Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Severe Spyware Infection Including Trojans, Blocking Of Registry

  • This topic is locked This topic is locked
4 replies to this topic

#1 Cathi


  • Members
  • 2 posts
  • Local time:12:22 PM

Posted 23 May 2008 - 04:35 PM

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-23 14:01:58
Computer is in Normal Mode.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-23 14:02:31
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Documents and Settings\Owner.YOUR-6557D6F28B\cftmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Documents and Settings\Owner.YOUR-6557D6F28B\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F} - C:\WINDOWS\system32\tuvUMcyX.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: gooochi browser optimizer - {c7f962b3-48ff-a17f-9fc0-6240ea68378b} - C:\WINDOWS\system32\{61041ac0-a632-963a-4382-383979fffd3a}.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: {3f1e1c7f-dab1-409b-66e4-9c9694b62b8d} - {d8b26b49-69c9-4e66-b904-1badf7c1e1f3} - C:\WINDOWS\system32\yonapdti.dll
O2 - BHO: (no name) - {F07E1636-9896-4B51-8B47-787BAEAAC3B1} - C:\WINDOWS\system32\vtUlKCtT.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner.YOUR-6557D6F28B\cftmon.exe
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{61041ac0-a632-963a-4382-383979fffd3a}.dll" DllInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner.YOUR-6557D6F28B\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: tuvUMcyX - C:\WINDOWS\system32\tuvUMcyX.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE

End of file - 8007 bytes

-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 12:23:12 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-23 12:23:12 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-23 12:20:01 3104 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-23 12:20:01 1234720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-23 12:20:00 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-23 12:20:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 11:59:46 0 d-------- C:\kav
2008-05-21 15:16:49 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 14:41:58 0 d-------- C:\backups
2008-05-21 14:41:01 218112 --a------ C:\HijackThis.exe <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2008-05-15 15:47:44 0 d-------- C:\Documents and Settings\Owner.YOUR-6557D6F28B\Application Data\SpywareRemover
2008-05-15 15:47:31 0 d-------- C:\Program Files\SpywareRemover
2008-05-15 15:36:27 0 d-------- C:\Program Files\Windows Defender
2008-05-15 14:29:26 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-05-15 13:43:52 24576 --a------ C:\WINDOWS\bokja.exe
2008-05-15 13:24:22 30464 --a------ C:\WINDOWS\2020search2.dll
2008-05-15 12:41:57 0 d-------- C:\Program Files\MSECACHE
2008-05-14 16:55:24 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-14 16:27:33 0 d-------- C:\SymNoNav
2008-05-08 18:28:27 0 dr-h----- C:\Documents and Settings\Owner.YOUR-6557D6F28B\Recent
2008-05-08 16:20:30 0 d--hs---- C:\WINDOWS\CSC
2008-05-08 15:45:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 04:40:06 105536 --a------ C:\WINDOWS\system32\yonapdti.dll
2008-05-02 04:37:04 96320 --a------ C:\WINDOWS\system32\tcirokcb.dll
2008-05-02 04:34:39 89070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
2008-05-02 04:34:00 105536 --a------ C:\WINDOWS\system32\qijffmkk.dll
2008-05-02 04:32:35 200769 --a------ C:\WINDOWS\system32\ncntmkdm.exe
2008-05-02 04:27:26 32768 --a------ C:\WINDOWS\system32\sockots64.dll <Not Verified; ThinkPad; ThinkPad repl>
2008-04-26 15:13:45 0 d-------- C:\Webroot
2008-04-26 15:08:09 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-04-26 15:07:48 298315 --a------ C:\WINDOWS\system32\gside.exe
2008-04-26 15:05:59 49177 --a------ C:\WINDOWS\system32\jlwnw64r.exe <Not Verified; ; Browser Driver>
2008-04-26 15:01:48 200765 --a------ C:\WINDOWS\system32\ncntmkdn.exe
2008-04-26 15:01:38 400098 --a------ C:\WINDOWS\system32\g71.exe
2008-04-26 15:00:15 32000 --a------ C:\WINDOWS\stcloader.exe
2008-04-26 15:00:14 14848 --a------ C:\WINDOWS\bjam.dll
2008-04-26 14:51:22 12288 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-04-26 14:46:40 24320 --a------ C:\WINDOWS\voiceip.dll
2008-04-26 14:46:39 14592 --a------ C:\WINDOWS\swin32.dll
2008-04-26 14:46:39 28160 --a------ C:\WINDOWS\cdsm32.dll
2008-04-26 14:46:06 27136 --a------ C:\WINDOWS\mssvr.exe
2008-04-26 14:46:05 14336 --a------ C:\WINDOWS\mspphe.dll
2008-04-26 14:46:04 10496 --a------ C:\WINDOWS\2020search.dll
2008-04-26 14:43:41 25088 --a------ C:\WINDOWS\saiemod.dll
2008-04-26 14:43:35 26880 --a------ C:\WINDOWS\msapasrc.dll
2008-04-26 14:43:35 29696 --a------ C:\WINDOWS\msa64chk.dll
2008-04-26 14:42:25 11264 --a------ C:\WINDOWS\shdocpl.dll
2008-04-26 14:42:24 22016 --a------ C:\WINDOWS\ntnut.exe
2008-04-26 14:42:23 18176 --a------ C:\WINDOWS\shdocpe.dll
2008-04-26 14:40:39 12544 --a------ C:\WINDOWS\winsb.dll
2008-04-26 14:40:39 32256 --a------ C:\WINDOWS\browserad.dll
2008-04-26 14:40:37 29184 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-26 14:40:36 30464 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-26 14:40:34 9216 --a------ C:\WINDOWS\avifile32.dll
2008-04-26 14:40:33 18688 --a------ C:\WINDOWS\autodisc32.dll
2008-04-26 14:40:33 18432 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-26 14:40:32 23040 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-26 14:40:31 31744 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-26 14:40:30 9216 --a------ C:\WINDOWS\athprxy32.dll
2008-04-26 14:40:30 15104 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-26 14:40:29 31232 --a------ C:\WINDOWS\asferror32.dll
2008-04-26 14:40:28 22528 --a------ C:\WINDOWS\apphelp32.dll
2008-04-26 14:40:27 8704 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-26 13:43:59 522505 --ahs---- C:\WINDOWS\system32\TtCKlUtv.ini2
2008-04-26 13:43:50 283136 --a------ C:\WINDOWS\system32\vtUlKCtT.dll
2008-04-26 13:40:19 863 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-26 13:40:05 37376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-04-26 13:40:03 200770 --a------ C:\WINDOWS\system32\ocntmkdn.exe
2008-04-26 13:39:53 400064 --a------ C:\WINDOWS\system32\g48.exe
2008-04-26 13:39:49 32768 --a------ C:\WINDOWS\system32\sockins32.dll <Not Verified; ThinkPad; ThinkPad repl>
2008-04-26 13:39:42 49167 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-04-26 13:39:34 86144 --a------ C:\WINDOWS\system32\drivers\imapii.sys
2008-04-26 13:39:22 0 d-------- C:\WINDOWS\system32\wTMP
2008-04-26 13:39:22 0 d-------- C:\WINDOWS\system32\n3
2008-04-26 13:39:21 0 d-------- C:\WINDOWS\system32\b1
2008-04-26 13:39:14 0 d-------- C:\WINDOWS\system32\pnVes06
2008-04-26 13:39:12 0 d-------- C:\Temp
2008-04-26 13:38:40 39424 --a------ C:\WINDOWS\system32\tuvUMcyX.dll
2008-04-26 13:38:33 12288 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-04-26 13:38:33 12288 --a------ C:\Documents and Settings\Owner.YOUR-6557D6F28B\cftmon.exe
2008-04-26 13:38:17 0 d-------- C:\WINDOWS\system32\?ppPatch
2008-04-26 13:38:04 37376 --a------ C:\WINDOWS\mrofinu72.exe
2008-04-26 13:38:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-26 13:38:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-26 13:37:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-26 13:37:50 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-04-26 13:37:50 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-26 13:37:35 88491 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-26 13:37:35 88491 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-26 13:37:25 29696 --a------ C:\WINDOWS\winself.exe

-- Find3M Report ---------------------------------------------------------------

2008-05-23 13:51:25 0 d-------- C:\Program Files\Common Files
2008-05-23 11:48:17 0 d-------- C:\Program Files\Symantec
2008-05-23 11:45:44 0 d-------- C:\Program Files\BigFix
2008-05-23 11:44:33 0 d-------- C:\Program Files\Common Files\AOL
2008-05-23 11:42:41 0 d-------- C:\Documents and Settings\Owner.YOUR-6557D6F28B\Application Data\AOL
2008-05-21 15:12:05 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-22 10:21:31 0 d-------- C:\Program Files\Sam
2008-04-21 16:07:32 0 d-------- C:\Documents and Settings\Owner.YOUR-6557D6F28B\Application Data\Yahoo!
2008-04-21 15:52:24 0 d-------- C:\Documents and Settings\Owner.YOUR-6557D6F28B\Application Data\Adobe
2008-04-21 15:51:47 0 d-------- C:\Program Files\Yahoo!
2008-04-21 15:39:15 0 d-------- C:\Program Files\Norton SystemWorks
2008-04-20 14:38:50 180 --a------ C:\Documents and Settings\Owner.YOUR-6557D6F28B\Application Data\wklnhst.dat
2008-04-11 13:44:48 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-04-11 12:44:58 229526 --a------ C:\WINDOWS\system32\000070.exe
2008-04-11 09:46:26 334848 --a------ C:\WINDOWS\system32\myss_sb.dll
2008-04-07 10:26:30 328704 --a------ C:\WINDOWS\system32\{61041ac0-a632-963a-4382-383979fffd3a}.dll
2008-04-04 23:29:14 270694 --a------ C:\WINDOWS\system32\000080.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F}]
04/26/2008 01:38 PM 39424 --a------ C:\WINDOWS\system32\tuvUMcyX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c7f962b3-48ff-a17f-9fc0-6240ea68378b}]
04/07/2008 10:26 AM 328704 --a------ C:\WINDOWS\system32\{61041ac0-a632-963a-4382-383979fffd3a}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8b26b49-69c9-4e66-b904-1badf7c1e1f3}]
05/02/2008 04:40 AM 105536 --a------ C:\WINDOWS\system32\yonapdti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F07E1636-9896-4B51-8B47-787BAEAAC3B1}]
04/26/2008 01:43 PM 283136 --a------ C:\WINDOWS\system32\vtUlKCtT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/26/2008 01:38 PM]
"autoload"="C:\Documents and Settings\Owner.YOUR-6557D6F28B\cftmon.exe" [04/26/2008 01:38 PM]
"spa_start"="C:\WINDOWS\system32\{61041ac0-a632-963a-4382-383979fffd3a}.dll" [04/07/2008 10:26 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]

"autoload"="C:\Documents and Settings\Owner.YOUR-6557D6F28B\cftmon.exe" [04/26/2008 01:38 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/26/2008 01:38 PM]

"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

"DisableTaskMgr"=1 (0x1)

"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

"NoActiveDesktop"=0 (0x0)

"{1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F}"= C:\WINDOWS\system32\tuvUMcyX.dll [04/26/2008 01:38 PM 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUMcyX]
tuvUMcyX.dll 04/26/2008 01:38 PM 39424 C:\WINDOWS\system32\tuvUMcyX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\vtUlKCtT

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule

-- End of Deckard's System Scanner: finished at 2008-05-23 14:18:19 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-34
Percentage of Memory in Use: 20%
Physical Memory (total/avail): 958.23 MiB / 757.57 MiB
Pagefile Memory (total/avail): 2315.27 MiB / 2231.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.38 MiB

C: is Fixed (NTFS) - 104.94 GiB total, 86.74 GiB free.
D: is Fixed (FAT32) - 6.83 GiB total, 4.77 GiB free.

\\.\PHYSICALDRIVE0 - ST9120824A - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 104.94 GiB - C:
\PARTITION1 - Unknown - 6.84 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec)
AV: Norton AntiVirus v2005 (Symantec Corporation) Disabled Outdated
AV: Symantec AntiVirus Corporate Edition v10.1.4.4000 (Symantec Corporation) Outdated


"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1153797765\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1153797765\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner.YOUR-6557D6F28B\Application Data
CommonProgramFiles=C:\Program Files\Common Files
HOMEPATH=\Documents and Settings\Owner.YOUR-6557D6F28B
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
ProgramFiles=C:\Program Files
USERPROFILE=C:\Documents and Settings\Owner.YOUR-6557D6F28B

-- User Profiles ---------------------------------------------------------------

Owner.YOUR-6557D6F28B (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\aolunins_us.exe
American Greetings CreataCard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAB5833D-3C28-42CA-B160-A0F5B3BDD17C}\setup.exe" -l0x9 anything
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Broadcom 802.11 Network Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose
Browser Address Error Redirector --> regsvr32 /u /s "c:\windows\system32\BAE.dll"
Carmen Sandiego Word Detective v1.0.1 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Broderbund Software\Carmen Word Detective\DeIsL1.isu"
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta0300a.INF
Connection Keep Alive --> MsiExec.exe /I{77364F85-6219-4CB8-AAA0-6D53368D683D}
Deewoo Network Manager removal --> C:\WINDOWS\system32\ncntmkdm.exe -UPop
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Enhancement Browser Tools Gooochi --> C:\WINDOWS\system32\{61041ac0-a632-963a-4382-383979fffd3a}.dll-uninst.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
gtw_logo --> C:\WINDOWS\system32\gtw_logo.scr /UNINSTALL "C:\WINDOWS\system32\gtw_logo.log"
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSRedist --> MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
MySidesearch Search Assistant Adzgalore --> C:\WINDOWS\system32\myss_sb_uninstall.exe
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
NAVShortcut --> MsiExec.exe /I{F325CF11-27CE-4872-8022-6E9EB27DF24F}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Cleanup --> MsiExec.exe /I{CA31120D-2101-484D-9FF1-195DE96FE346}
Norton GoBack 4.1 --> MsiExec.exe /I{1F76ACFA-22FE-49F6-BC05-F4EC835F48CC}
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton SystemWorks --> MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks 2006 --> MsiExec.exe /I{71E7B3F5-CFAF-4C1E-B494-528E28707937}
Norton SystemWorks 2006 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{71E7B3F5-CFAF-4C1E-B494-528E28707937}.exe" /X
Norton Utilities --> MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NSW_DRM_COLLECTION --> MsiExec.exe /I{900B1884-2D6F-4a70-A3C7-C3F4DA873FDB}
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Pure Networks Port Magic --> C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_0300107B\HXFSETUP.EXE -U -Iqta0300m.inf
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SpywareRemover --> MsiExec.exe /X{59922AF4-4769-47D4-AE87-28E6CCB2C29B}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Where in Time is Carmen Sandiego? v3.0 Demo --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Broderbund Software\Where in Time is Carmen Sandiego v3.0 Demo\DeIsL1.isu"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB919803 --> "C:\WINDOWS\$NtUninstallKB919803$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

-- Application Event Log -------------------------------------------------------

Event Record #/Type15865 / Error
Event Submitted/Written: 05/23/2008 00:02:00 PM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of c:\kav\kis\kis.en.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type15864 / Error
Event Submitted/Written: 05/23/2008 00:02:00 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Event Record #/Type15863 / Error
Event Submitted/Written: 05/23/2008 00:01:59 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type15862 / Error
Event Submitted/Written: 05/23/2008 00:01:59 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type15861 / Warning
Event Submitted/Written: 05/23/2008 11:59:32 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type24989 / Error
Event Submitted/Written: 05/23/2008 11:59:32 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service MSIServer with arguments ""
in order to run the server:

Event Record #/Type24988 / Error
Event Submitted/Written: 05/23/2008 11:58:43 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:

Event Record #/Type24987 / Error
Event Submitted/Written: 05/23/2008 11:57:25 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:

Event Record #/Type24986 / Error
Event Submitted/Written: 05/23/2008 11:57:11 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:

Event Record #/Type24985 / Error
Event Submitted/Written: 05/23/2008 11:56:53 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:

-- End of Deckard's System Scanner: finished at 2008-05-23 12:08:07 ------------

Computer extremely slow. *.exe files have been disabled. Creates multiple work offline attempts. Sometimes desktop freezes before the "start" and other desktop icons are visible. Cannot update or edit the registry. Adminstrator rights have been blocked. Over 287 detected spyware attacks. I have cleaned up some but others continue to replicate. Successfully removed QDRDRIVE, QDRMODULE, QDRPACK folders and executibles.

BC AdBot (Login to Remove)


#2 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:22 PM

Posted 23 May 2008 - 05:09 PM

Hello Cathi :) Welcome to the BC HijackThis Log and Analysis forum.. I will be assisting you and will need some time to look over your log.

Please advice me of any programs you have already ran to try and fix the problems you have encountered. I would also ask that you refrain from running any tools other than those we will ask you to while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Since all of our helpers are volunteers and this is a holiday weekend I may be a little slower getting back to you, but don't despair as I won't forget. :thumbsup:


If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Cathi

  • Topic Starter

  • Members
  • 2 posts
  • Local time:12:22 PM

Posted 24 May 2008 - 05:15 PM

I have run spy doctor, spyware remover, ccclean, dss.exe, kaspersky 7.0, sp_exe_fix, norton, and ???? I have run a lot of different things and the kaspersky is holding it right now and not allowing any more serious hits. It would be so wonderful if I could find the cd's that came with this computer because I would be rebuilding this puppy right now. This is getting frustrating. Been at this for a couple of weeks now.

#4 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:22 PM

Posted 26 May 2008 - 07:00 AM

Hello again Cathi

Hate to be the bearer of bad news :thumbsup: but your computer is severely infected as you may have suspected due to the problems you are experiencing with it. I know you posted that you cannot find your reinstall CD, but I still need to post the following warning.

One or more of the identified infections is a backdoor Trojan

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

If you wish to continue with the cleaning process then please perform the following. If not please let me know

1)Go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "MsSecurity Updated (MsSecurity1.209.40". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Now do the same for this service: "Task Scheduler (Schedule) "

2)It is imperative that you do not pass up the step for installing the Recovery Console in the following. If you have any problems with it stop and let us know.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

New HijackThis log.



If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 don77


    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass
  • Local time:01:22 PM

Posted 03 June 2008 - 10:45 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users