Desktop Flashing And Disappearing


8 replies to this topic

#1 Daravon


Posted 15 April 2008 - 02:38 PM

My computer boots up fine and Windows loads, but as soon as the desktop is done loading/initializing it begins to flash. By this I mean all the icons disappear and reappear. Also during this time any programs or windows I have open get closed as well (except Task Manager). This repeats until eventually I'm just left with my wallpaper, and my right-click function on the desktop no longer works. Now I have had Task Manager open while this happens, and under the Processes tab I'll see imapi.exe pop up (when the icons return for a second) and then go off the list as my icons disappear again. At one point I also saw the process verclsd.exe pop up, but only once. Hope this info helps.

Here's my dss log:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-15 15:09:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
6: 2008-04-15 19:08:27 UTC - RP204 - Deckard's System Scanner Restore Point
5: 2008-04-15 18:21:38 UTC - RP203 - Last known good configuration
4: 2008-04-15 18:21:34 UTC - RP202 - Last known good configuration
3: 2008-04-15 18:21:34 UTC - RP201 - ComboFix created restore point
2: 2008-04-15 18:21:34 UTC - RP200 - Advanced WindowsCare RestorePoint


-- First Restore Point --
1: 2008-04-15 18:21:34 UTC - RP199 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:11:11 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\Desktop\Owner.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\ddcabcdb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {BFF75E41-08C2-4D72-ABB6-8EC6EC7E3E04} - C:\WINDOWS\system32\fccbxyyv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] ; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] ; "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RecordPadRun] ; "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [RmbNotes] ; C:\Program Files\RememberNotes\RememberNotes.exe SHOWPUBLIC
O4 - HKLM\..\Run: [SBDrvDet] ; C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] ; C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MsnMsgr] ; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] ; "C:\Program Files\begone\SpywareBeGone.exe" -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcabcdb - C:\WINDOWS\SYSTEM32\ddcabcdb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\Owner\Desktop\backups\) ---------------

backup-20070404-193313-178 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
backup-20070404-193313-655 O2 - BHO: (no name) - {D5E8DF6E-E987-4979-8CAD-1F6320A90266} - C:\Program Files\Internet Explorer\hokew.dll (file missing)
backup-20070404-193313-876 O2 - BHO: 0 - {16BB0513-375E-47EC-DDAC-466516EEDE74} - C:\Program Files\Online Services\lavuqal.dll (file missing)
backup-20070404-204832-424 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe (file missing)
backup-20070404-204842-930 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe (file missing)
backup-20070404-204934-951 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe (file missing)
backup-20070420-025416-801 O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
backup-20070420-025416-884 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070624-164056-153 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
backup-20070624-164056-432 O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
backup-20070624-164056-642 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
backup-20070624-164056-653 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
backup-20070624-164056-673 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
backup-20070624-164056-789 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
backup-20070624-164056-797 O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
backup-20070624-164056-828 O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
backup-20070624-164056-933 O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
backup-20070624-164057-801 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20070624-164057-849 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20070624-164131-276 R3 - Default URLSearchHook is missing
backup-20070624-164210-663 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
backup-20070624-164229-373 O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
backup-20070624-164346-757 O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
backup-20080204-021253-593 O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
backup-20080204-021353-600 O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
backup-20080315-051213-703 O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
backup-20080315-051214-647 O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
backup-20080315-051217-176 O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
backup-20080315-051218-487 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192044723937
backup-20080415-030008-961 O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe
backup-20080415-030049-734 O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
backup-20080415-034600-355 O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
backup-20080415-034600-662 O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{cf099ffa-63d6-c8d3-ebd3-7ad9f5798e75}.dll" DllInit
backup-20080415-052917-406 O2 - BHO: nextads browser optimizer - {cc541a79-2d0e-eee2-b93d-9f5d4d7b5676} - C:\WINDOWS\system32\{cf099ffa-63d6-c8d3-ebd3-7ad9f5798e75}.dll
backup-20080415-052917-626 O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\ddcabcdb.dll
backup-20080415-052917-677 O20 - Winlogon Notify: ddcabcdb - C:\WINDOWS\SYSTEM32\ddcabcdb.dll
backup-20080415-052917-709 O2 - BHO: (no name) - {5B595640-5DFE-4C04-88B1-86805AD912B3} - C:\WINDOWS\system32\jkkiigfd.dll (file missing)
backup-20080415-052932-220 O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\ddcabcdb.dll
backup-20080415-052932-918 O20 - Winlogon Notify: ddcabcdb - C:\WINDOWS\SYSTEM32\ddcabcdb.dll
backup-20080415-063947-293 O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\ddcabcdb.dll
backup-20080415-063947-865 O20 - Winlogon Notify: ddcabcdb - C:\WINDOWS\SYSTEM32\ddcabcdb.dll
backup-20080415-064636-249 O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
backup-20080415-133247-154 O4 - HKCU\..\Run: [WebBuying] ; C:\Program Files\Web Buying\v1.6.8\webbuying.exe
backup-20080415-133247-236 O4 - HKCU\..\Run: [BitTorrent] ; "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
backup-20080415-133247-304 O4 - HKLM\..\Run: [spa_start] ; C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{cf099ffa-63d6-c8d3-ebd3-7ad9f5798e75}.dll" DllInit
backup-20080415-133247-452 O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
backup-20080415-133247-484 O4 - HKLM\..\Run: [outlook] ; C:\Program Files\outlook\outlook.exe /auto
backup-20080415-133247-511 O4 - HKCU\..\Run: [IpWins] ; C:\Program Files\Ipwindows\ipwins.exe
backup-20080415-133247-550 O4 - HKLM\..\Run: [SoundMan] ; SOUNDMAN.EXE
backup-20080415-133247-556 O4 - HKLM\..\Run: [runner1] ; C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
backup-20080415-133247-564 O4 - HKLM\..\Run: [WorksFUD] ; C:\Program Files\Microsoft Works\wkfud.exe
backup-20080415-133247-661 O4 - HKLM\..\Run: [Microsoft Works Update Detection] ; C:\Program Files\Microsoft Works\WkDetect.exe
backup-20080415-133247-672 O4 - HKLM\..\Run: [DeluxeCommunications] ; C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20080415-133247-751 O4 - HKLM\..\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
backup-20080415-133247-817 O4 - HKLM\..\Run: [Alcmtr] ; ALCMTR.EXE
backup-20080415-133247-847 O4 - HKLM\..\Run: [Microsoft Works Portfolio] ; C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
backup-20080415-133247-950 O4 - HKLM\..\Run: [RTHDCPL] ; RTHDCPL.EXE
backup-20080415-133247-994 O4 - HKLM\..\Run: [{D0-05-5A-A2-DW}] ; c:\windows\system32\jlwnw64q.exe DWram
backup-20080415-133419-797 O4 - HKLM\..\Run: [LSA Shellu] ; C:\Documents and Settings\Owner\lsass.exe
backup-20080415-133419-876 O4 - HKLM\..\Run: [New.net Startup] ; rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>

S3 IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - c:\windows\system32\drivers\rtkhdaud.sys (file missing)
S3 PciCon - d:\pcicon.sys (file missing)
S3 pfsvgae - c:\docume~1\owner\locals~1\temp\pfsvgae.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0882&SUBSYS_10430000&REV_1001\4&9DE81E8&0&0001
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0882&SUBSYS_10430000&REV_1001\4&9DE81E8&0&0001
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_81791043&REV_01\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_81791043&REV_01\3&11583659&0&FB
Service:


-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-15 14:38:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 14:38:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 14:38:39 0 d-------- C:\WINDOWS\LastGood
2008-04-15 14:21:24 8037 --ahs---- C:\WINDOWS\system32\vyyxbccf.ini2
2008-04-15 14:18:27 370688 -----n--- C:\WINDOWS\system32\yayaxyya.dll
2008-04-15 14:13:09 68096 --a------ C:\WINDOWS\zip.exe
2008-04-15 14:13:09 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-15 14:13:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-15 14:13:09 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-15 14:13:09 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-15 14:13:09 98816 --a------ C:\WINDOWS\sed.exe
2008-04-15 14:13:09 80412 --a------ C:\WINDOWS\grep.exe
2008-04-15 14:13:09 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-15 06:39:56 370688 -----n--- C:\WINDOWS\system32\fccbxyyv.dll
2008-04-15 06:24:35 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-15 06:24:35 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-15 06:24:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-15 06:24:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-15 06:24:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-15 06:24:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-15 06:24:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-15 06:24:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-15 06:24:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-15 06:24:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-15 06:24:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-15 06:24:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-15 06:24:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-15 06:24:34 1572864 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-15 05:26:14 8192 --a------ C:\WINDOWS\Rpoint.exe
2008-04-15 03:49:28 1138 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-15 02:52:46 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-15 02:44:32 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-04-15 02:41:04 936 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-15 02:40:57 0 d--hs---- C:\WINDOWS\T3duZXI
2008-04-15 02:40:56 196669 --a------ C:\WINDOWS\system32\ocntmkdn.exe
2008-04-15 02:40:50 0 d-------- C:\WINDOWS\system32\sFi
2008-04-15 02:40:50 0 d-------- C:\WINDOWS\system32\pinz1
2008-04-15 02:40:50 0 d-------- C:\WINDOWS\system32\IDE2
2008-04-15 02:40:50 0 d-------- C:\WINDOWS\system32\ExTmp
2008-04-15 02:40:48 0 d-------- C:\WINDOWS\system32\bharebio18
2008-04-15 02:40:39 30720 --a------ C:\WINDOWS\system32\ddcabcdb.dll
2008-04-15 01:35:50 25600 --a------ C:\WINDOWS\system32\dzwrapper.dll
2008-04-15 01:35:48 9105408 --a------ C:\WINDOWS\system32\dzcore.dll
2008-04-15 01:35:48 65536 --a------ C:\WINDOWS\system32\dzcarrara.dll
2008-04-15 01:35:47 32256 --a------ C:\WINDOWS\system32\dzbryce6.dll
2008-04-15 01:35:47 2076672 --a------ C:\WINDOWS\system32\dz3delight.dll
2008-04-15 01:35:46 6131712 --a------ C:\WINDOWS\system32\daz-qt-mt.dll
2008-04-15 01:35:45 1785856 --a------ C:\WINDOWS\system32\daz-qsa.dll
2008-04-15 01:34:01 0 d-------- C:\Program Files\Common Files\DAZ
2008-04-15 01:34:00 0 d-------- C:\Program Files\DAZ
2008-04-03 14:52:26 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000001-00001102-00000004-20021102}.dat
2008-04-03 14:52:26 384 --a------ C:\WINDOWS\system32\DVCState-{00000001-00000000-00000001-00001102-00000004-20021102}.dat
2008-03-31 17:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 17:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 17:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 17:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 17:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-03-25 22:40:34 0 d-------- C:\Program Files\PCPitstop
2008-03-21 16:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 16:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 16:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 16:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-15 05:45:16 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
2008-03-15 05:34:52 0 d-------- C:\Program Files\Fallout


-- Find3M Report ---------------------------------------------------------------

2008-04-15 14:15:45 0 d-------- C:\Program Files\Common Files
2008-04-15 05:45:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 18:44:07 0 d-------- C:\Program Files\EverQuest
2008-04-13 00:26:23 0 d-------- C:\Program Files\Sony
2008-04-13 00:26:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 19:53:13 0 d-------- C:\Program Files\DivX
2008-04-08 17:12:37 0 d-------- C:\Program Files\Lavalys
2008-03-25 15:15:58 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000002-00001102-00000004-20021102}.dat
2008-03-25 15:15:58 384 --a------ C:\WINDOWS\system32\DVCState-{00000001-00000000-00000002-00001102-00000004-20021102}.dat
2008-03-12 17:55:28 0 d-------- C:\Program Files\NVIDIA Corporation
2008-03-12 17:54:57 0 d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-03-12 17:45:58 0 d-------- C:\Program Files\SpeedFan
2008-03-12 02:12:45 0 d-------- C:\Program Files\QuickTime
2008-03-11 21:01:30 0 d-------- C:\Program Files\SystemRequirementsLab
2008-03-11 11:14:58 0 d-------- C:\Program Files\eSoftware
2008-03-08 16:43:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-03-08 16:43:28 0 d-------- C:\Program Files\NCH Swift Sound
2008-03-08 16:43:28 0 d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2008-03-08 16:41:00 0 d-------- C:\Program Files\RememberNotes
2008-03-08 16:40:00 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-08 16:39:33 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 16:39:21 0 d-------- C:\Program Files\Lavasoft
2008-03-08 16:36:43 0 d-------- C:\Program Files\MediaCoder
2008-03-08 16:34:45 0 d-------- C:\Program Files\Sonic Foundry
2008-03-08 16:30:18 0 d-------- C:\Program Files\begone
2008-03-04 17:57:43 0 d-------- C:\Program Files\EQGSR3
2008-03-02 03:06:26 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-02-28 16:08:56 0 d-------- C:\Program Files\ICQ6
2008-02-23 15:06:29 0 d-------- C:\Program Files\Trillian
2008-02-19 06:23:56 0 d-------- C:\Program Files\DOSBox-0.65
2008-02-04 02:32:34 13 --a------ C:\WINDOWS\C36D-58B0-F22D-EB58.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DC2D282-D414-435E-8A26-FF3C23AC36EF}]
04/15/2008 02:40 AM 30720 --a------ C:\WINDOWS\system32\ddcabcdb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFF75E41-08C2-4D72-ABB6-8EC6EC7E3E04}]
04/15/2008 06:39 AM 370688 --------- C:\WINDOWS\system32\fccbxyyv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [10/06/2003 02:57 AM C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [10/04/2007 03:32 AM]
"RecordPadRun"="C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" [07/31/2007 02:38 PM]
"RmbNotes"="C:\Program Files\RememberNotes\RememberNotes.exe" []
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" []
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [09/04/2007 07:25 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Spyware Begone"="C:\Program Files\begone\SpywareBeGone.exe" [12/07/2006 03:20 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{88ED05A2-0C8B-1033-0320-060226060001}"="C:\Program Files\Common Files\{88ED05A2-0C8B-1033-0320-060226060001}\Update.exe" mc-110-12-0000140

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [07/28/2006 03:51 AM 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 02:55 PM 77824]
"{6DC2D282-D414-435E-8A26-FF3C23AC36EF}"= C:\WINDOWS\system32\ddcabcdb.dll [04/15/2008 02:40 AM 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcabcdb]
ddcabcdb.dll 04/15/2008 02:40 AM 30720 C:\WINDOWS\system32\ddcabcdb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fccbxyyv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"cmdService"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-04-15 15:11:58 ------------



Here's my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:48 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Owner\Desktop\Owner.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] ; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] ; "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RecordPadRun] ; "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [RmbNotes] ; C:\Program Files\RememberNotes\RememberNotes.exe SHOWPUBLIC
O4 - HKLM\..\Run: [SBDrvDet] ; C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] ; C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MsnMsgr] ; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] ; "C:\Program Files\begone\SpywareBeGone.exe" -FastScan
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{88ED05A2-0C8B-1033-0320-060226060001}] "C:\Program Files\Common Files\{88ED05A2-0C8B-1033-0320-060226060001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{88ED05A2-0C8B-1033-0320-060226060001}] "C:\Program Files\Common Files\{88ED05A2-0C8B-1033-0320-060226060001}\Update.exe" mc-110-12-0000140 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5203 bytes


Again any help that could be provided would be appreciated, thanks.

-Daravon

#2 rookie147

Posted 15 April 2008 - 03:31 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today. Without meaning to sound condescending, please don't fix entries yourself with HijackThis; it can actually do more harm than good because the main bulk of the log lists legitimate items.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Daravon

Posted 15 April 2008 - 04:54 PM

Hi, you didn't sound condescending at all. I can usually fix most things/viruses myself on my comp, but this one has me baffled, which is why I posted here. So any and all help/advice you have I'm more than happy to receive, and thank you for helping me with this by the way =).

I downloaded VundoFix and ran the scan and it didn't find any files, so there was nothing for me to remove. But I did get another HijackThis log after running VundoFix, just in case; here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:07 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] ; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] ; "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RecordPadRun] ; "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [RmbNotes] ; C:\Program Files\RememberNotes\RememberNotes.exe SHOWPUBLIC
O4 - HKLM\..\Run: [SBDrvDet] ; C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] ; C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MsnMsgr] ; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] ; "C:\Program Files\begone\SpywareBeGone.exe" -FastScan
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{88ED05A2-0C8B-1033-0320-060226060001}] "C:\Program Files\Common Files\{88ED05A2-0C8B-1033-0320-060226060001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{88ED05A2-0C8B-1033-0320-060226060001}] "C:\Program Files\Common Files\{88ED05A2-0C8B-1033-0320-060226060001}\Update.exe" mc-110-12-0000140 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5027 bytes


Again thanks for helping me with this.

-Daravon

#4 Daravon

Posted 15 April 2008 - 08:41 PM

I ran VundoFix twice just in case (SUPERAntiSpyware was finding a Vundo.variant trojan).

But here's the vundofix.txt you requested:


VundoFix V7.0.3

Scan started at 5:37:47 PM 4/15/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V7.0.3

Scan started at 5:55:14 PM 4/15/2008

Listing files found while scanning....

No infected files were found.

Hope this helps as well, again thanks!

-Daravon

#5 rookie147

Posted 16 April 2008 - 04:24 PM

Using My Computer, navigate to where you have HijackThis saved.
Right-click on the HijackThis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe and post a new log, please.



#6 Daravon

Posted 16 April 2008 - 04:38 PM

Ok, here's the log from fluffybunny:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:21 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\ddcabcdb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DC62686A-6864-4D4F-90FF-2B54FE0AFF7A} - C:\WINDOWS\system32\fccbxyyv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [RecordPadRun] ; "C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
O4 - HKLM\..\Run: [RmbNotes] ; C:\Program Files\RememberNotes\RememberNotes.exe SHOWPUBLIC
O4 - HKLM\..\Run: [SBDrvDet] ; C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{88ED05A2-0C8B-1033-0320-060226060001}] "C:\Program Files\Common Files\{88ED05A2-0C8B-1033-0320-060226060001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{88ED05A2-0C8B-1033-0320-060226060001}] "C:\Program Files\Common Files\{88ED05A2-0C8B-1033-0320-060226060001}\Update.exe" mc-110-12-0000140 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcabcdb - C:\WINDOWS\SYSTEM32\ddcabcdb.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5143 bytes


According to SUPERAntiSpyware, the file that it recognizes as Vundo is fccbxyyv.dll, which is located in C:\WINDOWS\system32; adding that in here in case it helps.

-Daravon

Edited by Daravon, 16 April 2008 - 04:40 PM.


#7 rookie147

Posted 17 April 2008 - 03:20 AM

Hi Daravon,
  • Open a new Notepad window
  • Paste the list of files from the quote box below into the notepad window.

    C:\WINDOWS\system32\ddcabcdb.dll
    C:\WINDOWS\system32\fccbxyyv.dll

  • Save this as vundofix.vft and Save as type "all files".
  • Double-click VundoFix.exe to run it.
  • Drag vundofix.vft onto the listbox (white box) of VundoFix.
  • Click the "Remove Vundo" button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click YES, your Desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
Thanks,
Charles

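Not part of the thread: as an added illustration of what the helper is doing by eye when he picks those two DLLs out of the post #6 log (two BHOs with "(no name)" loading randomly named DLLs from system32, one of which is also registered as a Winlogon Notify package), here is a Python script that applies the same checks to HijackThis-style O2 and O20 lines. The sample lines are copied from the log above; the regexes, the vowel-ratio "random name" heuristic and the function names are my own assumptions, not anything HijackThis, VundoFix or SUPERAntiSpyware implements, and a hit is a reason to look closer, not proof of infection.

```python
"""Flag suspicious BHO / Winlogon Notify entries in a HijackThis-style log.

Added example, not code from the thread or from any of the tools it mentions.
Assumed heuristics (mine, not HijackThis's):
  1. an O2 BHO reported as "(no name)" whose DLL lives in system32,
  2. an O20 Winlogon Notify DLL that is also registered as an unnamed BHO,
  3. an 8-letter, all-lowercase DLL stem with almost no vowels.
Lines that are not O2 or O20 are ignored.
"""
import ntpath
import re

# Sample input copied from the post #6 log above (O4 line included to show it is ignored).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\ddcabcdb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DC62686A-6864-4D4F-90FF-2B54FE0AFF7A} - C:\WINDOWS\system32\fccbxyyv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcabcdb - C:\WINDOWS\SYSTEM32\ddcabcdb.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")


def in_system32(path):
    """True if the DLL path points into the Windows system32 directory (case-insensitive)."""
    return "\\system32\\" in path.lower()


def looks_random(path):
    """Heuristic (assumption): 8 lowercase letters with a vowel ratio under 0.3."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() != ".dll" or len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.3


def find_suspicious(log_text):
    """Return a list of (reason, path) findings for the O2/O20 lines in log_text."""
    bhos, notifies = [], []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())

    findings = []
    unnamed_sys32 = set()  # lowercased basenames of unnamed system32 BHOs
    for b in bhos:
        path = b["path"]
        if b["name"] == "(no name)" and in_system32(path):
            unnamed_sys32.add(ntpath.basename(path).lower())
            findings.append(("unnamed BHO loading from system32", path))
        if looks_random(path):
            findings.append(("random-looking DLL name", path))
    for n in notifies:
        path = n["path"]
        if ntpath.basename(path).lower() in unnamed_sys32:
            findings.append(("Winlogon Notify DLL also registered as unnamed BHO", path))
    return findings


def suspect_dlls(log_text):
    """Distinct lowercased DLL basenames from the findings, i.e. the list a removal tool would be fed."""
    return {ntpath.basename(path).lower() for _, path in find_suspicious(log_text)}


if __name__ == "__main__":
    for reason, path in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: {path}")
    print("suspect DLLs:", sorted(suspect_dlls(SAMPLE_LOG)))
```

On the sample lines the script flags both ddcabcdb.dll and fccbxyyv.dll and nothing else: the Java ssv.dll BHO has a name and a normal stem, and the SUPERAntiSpyware Winlogon Notify entry is not also a BHO. The pairing in check 2 is the telling one here, because a DLL that registers as both a Winlogon Notify package and a nameless BHO gets loaded by winlogon.exe and by every Explorer/IE process, which is consistent with the Explorer restarts the original poster describes.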


#8 Daravon

Posted 17 April 2008 - 01:07 PM

Hi, I actually ended up getting rid of those files last night myself and my computer does look clean now. Thank you for your help, I really appreciate it.

-Daravon

#9 rookie147

Posted 18 April 2008 - 03:56 AM

Do you want me to check your HijackThis log just to make sure they have gone?

