Unknown Infection. Need Help! Hijack This


  • This topic is locked
3 replies to this topic

#1 cad40324

cad40324

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:03 AM

Posted 14 June 2008 - 12:09 PM

After downloading a torrent file about five days ago, I observed some unusual behavior in my laptop. Soon there were popups, freezes, and I kept getting notifications that my Windows Automatic Update Service doesn't work. Also, my BitDefender Antivirus service has stopped functioning. Any help would be much appreciated. I really don't want to spend a hundred dollars at the PC repair shop. :thumbsup:
Thanks, thanks, thanks!

Deckard's System Scanner v20071014.68
Run by Cory Deskins on 2008-06-14 12:57:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
115: 2008-06-14 16:57:41 UTC - RP728 - Deckard's System Scanner Restore Point
114: 2008-06-14 00:55:28 UTC - RP727 - Removed Pure Networks Platform
113: 2008-06-14 00:54:40 UTC - RP726 - Removed Network Magic
112: 2008-06-12 02:41:54 UTC - RP725 - Installed Network Magic
111: 2008-06-12 02:41:16 UTC - RP724 - Installed Pure Networks Platform


-- First Restore Point --
1: 2008-07-08 02:19:55 UTC - RP614 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Cory Deskins.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:33 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cory Deskins\My Documents\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cory Deskins.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: {b72ca925-e79c-50b9-1644-bf564ea8c034} - {430c8ae4-65fb-4461-9b05-c97e529ac27b} - C:\WINDOWS\system32\fnsimkgm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - C:\WINDOWS\system32\pmnoMEtR.dll
O2 - BHO: (no name) - {94B171F3-9139-41DF-82E5-94BFFBA5A5EE} - C:\WINDOWS\system32\khfCUNFW.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [06e45f94] rundll32.exe "C:\WINDOWS\system32\lytiioll.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_EN.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167289376197
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8C3CD32-9717-43C8-8CFD-D947B010A5BA}: NameServer = 205.152.37.23,205.152.132.23
O20 - Winlogon Notify: pmnoMEtR - C:\WINDOWS\SYSTEM32\pmnoMEtR.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8317 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,23
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 BDSelfPr - c:\program files\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S0 PxHelp20 - c:\windows\system32\drivers\pxhelp20.sys (file missing)
S3 LHidUsbK (Logitech SetPoint USB Receiver device driver) - c:\windows\system32\drivers\lhidusbk.sys (file missing)
S3 LMouKE (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 XDva032 - c:\windows\system32\xdva032.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S4 Vongo Service - c:\program files\vongo\vongoservice.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: AQU3V1JH IDE Controller
Device ID: ACPI\PNPA000\4&5D18F2DF&0
Manufacturer: (Standard mass storage controllers)
Name: AQU3V1JH IDE Controller
PNP Device ID: ACPI\PNPA000\4&5D18F2DF&0
Service: ae5fs4tk


-- Scheduled Tasks -------------------------------------------------------------

2008-06-14 12:00:00 278 --ah----- C:\WINDOWS\Tasks\A3FCA88B918B25CB.job
2008-06-13 20:33:00 280 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-06-07 18:05:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-04-30 20:33:05 398 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-07-07 22:20:54 80896 -----n--- C:\WINDOWS\system32\kmwoelwq.dll
2008-07-07 22:19:44 693123 --ahs---- C:\WINDOWS\system32\WFNUCfhk.ini2
2008-07-07 22:19:38 321536 --a------ C:\WINDOWS\system32\khfCUNFW.dll
2008-07-07 22:19:14 33280 --a------ C:\WINDOWS\system32\iiffDSMD.dll
2008-07-07 22:14:35 33280 --a------ C:\WINDOWS\system32\pmnoMEtR.dll
2008-07-07 08:36:43 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\Snapfish
2008-06-14 12:08:19 0 d-------- C:\Program Files\Trend Micro
2008-06-13 20:55:37 0 d-------- C:\WINDOWS\LastGood
2008-06-13 20:49:04 99328 --a------ C:\WINDOWS\system32\fnsimkgm.dll
2008-06-13 20:46:52 80896 --a------ C:\WINDOWS\system32\lytiioll.dll
2008-06-13 20:46:45 89600 --a------ C:\WINDOWS\system32\okdgfoxa.dll
2008-06-11 22:45:37 33280 --a------ C:\WINDOWS\system32\nnnKbcya.dll
2008-06-11 22:40:56 33280 --a------ C:\WINDOWS\system32\yayvTkHa.dll
2008-06-11 22:36:51 33280 --a------ C:\WINDOWS\system32\yayvsTno.dll
2008-06-02 21:44:41 495616 -----n--- C:\WINDOWS\system32\p365vip.dll <Not Verified; Live365.com; Live365.com Embedded MP3Pro Player for IE>
2008-06-02 20:48:25 0 dr-h----- C:\Documents and Settings\Cory Deskins\Recent
2008-05-30 08:57:47 45056 --a------ C:\WINDOWS\system32\LXPRMON.DLL <Not Verified; ; Lexmark Fax Solutions Software>
2008-05-30 08:57:47 32768 --a------ C:\WINDOWS\system32\LXPMONUI.DLL <Not Verified; ; Lexmark Fax Solutions Software>
2008-05-30 08:57:27 12288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL <Not Verified; Lexmark International, Inc.; Lexmark Fax Solutions Software Print Monitor>
2008-05-30 08:56:33 0 d-------- C:\Program Files\Lexmark Fax Solutions
2008-05-30 08:56:15 0 d-------- C:\Program Files\Lexmark 3400 Series
2008-05-30 08:55:58 274432 --a------ C:\WINDOWS\system32\lxcyinst.dll
2008-05-30 08:55:58 323584 --a------ C:\WINDOWS\system32\lxcyhcp.dll <Not Verified; ; Printer Communication System>
2008-05-29 00:31:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8


-- Find3M Report ---------------------------------------------------------------

2008-06-24 15:49:11 0 d-------- C:\Program Files\lx_cats
2008-06-13 20:55:33 0 d-------- C:\Program Files\Common Files
2008-06-11 22:33:20 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\uTorrent
2008-06-04 19:20:12 0 d-------- C:\Program Files\Safari
2008-05-29 00:36:12 0 d-------- C:\Program Files\Stardock
2008-05-29 00:36:09 0 d-------- C:\Program Files\Common Files\Stardock
2008-04-26 09:30:30 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\BitDefender
2008-04-26 09:29:37 0 d-------- C:\Program Files\BitDefender
2008-04-26 09:29:29 0 d-------- C:\Program Files\Common Files\BitDefender
2008-04-26 09:17:00 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-04-25 22:51:33 0 d-------- C:\Program Files\AVG
2008-04-25 07:24:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-24 07:15:41 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\Vso
2008-04-22 21:24:27 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\DAEMON Tools
2008-04-20 21:34:25 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\FaxCtr
2008-04-20 15:43:05 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\DVDFab
2008-04-20 15:02:54 0 d-------- C:\Program Files\Lexmark Toolbar
2008-04-20 15:00:17 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-04-19 10:30:34 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\Microsoft Games
2008-04-14 17:38:42 0 d-------- C:\Documents and Settings\Cory Deskins\Application Data\My Games
2008-04-14 16:31:24 0 d-------- C:\Program Files\Firaxis Games
2008-04-05 21:56:37 73416 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-04 23:24:29 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-30 22:56:15 34 --a------ C:\Documents and Settings\Cory Deskins\Application Data\pcouffin.log
2008-03-30 22:56:08 47360 --a------ C:\Documents and Settings\Cory Deskins\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-30 22:56:08 1144 --a------ C:\Documents and Settings\Cory Deskins\Application Data\pcouffin.inf
2008-03-30 22:56:08 7887 --a------ C:\Documents and Settings\Cory Deskins\Application Data\pcouffin.cat
2008-03-29 07:57:39 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-03-22 23:32:52 67 --a------ C:\WINDOWS\system32\GepmVnocX.dll
2008-03-22 22:45:26 668 --a------ C:\Documents and Settings\Cory Deskins\Application Data\vso_ts_preview.xml


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{430c8ae4-65fb-4461-9b05-c97e529ac27b}]
06/13/2008 08:49 PM 99328 --a------ C:\WINDOWS\system32\fnsimkgm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]
07/07/2008 10:14 PM 33280 --a------ C:\WINDOWS\system32\pmnoMEtR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94B171F3-9139-41DF-82E5-94BFFBA5A5EE}]
07/07/2008 10:19 PM 321536 --a------ C:\WINDOWS\system32\khfCUNFW.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [05/04/2006 01:58 AM]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/17/2006 01:22 AM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [06/23/2006 05:43 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 07:30 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [06/02/2006 06:21 PM]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [10/11/2005 01:23 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/15/2008 12:46 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/15/2008 12:46 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [02/15/2008 12:46 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [10/09/2007 03:46 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [07/06/2008 09:42 PM]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [11/21/2006 01:27 PM]
"06e45f94"="C:\WINDOWS\system32\lytiioll.dll" [06/13/2008 08:46 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/16/2006 12:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8EA86503-476F-476A-A55A-7225082DF3EB}"= C:\WINDOWS\system32\pmnoMEtR.dll [07/07/2008 10:14 PM 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnoMEtR]
pmnoMEtR.dll 07/07/2008 10:14 PM 33280 C:\WINDOWS\system32\pmnoMEtR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 12/06/2005 09:16 PM 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfCUNFW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan sysagent


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c130cb81-93f6-11db-b879-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

61 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-14 12:59:16 ------------
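As an added example (not part of the original thread, and not code from HijackThis or Deckard's System Scanner), here is a small Python triage script that applies, mechanically, the checks a helper applies by eye to a log like the one above: a BHO with no display name (or a GUID where the name should be) that loads an 8-letter DLL from system32, a Run value whose name is eight generated hex digits, any listed Winlogon Notify handler, and, most telling, the same DLL registered in more than one autostart location. These rules are the editor's heuristics, not HijackThis output classes; the sample lines are copied from the O2, O4, O20 and O23 sections of the log in the post.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted above (O2, O4, O20 and O23
# sections), used here as sample input for the triage rules.
SAMPLE_LOG = r"""
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: {b72ca925-e79c-50b9-1644-bf564ea8c034} - {430c8ae4-65fb-4461-9b05-c97e529ac27b} - C:\WINDOWS\system32\fnsimkgm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - C:\WINDOWS\system32\pmnoMEtR.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [06e45f94] rundll32.exe "C:\WINDOWS\system32\lytiioll.dll",b
O20 - Winlogon Notify: pmnoMEtR - C:\WINDOWS\SYSTEM32\pmnoMEtR.dll
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
"""

# Line shapes for the HijackThis sections this triage looks at.
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$')
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
GUID_RE = re.compile(r'^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$', re.I)
HEX8_RE = re.compile(r'^[0-9a-f]{8}$')
SYS32_DLL_RE = re.compile(r'\\system32\\(?P<stem>[a-z]{8})\.dll', re.I)


def system32_dll(text):
    """Lowercase stem of the first 8-letter DLL under system32 referenced in text, or None."""
    m = SYS32_DLL_RE.search(text)
    return m.group('stem').lower() if m else None


def triage(log_text):
    """Apply the triage heuristics to HijackThis log lines.

    Returns a list of (severity, subject, reason) tuples. 'medium' findings are
    single suspicious entries; 'high' findings are DLLs registered in two or
    more autostart locations at once.
    """
    findings = []
    seen_in = defaultdict(set)  # dll stem -> HJT sections it is registered in

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = BHO_RE.match(line)
        if m:
            stem = system32_dll(m['path'])
            if stem:
                seen_in[stem].add('O2')
                # No display name, or a GUID where the name should be, plus an
                # 8-letter DLL in system32: a common malware signature.
                if m['name'] == '(no name)' or GUID_RE.match(m['name']):
                    findings.append(('medium', line, 'unnamed BHO loading an 8-letter DLL from system32'))
            continue

        m = RUN_RE.match(line)
        if m:
            stem = system32_dll(m['cmd'])
            if stem:
                seen_in[stem].add('O4')
            # Legitimate Run values are named after a product; eight hex digits
            # is a generated name.
            if HEX8_RE.match(m['name']):
                findings.append(('medium', line, 'Run value with a generated 8-hex-digit name'))
            continue

        m = O20_RE.match(line)
        if m:
            stem = system32_dll(m['path'])
            if stem:
                seen_in[stem].add('O20')
            # Winlogon Notify DLLs load into winlogon.exe at logon; a handler
            # from an unknown vendor is rarely legitimate, so each one is reviewed.
            findings.append(('medium', line, 'Winlogon Notify handler'))
            continue

    # Cross-section correlation: one DLL hooked into several autostart
    # locations is far stronger evidence than any single entry.
    for stem, sections in sorted(seen_in.items()):
        if len(sections) >= 2:
            findings.append(('high', stem + '.dll', 'registered in ' + ', '.join(sorted(sections))))
    return findings


if __name__ == '__main__':
    for severity, subject, reason in triage(SAMPLE_LOG):
        print(f'[{severity:6}] {reason}: {subject}')
```

Run against the sample lines, the script leaves the Lexmark, Java and BitDefender entries alone and escalates pmnoMEtR.dll to high because it is both a BHO and a Winlogon Notify handler. The Deckard's registry dump in the same post corroborates that picture: pmnoMEtR.dll is also registered as a ShellExecuteHook, and khfCUNFW.dll has been appended to the LSA "Authentication Packages" value next to msv1_0. A heuristic hit is a reason to pull the file and check its publisher and hash, not proof on its own; the cross-section correlation is what turns several weak signals into a confident call.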

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:06:03 AM

Posted 14 June 2008 - 03:24 PM

Hello cad40324 and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 cad40324

cad40324
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:03 AM

Posted 18 June 2008 - 05:42 PM

My computer has been fixed. Thank you anyway for your time.

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:06:03 AM

Posted 18 June 2008 - 06:05 PM

You are very welcome cad40324, thanks for letting me know.

I will now close this topic. If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

OT :thumbsup:
