
Explorer Restarts Every 5 Seconds


  • This topic is locked
3 replies to this topic

#1 implodeme

  • Members
  • 3 posts

Posted 16 May 2008 - 11:57 PM

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-16 20:56:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2008-05-17 03:56:25 UTC - RP17 - Deckard's System Scanner Restore Point
16: 2008-05-17 03:25:21 UTC - RP16 - Removed Nero Reloaded PlugIn Pack 2.0.4 by GEAR
15: 2008-05-17 03:25:20 UTC - RP15 - Removed Nero 8
14: 2008-05-17 03:25:20 UTC - RP14 - Installed Nero 8
13: 2008-05-17 03:25:19 UTC - RP13 - Last known good configuration


-- First Restore Point --
1: 2008-05-17 03:25:14 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.55 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-16 21:04:01
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\hijackthis\dss.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\WINDOWS\system32\cmd.exe
C:\hijackthis\Administrator.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
F2 - REG:system.ini: Shell=
O1 - Hosts: 198.145.42.42 WEBWIN109
O1 - Hosts: 198.145.42.44 webwin110
O1 - Hosts: 66.11.230.111 webwin111
O1 - Hosts: 198.145.42.47 webwin112
O1 - Hosts: 66.11.225.50 webwin113
O1 - Hosts: 66.11.225.51 webwin114
O1 - Hosts: 66.11.225.53 webwin115
O1 - Hosts: 72.5.53.85 webwin07
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {7105627E-17E9-4CD1-BFD7-467259D6615D} - C:\WINDOWS\system32\byXRkjHX.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {E707216F-6AFF-4BD4-962D-EC5CDBA812A1} - C:\WINDOWS\system32\pmnnLFvT.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173038468328
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1180762583031
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {A8B02DCA-7648-46D6-95A8-B84EC80CA49D} (JamShellLinkX Control) - http://sitebuilder.mydomainwebhost.com/Dow...ploaderProj.cab
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{63D22F54-047A-47F1-A352-B16984E836A4}: NameServer = 68.87.69.146,68.87.85.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: pmnnLFvT - C:\WINDOWS\system32\pmnnLFvT.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


--
End of file - 12628 bytes

-- HijackThis Fixed Entries (C:\hijackthis\backups\) ---------------------------

backup-20080214-190427-103 O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
backup-20080214-190427-164 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
backup-20080214-190427-208 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.alot.com/sidebar?pr=asst&...://www.msn.com/ (obfuscated)
backup-20080214-190427-264 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
backup-20080214-190427-296 O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
backup-20080214-190427-301 O4 - .DEFAULT User Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
backup-20080214-190427-335 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
backup-20080214-190427-349 O18 - Protocol: cdefs - {B5F329B4-2BBD-48F5-ADAF-9EAF2AFE37B3} - C:\WINDOWS\System32\monki.dll
backup-20080214-190427-487 O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
backup-20080214-190427-495 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
backup-20080214-190427-616 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
backup-20080214-190427-623 O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
backup-20080214-190427-754 O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
backup-20080214-190427-843 O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
backup-20080214-190427-875 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080214-195633-650 O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
backup-20080516-194633-525 O2 - BHO: (no name) - {69ED2A94-2DB3-441A-83A1-D360C8169C11} - C:\WINDOWS\system32\byXRkjHX.dll
backup-20080516-194633-533 O2 - BHO: (no name) - {E707216F-6AFF-4BD4-962D-EC5CDBA812A1} - C:\WINDOWS\system32\pmnnLFvT.dll
backup-20080516-194633-741 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080516-194633-753 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080516-194633-930 O20 - Winlogon Notify: pmnnLFvT - C:\WINDOWS\SYSTEM32\pmnnLFvT.dll
backup-20080516-194811-359 O20 - Winlogon Notify: pmnnLFvT - C:\WINDOWS\SYSTEM32\pmnnLFvT.dll

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.js - unable to read key
.js - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R3 AtcL002 (NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller) - c:\windows\system32\drivers\l251x86.sys <Not Verified; Atheros Communications, Inc.; Atheros L2 Fast Ethernet Controller>
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>

S1 AmdK8 (AMD Processor Driver) - c:\windows\system32\drivers\amdk8.sys (file missing)
S3 CyUsb (Cypress Generic USB Driver) - c:\windows\system32\drivers\cyusb.sys <Not Verified; Cypress Semiconductor; Cypress Generic USB Device Driver>
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 qcusbmdm (Qualcomm Proprietary USB Driver (PID 3197)) - c:\windows\system32\drivers\qcusbmdm.sys <Not Verified; QUALCOMM Incorporated; QUALCOMM Incorporated USB Modem/Serial Device Driver>
S3 qcusbser (Qualcomm Diagnostic Port 3197) - c:\windows\system32\drivers\qcusbser.sys <Not Verified; QUALCOMM Incorporated; QUALCOMM Incorporated USB Modem/Serial Device Driver>
S3 TritonPC - c:\program files\bitraider\tritonpc.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 FileZilla Server (FileZilla Server FTP server) - c:\program files\filezilla server\filezilla server.exe
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Keyboard
Device ID: ACPI\PNP0303\4&2C575ACB&0
Manufacturer: Logitech
Name: PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&2C575ACB&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-05-15 01:00:01 366 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-05-01 01:00:01 368 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 20:04:55 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-05-16 20:04:55 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-05-16 20:04:55 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-05-16 20:04:55 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-16 20:04:52 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-16 20:01:23 0 d-------- C:\VundoFix Backups
2008-05-16 17:07:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-05-15 21:49:51 0 d-------- C:\Program Files\NeroInstall.bak
2008-05-15 21:35:43 1374293 --ahs---- C:\WINDOWS\system32\XHjkRXyb.ini2
2008-05-15 21:35:38 370176 --a------ C:\WINDOWS\system32\byXRkjHX.dll
2008-05-15 21:30:34 58368 --a------ C:\WINDOWS\system32\pmnnLFvT.dll
2008-05-14 21:39:44 0 d-------- C:\temp
2008-05-14 21:35:31 0 d-------- C:\WINDOWS\Prefetch
2008-05-14 21:29:51 0 d-------- C:\WINDOWS\system32\scripting
2008-05-14 21:29:51 0 d-------- C:\WINDOWS\l2schemas
2008-05-14 21:29:50 0 d-------- C:\WINDOWS\system32\en
2008-05-14 21:29:50 0 d-------- C:\WINDOWS\system32\bits
2008-05-14 21:28:04 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-14 21:26:09 0 d-------- C:\WINDOWS\network diagnostic
2008-05-14 20:29:45 0 d-------- C:\Program Files\Microsoft Research
2008-05-12 11:21:15 0 d-------- C:\Program Files\ComcastUI
2008-05-11 16:18:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-05-11 14:50:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-11 00:16:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-03 20:57:09 0 d-------- C:\Program Files\FRONTIER GROOVE
2008-05-03 18:30:19 0 d-------- C:\Program Files\GardenOrgDeluxe2.7
2008-05-03 18:30:19 0 d-------- C:\Program Files\Common Files\Borland Shared


-- Find3M Report ---------------------------------------------------------------

2008-05-16 17:42:23 0 d-------- C:\Program Files\Common Files\Nero
2008-05-16 17:27:06 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-15 21:04:38 0 d-------- C:\Program Files\PowerArchiver
2008-05-15 20:43:11 0 d-------- C:\Program Files\Common Files
2008-05-15 20:43:11 41724 ---hs---- C:\Program Files\Common Files\Yazzle1848OinUninstaller.exe
2008-05-15 14:39:35 0 d---s---- C:\Program Files\Xfire
2008-05-14 21:34:58 0 d-------- C:\Program Files\Messenger
2008-05-14 21:29:50 0 d-------- C:\Program Files\Movie Maker
2008-05-14 21:27:48 0 d-------- C:\Program Files\Windows NT
2008-05-13 23:23:43 0 d-------- C:\Program Files\Trillian
2008-05-11 18:17:51 0 d-------- C:\Program Files\Logitech
2008-05-11 18:17:50 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-05-11 14:50:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-11 00:17:01 0 d-------- C:\Program Files\Google
2008-05-07 14:57:28 1984 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-04 18:09:07 0 d-------- C:\Program Files\McAfee
2008-05-03 20:58:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-21 21:49:42 0 d-------- C:\Program Files\Windows Live
2008-04-21 21:49:27 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-13 19:03:48 0 d-------- C:\Program Files\Disney
2008-04-05 19:55:57 0 d-------- C:\Program Files\WinImage
2008-04-05 19:15:52 0 d-------- C:\Program Files\ASUS
2008-03-01 16:27:15 23 --a------ C:\WINDOWS\popcinfot.dat
2008-02-21 22:10:02 53040 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7105627E-17E9-4CD1-BFD7-467259D6615D}]
2008-05-15 21:35 370176 --a------ C:\WINDOWS\system32\byXRkjHX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E707216F-6AFF-4BD4-962D-EC5CDBA812A1}]
2008-05-15 21:30 58368 --a------ C:\WINDOWS\system32\pmnnLFvT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"NWEReboot"="" []
"DeathAdder"="C:\Program Files\Razer\DeathAdder\razerhid.exe" [2007-09-07 16:54]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 17:54]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 18:22]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-11 00:16]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-11 00:16:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E707216F-6AFF-4BD4-962D-EC5CDBA812A1}"= C:\WINDOWS\system32\pmnnLFvT.dll [2008-05-15 21:30 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnLFvT]
pmnnLFvT.dll 2008-05-15 21:30 58368 C:\WINDOWS\system32\pmnnLFvT.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXRkjHX

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
"C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
"C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{112530DC-F1D2-CF7D-5202-72B7B931636E}]
C:\WINDOWS\system32:hyprtrml.exe



-- Hosts -----------------------------------------------------------------------




-- End of Deckard's System Scanner: finished at 2008-05-16 21:06:53 ------------


#2 implodeme

  • Topic Starter
  • Members
  • 3 posts

Posted 18 May 2008 - 12:43 PM

Wow... not having a GUI (explorer) to navigate around made me go retro to the old DOS days. -- I was able to clean this up by brute force. !! Not for the novice.

This appeared to be, but was not confirmed as, a Vundo instance, as no virus/malware tool would detect it! It hooked into lsass and winlogon. Explorer would load on login but then disappear. Using TaskMan > Run... explorer, it launches but then ends up restarting every time an explorer process/subprocess is initiated. Using ProcessExplorer I was able to view what processes had these hooks in them: always in lsass and winlogon, and upon launching other programs it would hook into those as well, including taskman, procexp, and even hijackthis. Knowing what modules had the hook active in them was key to being able to close them, stopping the hooks enough to allow me to delete the files. I found that starting explorer and letting it cycle every 5 seconds allowed me to launch other programs without the hook being active in them.

With 2 cmd windows open, taskman, and procexp, I started off to battle. I say battle because in 3 attempts I got blue screens by not letting this virus do its thing.
1) Stop lsass with procexp. As soon as you do this, Windows will start a 60-second countdown to restart, so you have to be fast.
2) Run unreg.bat - this removed byXRkjHX.dll, but pmnnLFvT.dll was still in use by winlogon.
3) Run unreg.reg. It won't get all of them (as it will immediately write them back), but it got some.
4) Type unreg.bat in the cmd window but wait... Make sure the cmd window is not obscured by procexp.
5) Stop winlogon with procexp and then immediately click on the cmd window and hit ENTER to execute unreg.bat.
The machine immediately rebooted.

Explorer no longer failed on boot and the machine seemed stable. The files were removed but some of the keys remained. I removed what I could find and everything appears to be working correctly.

Some of the key KEYS in the registry that were removed, among others:

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7105627E-17E9-4CD1-BFD7-467259D6615D}]
2008-05-15 21:35 370176 --a------ C:\WINDOWS\system32\byXRkjHX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E707216F-6AFF-4BD4-962D-EC5CDBA812A1}]
2008-05-15 21:30 58368 --a------ C:\WINDOWS\system32\pmnnLFvT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnLFvT]
pmnnLFvT.dll 2008-05-15 21:30 58368 C:\WINDOWS\system32\pmnnLFvT.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXRkjHX


I wrote two files, unreg.bat and unreg.reg.

unreg.bat:
del C:\WINDOWS\system32\byXRkjHX.dll
del C:\WINDOWS\system32\pmnnLFvT.dll

unreg.reg:
This contained the keys listed above with a "-" to delete them.
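An added triage example, not code from the thread or either poster: a small Python parser that reads HijackThis-style O2/O20/F2 lines like the ones in the first post and flags the combination the second post describes, an unnamed BHO loaded from system32 whose DLL is also registered as a Winlogon Notify package. The sample lines are copied from the log above (plus two benign entries as controls); the heuristics, severity labels and the `looks_random` name check are my own assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass

# Sample input: entries copied from the HijackThis clone log in the first post, with a
# benign Adobe BHO and a benign O4 line kept as controls. Embedded so this runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7105627E-17E9-4CD1-BFD7-467259D6615D} - C:\WINDOWS\system32\byXRkjHX.dll
O2 - BHO: (no name) - {E707216F-6AFF-4BD4-962D-EC5CDBA812A1} - C:\WINDOWS\system32\pmnnLFvT.dll
O20 - Winlogon Notify: pmnnLFvT - C:\WINDOWS\system32\pmnnLFvT.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
F2 - REG:system.ini: Shell=
""".strip().splitlines()


@dataclass
class Finding:
    line: str
    reason: str
    severity: str  # "high" or "review" (labels are this example's own convention)


BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")


def dll_stem(path: str) -> str:
    """File name of a Windows path without its extension, case preserved."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption) drawn from the names in the log: exactly eight letters in
    mixed case, e.g. byXRkjHX or pmnnLFvT. A hint only; it never sets 'high' by itself."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    return stem != stem.lower() and stem != stem.upper()


def triage(lines) -> list:
    """Return findings for the persistence points this thread turned on: BHOs (O2),
    Winlogon Notify packages (O20) and the Winlogon Shell value (F2)."""
    findings = []
    # Pass 1: collect every BHO DLL so O20 entries can be cross-referenced regardless
    # of the order in which HijackThis printed the sections.
    bho_dlls = {}
    for line in lines:
        m = BHO_RE.match(line)
        if m:
            bho_dlls[dll_stem(m["path"]).lower()] = m["path"]

    # Pass 2: evaluate each line.
    for line in lines:
        m = BHO_RE.match(line)
        if m:
            stem = dll_stem(m["path"])
            unnamed = m["name"] == "(no name)"
            in_system32 = "\\system32\\" in m["path"].lower()
            if unnamed and in_system32:
                findings.append(Finding(line, "unnamed BHO loaded from system32", "high"))
            elif unnamed or looks_random(stem):
                findings.append(Finding(line, "unnamed or random-looking BHO", "review"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if dll_stem(m["path"]).lower() in bho_dlls:
                findings.append(Finding(line, "Winlogon Notify DLL is also registered as a BHO", "high"))
            else:
                findings.append(Finding(line, "third-party Winlogon Notify package; confirm publisher", "review"))
            continue
        m = SHELL_RE.match(line)
        if m and m["value"].strip().lower() != "explorer.exe":
            findings.append(Finding(line, "Winlogon Shell value is not the default Explorer.exe", "review"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```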

#3 drex23

    Bleeping Existence

  • Members
  • 456 posts

Posted 11 June 2008 - 07:45 PM

Hi, I'm not certain if you are saying you no longer need assistance. If you would like to proceed, please do the following.
  • Click Start and then Run to bring up the Run box.
  • Copy and paste the contents of this quote box into the run box:

    "%userprofile%\desktop\dss.exe" /config

  • Close all other open windows.
  • Click OK.
  • A window will now open. Click Check All and then click Scan!.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
Next


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You may need multiple posts for all that information.

#4 drex23

    Bleeping Existence

  • Members
  • 456 posts

Posted 20 June 2008 - 06:17 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened due to continuation of your original problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin your own topic.



