sqm WP32 - Hidden File: C:\sqmdata12.sqm WP32 - Hidden File: C:\sqmdata13.sqm WP32 - Hidden File: C:\sqmdata14.sqm WP32 - Hidden File: C:\sqmdata15.sqm WP32 - Hidden File: C:\sqmdata16.sqm WP32 - Hidden File: C:\sqmdata17.sqm WP32 - Hidden File: C:\sqmdata18.sqm WP32 - Hidden File: C:\sqmdata19.sqm WP32 - Hidden File: C:\sqmnoopt00.sqm WP32 - Hidden File: C:\sqmnoopt01.sqm WP32 - Hidden File: C:\sqmnoopt02.sqm WP32 - Hidden File: C:\sqmnoopt03.sqm WP32 - Hidden File: C:\sqmnoopt04.sqm WP32 - Hidden File: C:\sqmnoopt05.sqm WP32 - Hidden File: C:\sqmnoopt06.sqm WP32 - Hidden File: C:\sqmnoopt07.sqm WP32 - Hidden File: C:\sqmnoopt08.sqm WP32 - Hidden File: C:\sqmnoopt09.sqm WP32 - Hidden File: C:\sqmnoopt10.sqm WP32 - Hidden File: C:\sqmnoopt11.sqm WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L WP33 - File Type .BAT: [MS-DOS Batch File]%1 %* WP33 - File Type .CAB: [WinRAR archive]C:\Program Files\WinRAR\WinRAR.exe %1 WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1 WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1 WP33 - File Type .COM: [MS-DOS Application]%1 %* WP33 - File Type .CMD: [Windows NT Command Script]%1 %* WP33 - File Type .DOC: [WordPad Document]C:\Program Files\Windows NT\Accessories\WORDPAD.EXE %1 WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1 WP33 - File Type .EXE: [Application]%1 %* WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1 WP33 - File Type .JS: [Microsoft ® Windows Script Host]C:\WINDOWS\System32\WScript.exe %1 %* WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1 WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %* WP33 - File Type .MID: [AT&T Yahoo! Music Jukebox File]C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe -play %1 WP33 - File Type .MP3: [MediaMonkey file]C:\Program Files\MediaMonkey\MediaMonkey.exe %1 WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %* WP33 - File Type .RAM: [RealPlayer Presentation]C:\Program Files\Real\RealPlayer\RealPlay.exe %1 WP33 - File Type .REG: [Registration Entries]regedit.exe %1 WP33 - File Type .RTF: [Rich Text Document]C:\Program Files\Windows NT\Accessories\WORDPAD.EXE %1 WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1 WP33 - File Type .SCR: [Screen Saver]%1 /S WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1 WP33 - File Type .URL: [Internet Shortcut]rundll32.exe ieframe.dll,OpenURL %l WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %* WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %* WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %* WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %* Memory currently in use: 35% Physical Memory Free: 506,008 KB Paging File Free: 766,068 KB Virtual Memory Free: 2,052,904 KB -- End of file

random/random View Member Profile	Mar 7 2008, 01:57 PM Post #2
Forum Addict Group: HJT Team Coach Posts: 2,613 Joined: 15-July 06 Member No.: 76,279	What you've posted is a log from Winpatrol. WinPatrol is a great application, but I'd like to work with HijackThis itself. Please do the following to download and install the latest version of HijackThis v2.0.2: CLICK HERE to download the HijackThis Installer: Save HJTInstall.exe to your desktop. Double-click on HJTInstall.exe to run the program. By default it will install to C:\Program Files\Trend Micro\HijackThis. Accept the license agreement by clicking the "I Accept" button. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log. Click "Save log" to save the log file and then the log will open in Notepad. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log. Come back here to this thread and paste the log in your next reply. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required. -------------------- If I have helped you, please consider a donation (by clicking this link).

emopants92 View Member Profile	Mar 16 2008, 05:31 PM Post #3
Member Group: Members Posts: 63 Joined: 27-February 08 Member No.: 193,014	see thats wat the problem is. I cant get hijack this to run i even tried with your instructions and i still haven been able to get it to run . Winpatrol is the only thing that will run . I will save it to the desktop and click it and all i get is this. A small window pops up and i click install it installs and never get any message asking me to start and then nothing. So i figure its installed and i click to run the program and nothing i click again nothing. This post has been edited by emopants92: Mar 16 2008, 05:36 PM

random/random View Member Profile	Mar 17 2008, 02:03 PM Post #4
Forum Addict Group: HJT Team Coach Posts: 2,613 Joined: 15-July 06 Member No.: 76,279	OK, we'll see what we can do with the Winpatrol log Please download VundoFix.exe by Atribune from Atribune and save it to your desktop. Double click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Fix Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new Winpatrol log. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. If you receive this error - "Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid" , please download this file and save it to your desktop. Right click on Comdlg32.zip and select Extract All.... Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard. On the text box above the Browse button, copy and paste in C:\Windows\system32. Click OK. Uncheck (untick) the Show extracted files box and click Finish. Click on Start > Run and copy and paste in the following into the Run box: REGSVR32 C:\Windows\system32\comdlg32.ocx Press Enter. You should receive this message - "DllRegisterServer in C:\Windows\system32\comdlg32.ocx succeeded." Click OK and restart your computer. Then try running VundoFix again. -------------------- If I have helped you, please consider a donation (by clicking this link).

emopants92 View Member Profile	Mar 17 2008, 10:21 PM Post #5
Member Group: Members Posts: 63 Joined: 27-February 08 Member No.: 193,014	ya im downloaded it and tried to run it and same thing as hijackthis no response when i click on it i tried it a couple of times, then in safe mode too . And still nothing. I didnt download the 2 nd part because i never got an error message, all i got was no response so should i try that file part and then run it again?

random/random View Member Profile	Mar 18 2008, 02:01 PM Post #6
Forum Addict Group: HJT Team Coach Posts: 2,613 Joined: 15-July 06 Member No.: 76,279	No, let's try something else Download Autoruns from here Unzip/extract it to a folder on your desktop Double click on autoruns.exe to start Autoruns Wait for it to finish scanning Under Options make sure the following options are slected Verify Code Signatures Hide Signed Microsoft Entries Click File > Refresh Click File > Save As Save it to the desktop as autoruns.txt Post the contents of autoruns.txt as a reply to this topic -------------------- If I have helped you, please consider a donation (by clicking this link).

emopants92 View Member Profile	Mar 18 2008, 08:42 PM Post #7
Member Group: Members Posts: 63 Joined: 27-February 08 Member No.: 193,014	yep sorry this is such a pain but same thing no response when i click the autoruns.exe

random/random View Member Profile	Mar 19 2008, 02:10 PM Post #8
Forum Addict Group: HJT Team Coach Posts: 2,613 Joined: 15-July 06 Member No.: 76,279	rename autoruns.exe to random.exe and try running it again -------------------- If I have helped you, please consider a donation (by clicking this link).

emopants92 View Member Profile	Mar 19 2008, 07:25 PM Post #9
Member Group: Members Posts: 63 Joined: 27-February 08 Member No.: 193,014	yeah it worked ok here is the fileVVVVVVVVVVVVVVVVVVVVV HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + 2wSysTray HomePortal Monitor Application by 2Wire Engineering (Not verified) 2Wire, Inc. c:\program files\2wire\2portalmon.exe + BM33cc6aa0 c:\windows\system32\iafgkuct.dll + SoundMAXPnP SMax4PNP MFC Application (Not verified) Analog Devices, Inc. c:\program files\analog devices\core\smax4pnp.exe + WinPatrol WinPatrol System Monitor (Verified) BillP Studios c:\program files\billp studios\winpatrol\winpatrol.exe + XboxStat XBoxStat.exe (Not verified) Microsoft Corporation c:\program files\microsoft xbox 360 accessories\xboxstat.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup + hp psc 2000 Series.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe + hpoddt01.exe.lnk hpotdd01 (Not verified) Hewlett-Packard c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe C:\Documents and Settings\Mitchell\Start Menu\Programs\Startup + OpenOffice.org 2.3.lnk c:\program files\openoffice.org 2.3\program\quickstart.exe + Thoosje Vista Sidebar.lnk c:\program files\thoosje sidebar v2.3\thoosje vista sidebar.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run + Aim6 AIM (Not verified) AOL LLC c:\program files\aim6\aim6.exe + Jnskdfmf9eldfd c:\documents and settings\mitchell\local settings\temp\csrssc.exe HKLM\SOFTWARE\Classes\Protocols\Filter + application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll + application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll + application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components + n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\windows\system32\mscories.dll HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler + jhsf8d984jief8dsfus98jkefn c:\windows\system32\jfiehayd.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks + hggfgdb.dll c:\windows\system32\hggfgdb.dll + Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers + CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll + PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll + SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll + WinRAR c:\program files\winrar\rarext.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers + CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll + PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll + WinRAR c:\program files\winrar\rarext.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers + PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll + SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll + WinRAR c:\program files\winrar\rarext.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll HKCU\Software\Classes\Folder\Shellex\ColumnHandlers + {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll HKLM\Software\Classes\Folder\Shellex\ColumnHandlers + PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved + CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll + Display Panning CPL Extension File not found: deskpan.dll + Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll + iTunes iTunes Mini Player DLL (Verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll + OpenOffice.org Column Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll + OpenOffice.org Infotip Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll + OpenOffice.org Property Sheet Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll + OpenOffice.org Thumbnail Viewer (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll + PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll + Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll + Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll + ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll + Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll + WinRAR shell extension c:\program files\winrar\rarext.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects + C:\WINDOWS\system32\jfiehayd.dll c:\windows\system32\jfiehayd.dll + {70AB0A8B-8A8A-496F-A339-4CD2F3352991} c:\windows\system32\hggfgdb.dll + {D4C1697C-6EBA-47B6-ADC9-328A4C997EB1} c:\windows\system32\awtqn.dll HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks + Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll HKLM\Software\Microsoft\Internet Explorer\Toolbar + Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll Task Scheduler + FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job FRU-Client MFC Application c:\program files\hewlett-packard\digital imaging\bin\hpqfrucl.exe + McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe + McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe HKLM\System\CurrentControlSet\Services + Bonjour Service ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762## (Not verified) Apple Computer, Inc. c:\program files\bonjour\mdnsresponder.exe + CAISafe File not found: C:\Program Files\Yahoo!\Antivirus\ISafe.exe + VETMSGNT File not found: C:\Program Files\Yahoo!\Antivirus\VetMsg.exe HKLM\System\CurrentControlSet\Services + Beep c:\windows\system32\drivers\beep.sys + BsStor B.H.A Storage Helper Driver (WindowsNT5.x) (Not verified) B.H.A Co.,Ltd. c:\windows\system32\drivers\bsstor.sys + Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys + d347bus PnP BIOS Extension (Not verified) c:\windows\system32\drivers\d347bus.sys + d347prt SCSI miniport (Not verified) c:\windows\system32\drivers\d347prt.sys + DiagnosticScan File not found: C:\Program Files\Adware Away\DiagnosticScan.SYS + GEARAspiWDM CD/DVD Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys + IFP300 iriver Internet Audio Player IFP-300 File not found: system32\DRIVERS\ifp300.sys + InCDPass File not found: system32\drivers\InCDPass.sys + InCDRm remapper (Not verified) Ahead Software AG c:\windows\system32\drivers\incdrm.sys + IPVNMon IPVNMon (Not verified) Visual Networks c:\windows\system32\drivers\ipvnmon.sys + lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys + MCSTRM RealNetworks Virtual Path Manager® (Not verified) RealNetworks, Inc. c:\windows\system32\drivers\mcstrm.sys + NPF npf (Not verified) CACE Technologies c:\windows\system32\drivers\npf.sys + npkcrypt File not found: C:\Program Files\NEXON\MapleStory\npkcrypt.sys + nuvaud2 File not found: system32\DRIVERS\nuvaud2.sys + oreans32 File not found: C:\WINDOWS\system32\drivers\oreans32.sys + Partizan Partizan - Rootkit detector (Not verified) Greatis Software c:\windows\system32\drivers\partizan.sys + PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys + PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys + PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys + PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys + PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys + pfc Padus® ASPI Shell (Not verified) Padus, Inc. c:\windows\system32\drivers\pfc.sys + psa500 QSound Virtual Engine driver (Not verified) QSound Labs, Inc. c:\windows\system32\drivers\psa500.sys + PSSdk23 File not found: C:\WINDOWS\system32\Drivers\PsSdk23.drv + PsSdk30 File not found: C:\WINDOWS\system32\Drivers\PsSdk30.drv + PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys + SCDEmu PowerISO Virtual Drive (Not verified) PowerISO Computing, Inc. c:\windows\system32\drivers\scdemu.sys + SNPSTD3 PC Camera driver c:\windows\system32\drivers\snpstd3.sys + sptd c:\windows\system32\drivers\sptd.sys + TPkd InterLok system file (Verified) PACE Anti-Piracy, Inc. c:\windows\system32\drivers\tpkd.sys + UacFlt UAC355x Filter/Support Driver (Not verified) Micronas GmbH c:\windows\system32\drivers\uacbflt.sys + VET-FILT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-filt.sys + VET-REC CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-rec.sys + VETEBOOT RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\veteboot.sys + VETEFILE RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetefile.sys + VETFDDNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetfddnt.sys + VETMONNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetmonnt.sys + wanatw File not found: system32\DRIVERS\wanatw4.sys + WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute + Partizan Partizan - First Bootwatch Anti-Rootkit (Not verified) Greatis Software c:\windows\system32\partizan.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls + cru629.dat c:\windows\system32\cru629.dat HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify + !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll + __c00CAA47 c:\windows\system32\__c00caa47.dat + hggfgdb c:\windows\system32\hggfgdb.dll + vptjopus c:\windows\system32\vptjopus.dll + xxyaxxx File not found: xxyaxxx.dll + yjngchdt File not found: yjngchdt.dll HKCU\Control Panel\Desktop\Scrnsave.exe + C:\WINDOWS\system32\bubbles.scr Bubbles Screen Saver (Not verified) Microsoft Corporation c:\windows\system32\bubbles.scr HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 + CA ISafe LSP CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll + CA ISafe LSP over [MSAFD Tcpip [RAW/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll + CA ISafe LSP over [MSAFD Tcpip [TCP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll + CA ISafe LSP over [MSAFD Tcpip [UDP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages + C:\WINDOWS\system32\awtqn.dll c:\windows\system32\awtqn.dll

random/random View Member Profile	Mar 20 2008, 11:31 AM Post #10
Forum Addict Group: HJT Team Coach Posts: 2,613 Joined: 15-July 06 Member No.: 76,279	Backup Your Registry with ERUNT Please use the following link and scroll down to ERUNT and download it. http://aumha.org/freeware/freeware.php For version with the Installer: Use the setup program to install ERUNT on your computer For the zipped version: Unzip all the files into a folder of your choice. Click Erunt.exe to backup your registry to the folder of your choice. Note: to restore your registry, go to the folder and start ERDNT.exe Copy the contents of the following codebox to a notepad window CODE REGEDIT4 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 Save it to the desktop as fix.reg, making sure save as type is set to all files Download UnDLL by ESET from here Unzip/extact it to a folder on the desktop Double click on UNDLL.EXE to start UnDLL Click on Select infected DLL Locate and select this file: c:\windows\system32\vptjopus.dll Click Open UnDLL will now attempt to delete the DLL file If asked to restart your PC, click No Repeat the above steps for the following files: CODE c:\windows\system32\__c00caa47.dat c:\windows\system32\awtqn.dll c:\windows\system32\cru629.dat c:\windows\system32\hggfgdb.dll c:\windows\system32\iafgkuct.dll c:\windows\system32\jfiehayd.dll Once you have used UnDLL on all the files: Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt Restart your PC manually Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt Run autoruns again and post the log it produces -------------------- If I have helped you, please consider a donation (by clicking this link).

emopants92 View Member Profile	Mar 20 2008, 10:09 PM Post #11
Member Group: Members Posts: 63 Joined: 27-February 08 Member No.: 193,014	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + 2wSysTray HomePortal Monitor Application by 2Wire Engineering (Not verified) 2Wire, Inc. c:\program files\2wire\2portalmon.exe + 30ff593c File not found: C:\WINDOWS\system32\nfdcecbm.dll + BM33cc6aa0 c:\windows\system32\hoapctic.dll + RRT-Auto A tool to remove system restrictions and defend against removable media malware! (Not verified) iSergiwa Software - www.sergiwa.com c:\documents and settings\mitchell\local settings\temp\rar$ex00.219\rrt.exe + SoundMAXPnP SMax4PNP MFC Application (Not verified) Analog Devices, Inc. c:\program files\analog devices\core\smax4pnp.exe + TkBellExe RealNetworks Scheduler (Verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe + WinPatrol WinPatrol System Monitor (Verified) BillP Studios c:\program files\billp studios\winpatrol\winpatrol.exe + XboxStat XBoxStat.exe (Not verified) Microsoft Corporation c:\program files\microsoft xbox 360 accessories\xboxstat.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup + hp psc 2000 Series.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe + hpoddt01.exe.lnk hpotdd01 (Not verified) Hewlett-Packard c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe C:\Documents and Settings\Mitchell\Start Menu\Programs\Startup + OpenOffice.org 2.3.lnk c:\program files\openoffice.org 2.3\program\quickstart.exe + Thoosje Vista Sidebar.lnk c:\program files\thoosje sidebar v2.3\thoosje vista sidebar.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run + Aim6 AIM (Not verified) AOL LLC c:\program files\aim6\aim6.exe + Jnskdfmf9eldfd c:\documents and settings\mitchell\local settings\temp\csrssc.exe HKLM\SOFTWARE\Classes\Protocols\Filter + application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll + application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll + application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components + n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\windows\system32\mscories.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks + Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll HKLM\Software\Classes\\ShellEx\ContextMenuHandlers + CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll + PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll + SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll + WinRAR c:\program files\winrar\rarext.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers + CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll + PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll + WinRAR c:\program files\winrar\rarext.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers + PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll + SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll + WinRAR c:\program files\winrar\rarext.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll HKCU\Software\Classes\Folder\Shellex\ColumnHandlers + {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll HKLM\Software\Classes\Folder\Shellex\ColumnHandlers + PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved + CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll + Display Panning CPL Extension File not found: deskpan.dll + Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll + iTunes iTunes Mini Player DLL (Verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll + OpenOffice.org Column Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll + OpenOffice.org Infotip Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll + OpenOffice.org Property Sheet Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll + OpenOffice.org Thumbnail Viewer (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll + PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll + Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll + Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll + ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll + Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll + WinRAR shell extension c:\program files\winrar\rarext.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll + Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks + Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll HKLM\Software\Microsoft\Internet Explorer\Toolbar + Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll Task Scheduler + FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job FRU-Client MFC Application c:\program files\hewlett-packard\digital imaging\bin\hpqfrucl.exe + McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe + McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe HKLM\System\CurrentControlSet\Services + Bonjour Service ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762## (Not verified) Apple Computer, Inc. c:\program files\bonjour\mdnsresponder.exe + CAISafe File not found: C:\Program Files\Yahoo!\Antivirus\ISafe.exe + VETMSGNT File not found: C:\Program Files\Yahoo!\Antivirus\VetMsg.exe HKLM\System\CurrentControlSet\Services + Beep c:\windows\system32\drivers\beep.sys + BsStor B.H.A Storage Helper Driver (WindowsNT5.x) (Not verified) B.H.A Co.,Ltd. c:\windows\system32\drivers\bsstor.sys + Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys + d347bus PnP BIOS Extension (Not verified) c:\windows\system32\drivers\d347bus.sys + d347prt SCSI miniport (Not verified) c:\windows\system32\drivers\d347prt.sys + DiagnosticScan File not found: C:\Program Files\Adware Away\DiagnosticScan.SYS + GEARAspiWDM CD/DVD Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys + IFP300 iriver Internet Audio Player IFP-300 File not found: system32\DRIVERS\ifp300.sys + InCDPass File not found: system32\drivers\InCDPass.sys + InCDRm remapper (Not verified) Ahead Software AG c:\windows\system32\drivers\incdrm.sys + IPVNMon IPVNMon (Not verified) Visual Networks c:\windows\system32\drivers\ipvnmon.sys + lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys + MCSTRM RealNetworks Virtual Path Manager® (Not verified) RealNetworks, Inc. c:\windows\system32\drivers\mcstrm.sys + NPF npf (Not verified) CACE Technologies c:\windows\system32\drivers\npf.sys + npkcrypt File not found: C:\Program Files\NEXON\MapleStory\npkcrypt.sys + nuvaud2 File not found: system32\DRIVERS\nuvaud2.sys + oreans32 File not found: C:\WINDOWS\system32\drivers\oreans32.sys + Partizan Partizan - Rootkit detector (Not verified) Greatis Software c:\windows\system32\drivers\partizan.sys + PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys + PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys + PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys + PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys + PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys + pfc Padus® ASPI Shell (Not verified) Padus, Inc. c:\windows\system32\drivers\pfc.sys + psa500 QSound Virtual Engine driver (Not verified) QSound Labs, Inc. c:\windows\system32\drivers\psa500.sys + PSSdk23 File not found: C:\WINDOWS\system32\Drivers\PsSdk23.drv + PsSdk30 File not found: C:\WINDOWS\system32\Drivers\PsSdk30.drv + PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys + SCDEmu PowerISO Virtual Drive (Not verified) PowerISO Computing, Inc. c:\windows\system32\drivers\scdemu.sys + SNPSTD3 PC Camera driver c:\windows\system32\drivers\snpstd3.sys + sptd c:\windows\system32\drivers\sptd.sys + TPkd InterLok system file (Verified) PACE Anti-Piracy, Inc. c:\windows\system32\drivers\tpkd.sys + UacFlt UAC355x Filter/Support Driver (Not verified) Micronas GmbH c:\windows\system32\drivers\uacbflt.sys + VET-FILT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-filt.sys + VET-REC CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-rec.sys + VETEBOOT RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\veteboot.sys + VETEFILE RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetefile.sys + VETFDDNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetfddnt.sys + VETMONNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetmonnt.sys + wanatw File not found: system32\DRIVERS\wanatw4.sys + WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute + Partizan Partizan - First Bootwatch Anti-Rootkit (Not verified) Greatis Software c:\windows\system32\partizan.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls + cru629.dat c:\windows\system32\cru629.dat HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify + !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll + xxyaxxx File not found: xxyaxxx.dll + yjngchdt File not found: yjngchdt.dll HKCU\Control Panel\Desktop\Scrnsave.exe + C:\WINDOWS\system32\bubbles.scr Bubbles Screen Saver (Not verified) Microsoft Corporation c:\windows\system32\bubbles.scr HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 + CA ISafe LSP CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll + CA ISafe LSP over [MSAFD Tcpip [RAW/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll + CA ISafe LSP over [MSAFD Tcpip [TCP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll + CA ISafe LSP over [MSAFD Tcpip [UDP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll This post has been edited by emopants92*: Mar 20 2008, 11:38 PM

random/random View Member Profile	Mar 21 2008, 07:38 AM Post #12
Forum Addict Group: HJT Team Coach Posts: 2,613 Joined: 15-July 06 Member No.: 76,279	Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum with a new HijackThis log -------------------- If I have helped you, please consider a donation (by clicking this link).

emopants92 View Member Profile	Mar 21 2008, 11:55 AM Post #13
Member Group: Members Posts: 63 Joined: 27-February 08 Member No.: 193,014	ok thank you soo much i can finally get hijackthis to run! yeah the only thing next is that i also have winpatrol and get a new start up program ever 10 seconds and it wont stop when i click no even after the 100 times lol. The first log is the report then second is the hijackthis log file. SDFix: Version 1.159 Run by Mitchell on Fri 03/21/2008 at 09:34 AM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Name: pcximg pzqlp Path: \??\C:\WINDOWS\system\pcximg.pif \??\C:\WINDOWS\Help\pzqlp.chm pcximg - Deleted pzqlp - Deleted Restoring Windows Registry Values Restoring Windows Default Hosts File Resetting AppInit_DLLs value Rebooting Infected beep.sys Found! beep.sys File Locations: "C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys" 31232 02/25/2008 08:07 PM "C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS" 31232 02/25/2008 08:07 PM Infected File Listed Below: C:\WINDOWS\system32\DLLCACHE\beep.sys C:\WINDOWS\system32\DRIVERS\BEEP.SYS File copied to Backups Folder Attempting to replace beep.sys with original version Original beep.sys Restored "C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys" 4224 03/21/2008 12:23 AM "C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS" 4224 03/21/2008 12:23 AM Checking Files : Trojan Files Found: C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk - Deleted C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk - Deleted C:\Documents and Settings\All Users\Desktop\WinReanimator.lnk - Deleted C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk - Deleted C:\Program Files\Helper\1205557079.dll - Deleted C:\Program Files\Helper\1205557147.dll - Deleted C:\Program Files\WinReanimator\htmlayout.dll - Deleted C:\Program Files\WinReanimator\install.exe - Deleted C:\Program Files\WinReanimator\pthreadVC2.dll - Deleted C:\Program Files\WinReanimator\un.ico - Deleted C:\Program Files\WinReanimator\unzip32.dll - Deleted C:\Program Files\WinReanimator\WinReanimator.cfg - Deleted C:\Program Files\WinReanimator\WinReanimator.dll - Deleted C:\Program Files\WinReanimator\WinReanimator.exe - Deleted C:\Program Files\WinReanimator\data\daily.cvd - Deleted C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest - Deleted C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll - Deleted C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll - Deleted C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll - Deleted C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Csrssc.exe - Deleted C:\WINDOWS\braviax.exe - Deleted C:\WINDOWS\cru629.dat - Deleted C:\WINDOWS\system32\braviax.exe - Deleted C:\WINDOWS\system32\cru629.dat - Deleted C:\WINDOWS\system32\users32.dat - Deleted C:\WINDOWS\system32\winistr.exe - Deleted C:\WINDOWS\help\pzqlp.chm - Deleted C:\WINDOWS\system\pcximg.pif - Deleted Folder C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator - Removed Folder C:\Program Files\Helper - Removed Folder C:\Program Files\WinReanimator - Removed The below files have been patched by Trojan.Agent to load users32.dat and should be replaced: C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\2Wire\2PortalMon.exe c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe C:\Program Files\AIM6\aim6.exe Removing Temp Files ADS Check : C:\WINDOWS\system32 :svchost 686 Total size: 686 bytes. system32: deleted 686 bytes in 1 streams. Checking for remaining Streams C:\WINDOWS\system32 No streams found. Final Check : catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-21 09:42:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40] "khjeh"=hex:20,02,00,00,21,74,73,d9,a1,6c,d5,76,f0,0d,c7,13,53,ab,5f,cd,ca,.. "hj34z0"=hex:99,a5,1b,9a,8c,aa,68,e3,6a,ca,5a,72,0b,42,ea,a7,99,2c,bd,aa,58,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41] "khjeh"=hex:20,02,00,00,57,3d,59,d2,a3,14,49,bd,9a,d8,75,b9,65,f6,8d,e5,64,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42] "khjeh"=hex:20,02,00,00,bf,39,59,d2,6b,1d,52,c0,22,b7,61,80,ed,63,cc,39,4c,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43] "khjeh"=hex:20,02,00,00,ca,27,59,d2,bc,55,b2,fd,af,5f,ac,64,d6,31,15,77,81,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s0"=dword:14c02a52 "s1"=dword:aa5a74b3 "s2"=dword:b35e9d52 scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe::Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Enabled:AOL" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe::Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe::Enabled:Yahoo! FT Server" "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe::Enabled:Yahoo! Messenger" "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe::Enabled:Yahoo! FT Server" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe::Enabled:AOL Loader" "C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aolsoftware.exe::Enabled:AOL Services" "C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aim6.exe::Enabled:AIM" "C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"="C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe::Enabled:RealNetworks Rhapsody" "C:\\Program Files\\Atari-Infogrames\\Roller Coaster Tycoon 2\\rct2.exe"="C:\\Program Files\\Atari-Infogrames\\Roller Coaster Tycoon 2\\rct2.exe::Enabled:rct2" "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe::Enabled:BitComet - a BitTorrent Client" "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe::Enabled:Java™ 2 Platform Standard Edition binary" "C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"="C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe::Enabled:Yahoo! Browser" "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe::Enabled:Kodak Software Updater" "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe::Enabled:EasyShare" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe::Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe::Enabled:M5Shell" "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe::Enabled:AOL Instant Messenger" "C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe::Enabled:Microsoft Flight Simulator" "C:\\WINDOWS\\SYSTEM32\\DPNSVR.EXE"="C:\\WINDOWS\\SYSTEM32\\DPNSVR.EXE::Enabled:Microsoft DirectPlay8 Server" "G:\\GAME\\FS9.EXE"="G:\\GAME\\FS9.EXE::Enabled:Microsoft Flight Simulator" "C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe"="C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe::Enabled:Microsoft Flight Simulator" "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe::Enabled:RealPlayer" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\TimHillOne\\H264WebCamPro\\H264WebCamPro.exe"="C:\\Program Files\\TimHillOne\\H264WebCamPro\\H264WebCamPro.exe::Enabled:H264WebCam Microsoft MFC Class Application" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe::Enabled:Yahoo! Messenger" "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe::Enabled:æTorrent" "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe::Enabled:mem86control" "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe::Enabled:opserver" "C:\\Program Files\\JetCast Server\\JCSERVER.exe"="C:\\Program Files\\JetCast Server\\JCSERVER.exe::Enabled:jetCast Server" "C:\\Program Files\\JetAudio\\JcServer.exe"="C:\\Program Files\\JetAudio\\JcServer.exe::Enabled:jcServer" "C:\\StubInstaller.exe"="C:\\StubInstaller.exe::Enabled:LimeWire swarmed installer" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe::Enabled:LimeWire" "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe::Enabled:AIM" "C:\\Program Files\\Icecast2 Win32\\Icecast2.exe"="C:\\Program Files\\Icecast2 Win32\\Icecast2.exe::Enabled:Icecast2win" "C:\\Program Files\\Counter-Strike 1.6\\hl.exe"="C:\\Program Files\\Counter-Strike 1.6\\hl.exe::Enabled:Half-Life Launcher" "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe::Enabled:opserver" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe::Enabled:iTunes" "C:\\Program Files\\EA games\\Battlefield 2\\Bf2_w32ded.exe"="C:\\Program Files\\EA games\\Battlefield 2\\Bf2_w32ded.exe::Enabled:Bf2_w32ded" "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe::Enabled:Windows Media Player" "C:\\Program Files\\XBC\\XBC_NS.exe"="C:\\Program Files\\XBC\\XBC_NS.exe::Enabled:XBConnect" "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE::Enabled:Yahoo! Messenger" "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe::Enabled:PimpStreamer, Streams video from PC to PSP Realtime!" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp::Enabled:enable" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe::Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Enabled:AOL" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe::Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe::Enabled:AOL Instant Messenger" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone)" Remaining Files* : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Fri 25 Jan 2008 211 A.SHR --- "C:\BOOT.BAK" Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL" Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL" Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE" Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE" Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL" Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS" Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS" Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS" Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS" Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE" Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE" Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE" Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL" Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE" Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL" Wed 19 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL" Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL" Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL" Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE" Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE" Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL" Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS" Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS" Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS" Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS" Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE" Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE" Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE" Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL" Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE" Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL" Wed 19 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL" Fri 14 Mar 2008 16,384 ..SH. --- "C:\Program Files\Internet Explorer\setupapi.dll" Mon 12 Feb 2007 848 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys" Fri 30 Dec 2005 338,891 A.SH. --- "C:\WINDOWS\SYSTEM32\nmllm.tmp" Sun 25 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Fri 7 Sep 2007 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe" Sun 19 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp" Sun 25 Dec 2005 4,348 A..H. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv1key.bak" Sat 25 Mar 2006 20 A..H. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv1lic.bak" Sun 25 Dec 2005 400 A.SH. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv2key.bak" Wed 27 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp" Wed 27 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp" Sat 12 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp" Sat 12 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp" Thu 13 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp" Finished! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:52:10 AM, on 3/21/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\2Wire\2PortalMon.exe C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\Trend Micro\bunny\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.193.196.81:80 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Rar$EX00.219\RRT.exe auto O4 - HKLM\..\Run: [BM33cc6aa0] Rundll32.exe "C:\WINDOWS\system32\hoapctic.dll",s O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: xxyaxxx - xxyaxxx.dll (file missing) O20 - Winlogon Notify: yjngchdt - yjngchdt.dll (file missing) O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file) O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing) O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE O24 - Desktop Component 0: (no name) - (no file) -- End of file - 7526 bytes

random/random View Member Profile	Mar 21 2008, 12:32 PM Post #14
Forum Addict Group: HJT Team Coach Posts: 2,613 Joined: 15-July 06 Member No.: 76,279	These files are legit, but they've been infected, so you'll need to reinstall the programs after this fix: C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\2Wire\2PortalMon.exe c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe C:\Program Files\AIM6\aim6.exe Backup Your Registry with ERUNT Please use the following link and scroll down to ERUNT and download it. http://aumha.org/freeware/freeware.php For version with the Installer: Use the setup program to install ERUNT on your computer For the zipped version: Unzip all the files into a folder of your choice. Click Erunt.exe to backup your registry to the folder of your choice. Note: to restore your registry, go to the folder and start ERDNT.exe Copy the contents of the following codebox to a notepad window CODE REGEDIT4 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe"=- "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe"=- "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe"=- "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe"=- "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe"=- "C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp"=- Save it to the desktop as fix.reg, making sure save as type is set to all files Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE C:\WINDOWS\system32\nfdcecbm.dll C:\WINDOWS\system32\hoapctic.dll C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\2Wire\2PortalMon.exe c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe C:\Program Files\AIM6\aim6.exe Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste. Click the red Moveit! button. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTMoveIt2 Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter .log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Run HijackThis Click on do a system scan only Place a checkmark next to these lines(if still present) O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Rar$EX00.219\RRT.exe auto O4 - HKLM\..\Run: [BM33cc6aa0] Rundll32.exe "C:\WINDOWS\system32\hoapctic.dll",s O20 - Winlogon Notify: xxyaxxx - xxyaxxx.dll (file missing) O20 - Winlogon Notify: yjngchdt - yjngchdt.dll (file missing) O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file) O24 - Desktop Component 0: (no name) - (no file) Then close all windows except HijackThis and click Fix Checked Go here to run an online scannner from ESET. Note: You will need to use Internet explorer for this scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Click Start Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked Click Scan Wait for the scan to finish Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems -------------------- If I have helped you, please consider a donation (by clicking this link).

emopants92 View Member Profile	Mar 21 2008, 04:20 PM Post #15
Member Group: Members Posts: 63 Joined: 27-February 08 Member No.: 193,014	this is my ot log and the second is the log from the online scanner File/Folder C:\WINDOWS\system32\nfdcecbm.dll not found. DllUnregisterServer procedure not found in C:\WINDOWS\system32\hoapctic.dll C:\WINDOWS\system32\hoapctic.dll NOT unregistered. C:\WINDOWS\system32\hoapctic.dll moved successfully. C:\Program Files\Analog Devices\Core\smax4pnp.exe moved successfully. C:\Program Files\2Wire\2PortalMon.exe moved successfully. c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe moved successfully. C:\Program Files\AIM6\aim6.exe moved successfully. OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_114518 # version=4 # OnlineScanner.ocx=1.0.0.635 # OnlineScannerDLLA.dll=1, 0, 0, 79 # OnlineScannerDLLW.dll=1, 0, 0, 78 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=2966 (20080321) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=094e458ae4794642906fcdc59fa3aeab # end=finished # remove_checked=false # unwanted_checked=true # utc_time=2008-03-21 08:15:36 # local_time=2008-03-21 01:15:36 (-0800, Pacific Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=475373 # found=29 # scan_time=4913 C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBEOGWWV\sdferw[1].htm Win32/BHO.NCI trojan B88D8A8AE94EE4986D6FA57ADE5989EE C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\UQ0ZR7RN\Installer[1].exe Win32/Adware.WinReanimator application 05D2E2D567DFE2B2F00C2DF7A57F1443 C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip Win32/Adware.WinReanimator application 828A14150262A6A18A31B046AA350CA0 C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip »ZIP »WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000 C:\RECYCLER\S-1-5-21-817955303-2890540678-2661541813-1006\Dc7.exe Win32/Adware.WinFixer application 2D1580425AF8FB4318D6304A14F46012 C:\SDFix\backups\backups.zip multiple infiltrations 8762AD9788FC12518C97509DA1EB75E9 C:\SDFix\backups\backups.zip »ZIP »backups/1205557079.dll Win32/BHO.NCV trojan 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/1205557147.dll Win32/BHO.NCI trojan 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/BEEP.SYS a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/braviax.exe a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/cru629.dat Win32/TrojanProxy.Agent.NDN trojan 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/csrssc.exe probably a variant of Win32/TrojanDownloader.Small.CYF trojan 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/install.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/winistr.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000 C:\SDFix\backups\backups.zip »ZIP »backups/WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000 C:\SDFix\backups\catchme.zip multiple infiltrations 04EFB26704921C27A4B3FDFB97876E89 C:\SDFix\backups\catchme.zip »ZIP »beep.sys a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000 C:\SDFix\backups\catchme.zip »ZIP »beep.sys.1 a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000 C:\SDFix\backups\catchme.zip »ZIP »pcximg.pif Win32/TrojanDownloader.Agent.JMZ trojan 00000000000000000000000000000000 C:\WINDOWS\SYSTEM32\ayaeqwxi.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5 C:\WINDOWS\SYSTEM32\BRAVIAX.EXE.del a variant of Win32/Adware.UltimateDefender application 254C82FBC79956B7D1B492E16AFE82C7 C:\WINDOWS\SYSTEM32\cwqbnjwf.dll Win32/Adware.AdMedia application FFD39115CA3A41A8D8D7D330CC83591F C:\WINDOWS\SYSTEM32\dwkvnnbj.dll Win32/Adware.Virtumonde application BD36712C0944EB8BD3CF0A3086C12960 C:\WINDOWS\SYSTEM32\ecoklfbk.dll Win32/Adware.SecToolbar application 0B3F2E02AC5C2EE57D677D63362B56F7 C:\WINDOWS\SYSTEM32\kokbthgc.dll Win32/Adware.AdMedia application FFD39115CA3A41A8D8D7D330CC83591F C:\WINDOWS\SYSTEM32\rvnhenvj.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5 C:\WINDOWS\SYSTEM32\UIFKMUKH.DLL.del Win32/Adware.AdMedia application 032EE9E686094FCB812C8BE4C7E3F4CA C:\WINDOWS\SYSTEM32\windows Win32/Adware.SecToolbar application AD249B316368039C91BC2B6B3DDFFF64 C:\WINDOWS\SYSTEM32\yjyqgici.dll Win32/Adware.Virtumonde application 0202C561364D2E57E2D277B7F70B14E4

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

3 Pages

1 2 3 >

2 User(s) are reading this topic (2 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 21st November 2009 - 07:19 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides