
Coolwwwsearch


  • This topic is locked
2 replies to this topic

#1 driverdown1982

driverdown1982

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:25 AM

Posted 09 June 2008 - 10:29 PM

Norton doesn't pick anything up, but spybot picks up the coolwwwsearch and cannot remove it. I do not know if this is related, but for a while pop-ups constantly came up when connected to the internet, as well as messages which seemed to come from my windows alerts saying automatic updates were turned off. Eventually now when I log in to the computer all I see is the background. No Task bar on the bottom, no desktop icons, just the backgrounds. I have to go through the task manager to get anything done. Please help.
Deckard's System Scanner v20071014.68
Run by Shawn on 2008-06-09 22:15:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-06-10 03:16:01 UTC - RP510 - Deckard's System Scanner Restore Point
76: 2008-06-10 01:36:33 UTC - RP509 - System Checkpoint
75: 2008-06-10 03:09:34 UTC - RP508 - Restore Operation
74: 2008-06-08 17:40:37 UTC - RP507 - System Checkpoint
73: 2008-06-08 20:17:22 UTC - RP506 - Restore Operation


-- First Restore Point --
1: 2008-06-03 07:24:14 UTC - RP434 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-09 22:18:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Navw32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Shawn\Local Settings\Temporary Internet Files\Content.IE5\LT7XXEDW\dss[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {f7b7ac50-682d-072b-7514-264c63faa799} - {997aaf36-c462-4157-b270-d28605ca7b7f} - C:\WINDOWS\system32\kjoaarql.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {E8FA0CE0-BDAA-4E34-87F5-3B6D8217A0DA} - C:\WINDOWS\system32\tuvULBUL.dll
O2 - BHO: (no name) - {ED3269C1-3877-45DD-9EF0-7EBB730D81FD} - C:\WINDOWS\system32\xxyaWPFu.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [1cf01c85] rundll32.exe "C:\WINDOWS\system32\atuoseey.dll",b
O4 - HKLM\..\Run: [BM1fc32f19] Rundll32.exe "C:\WINDOWS\system32\ensmtfam.dll",s
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCYYYYYYYYUS
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} () - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: tuvULBUL - C:\WINDOWS\system32\tuvULBUL.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O22 - SharedTaskScheduler: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 11385 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 updatee - c:\windows\system32\drivers\updatee.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 InCDsrvR (InCD Helper (read only)) - c:\program files\ahead\incd\incdsrv.exe -r <Not Verified; Nero AG; Nero AG incdsrv>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-06 19:28:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-03 16:41:17 556 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Shawn.job


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-08 21:09:33 0 --a------ C:\WINDOWS\portsv.exe
2008-06-05 00:08:41 0 d-------- C:\Program Files\IObit
2008-06-04 23:39:32 104448 --a------ C:\WINDOWS\system32\kjoaarql.dll
2008-06-04 23:35:54 97280 --a------ C:\WINDOWS\system32\atuoseey.dll
2008-06-04 23:32:54 106496 --a------ C:\WINDOWS\system32\ensmtfam.dll
2008-06-04 23:31:18 0 d-------- C:\Documents and Settings\Shawn\Application Data\Skype
2008-06-04 11:23:12 128 --a------ C:\Documents and Settings\Shawn\services.exe
2008-06-04 11:22:22 22016 -----n--- C:\WINDOWS\msupdate.exe
2008-06-04 11:22:22 14080 -----n--- C:\WINDOWS\mssys.exe
2008-06-03 19:28:30 89088 --a------ C:\WINDOWS\system32\fmiskmhp.dll
2008-06-03 19:25:31 114688 --a------ C:\WINDOWS\system32\udoxekio.dll
2008-06-03 19:19:31 103424 --a------ C:\WINDOWS\system32\ntpplpjw.dll
2008-06-03 18:27:46 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-03 16:34:05 0 d-------- C:\Program Files\Windows Sidebar
2008-06-03 16:34:03 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-03 16:32:02 0 d-------- C:\Program Files\Symantec
2008-06-03 16:32:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-03 16:23:54 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-03 12:19:07 0 d-------- C:\WINDOWS\system32\vntiho18
2008-06-03 12:19:00 69632 --a------ C:\WINDOWS\system32\iifgFVmn.dll
2008-06-03 02:57:12 21760 -----n--- C:\WINDOWS\loader.exe
2008-06-03 02:34:28 14080 --a------ C:\WINDOWS\y.exe
2008-06-03 02:34:27 29952 --a------ C:\WINDOWS\xplugin.dll
2008-06-03 02:34:27 21504 --a------ C:\WINDOWS\x.exe
2008-06-03 02:34:27 29184 --a------ C:\WINDOWS\winmgnt.exe
2008-06-03 02:34:26 15360 --a------ C:\WINDOWS\window.exe
2008-06-03 02:34:26 23808 --a------ C:\WINDOWS\winajbm.dll
2008-06-03 02:34:26 11008 --a------ C:\WINDOWS\win64.exe
2008-06-03 02:34:26 21504 --a------ C:\WINDOWS\win32e.exe
2008-06-03 02:34:25 14336 --a------ C:\WINDOWS\waol.exe
2008-06-03 02:34:25 18176 --a------ C:\WINDOWS\users32.exe
2008-06-03 02:34:25 19456 --a------ C:\WINDOWS\time.exe
2008-06-03 02:34:25 18688 --a------ C:\WINDOWS\systemcritical.exe
2008-06-03 02:34:25 15616 --a------ C:\WINDOWS\systeem.exe
2008-06-03 02:34:24 32256 --a------ C:\WINDOWS\svcinit.exe
2008-06-03 02:34:24 19200 --a------ C:\WINDOWS\svchost32.exe
2008-06-03 02:34:24 32000 --a------ C:\WINDOWS\sistem.exe
2008-06-03 02:34:23 11776 --a------ C:\WINDOWS\searchword.dll
2008-06-03 02:34:23 18688 --a------ C:\WINDOWS\rundll16.exe
2008-06-03 02:34:23 25600 --a------ C:\WINDOWS\quicken.exe
2008-06-03 02:34:23 28672 --a------ C:\WINDOWS\qttasks.exe
2008-06-03 02:34:22 26368 --a------ C:\WINDOWS\olehelp.exe
2008-06-03 02:34:21 13056 -----n--- C:\WINDOWS\notepad32.exe
2008-06-03 02:34:21 23296 --a------ C:\WINDOWS\mtwirl32.dll
2008-06-03 02:34:21 8192 --a------ C:\WINDOWS\mswsc20.dll
2008-06-03 02:34:21 22016 --a------ C:\WINDOWS\mswsc10.dll
2008-06-03 02:34:20 9728 --a------ C:\WINDOWS\msspi.dll
2008-06-03 02:34:20 28928 --a------ C:\WINDOWS\msconfd.dll
2008-06-03 02:34:19 26368 --a------ C:\WINDOWS\internet.exe
2008-06-03 02:34:18 11008 --a------ C:\WINDOWS\inetinf.exe
2008-06-03 02:34:18 20992 --a------ C:\WINDOWS\iexplorer.exe
2008-06-03 02:34:18 15104 -----n--- C:\WINDOWS\iedll.exe
2008-06-03 02:34:18 13824 --a------ C:\WINDOWS\helpcvs.exe
2008-06-03 02:34:18 16128 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-03 02:34:18 27904 --a------ C:\WINDOWS\funny.exe
2008-06-03 02:34:18 28160 --a------ C:\WINDOWS\funniest.exe
2008-06-03 02:34:17 13312 --a------ C:\WINDOWS\explorer32.exe
2008-06-03 02:34:17 14336 --a------ C:\WINDOWS\explore.exe
2008-06-03 02:34:17 15104 --a------ C:\WINDOWS\editpad.exe
2008-06-03 02:34:17 31744 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-03 02:34:16 8704 --a------ C:\WINDOWS\directx32.exe
2008-06-03 02:34:16 23296 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-03 02:34:16 23808 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-03 02:34:16 26112 --a------ C:\WINDOWS\cpan.dll
2008-06-03 02:34:16 16896 --a------ C:\WINDOWS\clrssn.exe
2008-06-03 02:34:15 12288 --a------ C:\WINDOWS\avpcc.dll
2008-06-03 02:34:15 25088 --a------ C:\WINDOWS\accesss.exe
2008-06-03 02:24:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Apple Computer
2008-06-03 02:24:01 724667 --ahs---- C:\WINDOWS\system32\uFPWayxx.ini2
2008-06-03 02:23:45 277504 --a------ C:\WINDOWS\system32\xxyaWPFu.dll
2008-06-03 02:19:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-03 02:19:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-03 02:19:16 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-06-03 02:19:01 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-03 02:19:00 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-03 02:18:58 401972 --a------ C:\WINDOWS\system32\g4.exe
2008-06-03 02:18:52 0 --a------ C:\WINDOWS\lfn.exe
2008-06-03 02:18:51 0 d--hs---- C:\WINDOWS\c2hhd24gbGFyc29u
2008-06-03 02:18:50 0 --ahs---- C:\Documents and Settings\Shawn\lsass.exe
2008-06-03 02:18:43 0 d-------- C:\WINDOWS\system32\Vco1
2008-06-03 02:18:43 0 d-------- C:\WINDOWS\system32\sTMP
2008-06-03 02:18:43 0 d-------- C:\WINDOWS\system32\Dev3
2008-06-03 02:18:43 0 d-------- C:\WINDOWS\system32\a053
2008-06-03 02:18:43 0 d-------- C:\WINDOWS\system32\6026c
2008-06-03 02:18:41 0 d-------- C:\WINDOWS\system32\vntiho05
2008-06-03 02:18:37 69632 --a------ C:\WINDOWS\system32\tuvULBUL.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-04 16:01:48 0 d-------- C:\Program Files\QuickTime
2008-06-03 16:38:25 0 d-------- C:\Program Files\Common Files
2008-04-27 14:04:20 0 d-------- C:\Documents and Settings\Shawn\Application Data\AdobeUM
2008-04-27 12:47:46 0 d-------- C:\Documents and Settings\Shawn\Application Data\Real
2008-04-13 15:48:39 0 d-------- C:\Documents and Settings\Shawn\Application Data\FrostWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
06/03/2008 04:38 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{997aaf36-c462-4157-b270-d28605ca7b7f}]
06/04/2008 11:39 PM 104448 --a------ C:\WINDOWS\system32\kjoaarql.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8FA0CE0-BDAA-4E34-87F5-3B6D8217A0DA}]
06/03/2008 02:18 AM 69632 --a------ C:\WINDOWS\system32\tuvULBUL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED3269C1-3877-45DD-9EF0-7EBB730D81FD}]
06/03/2008 02:23 AM 277504 --a------ C:\WINDOWS\system32\xxyaWPFu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1cf01c85"="C:\WINDOWS\system32\atuoseey.dll" [06/04/2008 11:35 PM]
"BM1fc32f19"="C:\WINDOWS\system32\ensmtfam.dll" [06/04/2008 11:32 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 08:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [03/22/2007 07:43 PM]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [06/08/2005 02:44 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [12/07/2007 02:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Shawn\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [12/2/2007 5:27:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [3/22/2007 7:43:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"=C:\Program Files\Video ActiveX Object\pmsngr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E8FA0CE0-BDAA-4E34-87F5-3B6D8217A0DA}"= C:\WINDOWS\system32\tuvULBUL.dll [06/03/2008 02:18 AM 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvULBUL]
tuvULBUL.dll 06/03/2008 02:18 AM 69632 C:\WINDOWS\system32\tuvULBUL.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\xxyaWPFu




-- End of Deckard's System Scanner: finished at 2008-06-09 22:19:47 ------------
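A defender's triage pass over HijackThis-style entries like those in the log above, added here as an illustration (it is not part of the thread, nor code from Deckard's System Scanner or SDFix): it parses the `Oxx - ...` line format and flags the entry types a removal helper reads first (orphaned components, Winlogon Notify DLLs, the DisableTaskMgr policy, Policies\Explorer\Run autostarts, rundll32 autostarts and BHOs backed by random-looking system32 DLLs). The sample lines are copied from the log; the eight-letter DLL-name test is an assumed heuristic, not a rule stated on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis-style entries quoted in
# the thread above (paths and CLSIDs copied from that log, not invented).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: {f7b7ac50-682d-072b-7514-264c63faa799} - {997aaf36-c462-4157-b270-d28605ca7b7f} - C:\WINDOWS\system32\kjoaarql.dll
O2 - BHO: (no name) - {E8FA0CE0-BDAA-4E34-87F5-3B6D8217A0DA} - C:\WINDOWS\system32\tuvULBUL.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [1cf01c85] rundll32.exe "C:\WINDOWS\system32\atuoseey.dll",b
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O20 - Winlogon Notify: tuvULBUL - C:\WINDOWS\system32\tuvULBUL.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# Heuristic (an assumption of this example, not a rule from the thread): the
# suspicious DLLs in this log are all eight-letter names under system32
# (kjoaarql.dll, atuoseey.dll, tuvULBUL.dll). Legitimate eight-letter names
# exist too, so hits are reported for human review, not as a verdict.
RANDOM_DLL_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.dll\b")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why a human should look at this entry
    line: str      # the original log line


def parse_entry(line):
    """Split 'O2 - BHO: name - {CLSID} - path' into (section, body), or None."""
    m = re.match(r"^([RO]\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return the entries a removal helper would inspect first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if not parsed:
            continue
        section, body = parsed
        line = raw.strip()
        if body.endswith("(no file)"):
            # Registered component whose file is gone: leftover of a removal.
            findings.append(Finding(section, "orphaned entry: no file on disk", line))
        elif section == "O20":
            findings.append(Finding(section, "Winlogon Notify DLL: loaded at every logon", line))
        elif section == "O7" and "DisableTaskMgr=1" in body:
            findings.append(Finding(section, "policy disables Task Manager", line))
        elif section == "O4" and "Policies\\Explorer\\Run" in body:
            findings.append(Finding(section, "Policies\\Explorer\\Run autostart: rarely legitimate", line))
        elif section == "O4" and "rundll32" in body.lower() and RANDOM_DLL_RE.search(body):
            findings.append(Finding(section, "rundll32 autostart of random-looking system32 DLL", line))
        elif section == "O2":
            # BHO display name is the first ' - ' field after the 'BHO: ' prefix.
            name = body.split(" - ")[0].replace("BHO: ", "", 1)
            if GUID_RE.match(name) or (name == "(no name)" and RANDOM_DLL_RE.search(body)):
                findings.append(Finding(section, "BHO with GUID or no name, random-looking DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```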


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:25 PM

Posted 10 June 2008 - 04:07 AM

Hello and welcome to BleepingComputer. :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download SDFix and save it to your desktop.
  • Double-click on SDFix.exe to extract the files to C:\SDFix
  • DO NOT use it just yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
5) Log in to your usual account.
  • Once in Safe Mode, open the SDFix folder & double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


=====

Along with the SDFix log, please post a ComboFix log. Follow the instructions for downloading and running ComboFix correctly HERE. Post back with the two logs :)
Hi there, stranger!

#3 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:25 PM

Posted 06 July 2008 - 04:49 AM

Due to lack of feedback, this thread has been closed. Should another issue arise, please post a New Topic.
Hi there, stranger!
