Your Computer Is Infected With Spyware


  • This topic is locked
11 replies to this topic

#1 Jack2008

  • Members
  • 6 posts

Posted 19 June 2008 - 08:15 PM

Simply put... my computer's condom failed and I have an infection!

My spyware can't seem to clean the problem. My wallpaper has been replaced with a SPYWARE advertisement. The pop-ups all take me to the website listed in the topic description. Task Manager has been disabled. System Restore has been disabled. Whenever Internet Explorer is open, new and varied websites keep opening up in new windows faster than I can close them.

A Google search on the topic description string led me to your site and work one of your administrators did for somebody else who had identical problems. I downloaded SmitfraudFix and ran it with no improvement. DSS has been run and I have the results to upload.

Deckard's System Scanner v20071014.68
Run by Jack on 2008-06-19 18:47:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jack.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:47:19, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\windows\system32\jnwnw64o.exe
C:\WINDOWS\system32\pcntokdm.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\YSTEM~1\ati2evxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SmFjayBFLiAgU3RvbmU\command.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hpbpro.exe
C:\WINDOWS\system32\hpboid.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Jack\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jack.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=37139
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {299FB497-9C1B-4BD6-AC85-C02BE92CB2B1} - C:\WINDOWS\system32\ddcDtrRh.dll
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\efcBrolK.dll
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AF459638-22D3-242B-AA3D-7DA296EB49C7} - C:\WINDOWS\system32\htcipj.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: gooochi browser optimizer - {f478f97a-75e7-c41b-252e-913d01fbeb23} - C:\WINDOWS\system32\{201d6619-7dd4-902a-4118-daf475ddcf3a}.dll
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [{68-83-35-52-DW}] C:\windows\system32\jnwnw64o.exe DWram1
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pcntokdm.exe DWram1
O4 - HKLM\..\Run: [{b89e33aa-b0e2-9aff-2615-5607f0770f22}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{201d6619-7dd4-902a-4118-daf475ddcf3a}.dll" DllStart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Amse] "C:\WINDOWS\system32\YSTEM~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Sbkcn] "C:\Documents and Settings\Jack\My Documents\S?mantec\?canregw.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jnwnw64o.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202230274248
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Jack\Local Settings\Temp\EI40_\msxml4.cab
O20 - Winlogon Notify: efcBrolK - C:\WINDOWS\SYSTEM32\efcBrolK.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFjayBFLiAgU3RvbmU\command.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7501 bytes

-- Files created between 2008-05-19 and 2008-06-19 -----------------------------

2008-06-19 18:44:47 25376 --a------ C:\WINDOWS\system32\yayxwxxu.dll
2008-06-19 18:30:55 20736 --a------ C:\WINDOWS\iexplorer.exe
2008-06-19 18:25:16 12800 --a------ C:\WINDOWS\y.exe
2008-06-19 18:25:15 20736 --a------ C:\WINDOWS\xplugin.dll
2008-06-19 18:25:15 22272 --a------ C:\WINDOWS\x.exe
2008-06-19 18:25:15 19712 --a------ C:\WINDOWS\winmgnt.exe
2008-06-19 18:25:15 31488 --a------ C:\WINDOWS\window.exe
2008-06-19 18:25:14 18432 --a------ C:\WINDOWS\winajbm.dll
2008-06-19 18:25:14 32256 --a------ C:\WINDOWS\win64.exe
2008-06-19 18:25:13 19968 --a------ C:\WINDOWS\win32e.exe
2008-06-19 18:25:13 23808 --a------ C:\WINDOWS\waol.exe
2008-06-19 18:25:12 12032 --a------ C:\WINDOWS\users32.exe
2008-06-19 18:25:12 20992 --a------ C:\WINDOWS\time.exe
2008-06-19 18:25:12 27392 --a------ C:\WINDOWS\systemcritical.exe
2008-06-19 18:25:11 30976 --a------ C:\WINDOWS\systeem.exe
2008-06-19 18:25:11 27392 --a------ C:\WINDOWS\olehelp.exe
2008-06-19 18:25:10 32000 --a------ C:\WINDOWS\notepad32.exe
2008-06-19 18:25:10 27904 --a------ C:\WINDOWS\mtwirl32.dll
2008-06-19 18:25:09 12032 --a------ C:\WINDOWS\loader.exe
2008-06-19 18:25:09 26112 --a------ C:\WINDOWS\cpan.dll
2008-06-19 18:25:08 31744 --a------ C:\WINDOWS\clrssn.exe
2008-06-19 18:25:08 28416 --a------ C:\WINDOWS\avpcc.dll
2008-06-19 18:25:06 27648 --a------ C:\WINDOWS\accesss.exe
2008-06-19 18:23:58 2816 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-19 18:23:12 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-19 18:23:12 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-19 18:23:12 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-19 18:23:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-19 18:23:12 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-19 18:23:12 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-19 18:23:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-19 18:23:12 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-19 17:34:02 0 d-------- C:\Program Files\Trend Micro
2008-06-19 17:15:25 49196 --a------ C:\WINDOWS\system32\jnwnw64o.exe <Not Verified; ; Browser Driver>
2008-06-19 17:05:49 200768 --a------ C:\WINDOWS\system32\pcntokdm.exe
2008-06-19 17:05:43 401972 --a------ C:\WINDOWS\system32\g35.exe
2008-06-19 17:01:51 10240 --a------ C:\WINDOWS\searchword.dll
2008-06-19 17:01:50 26368 --a------ C:\WINDOWS\rundll16.exe
2008-06-19 17:01:50 17664 --a------ C:\WINDOWS\quicken.exe
2008-06-19 17:01:50 17152 --a------ C:\WINDOWS\qttasks.exe
2008-06-19 17:01:49 24064 --a------ C:\WINDOWS\mswsc20.dll
2008-06-19 17:01:49 32000 --a------ C:\WINDOWS\mswsc10.dll
2008-06-19 17:01:49 28672 --a------ C:\WINDOWS\msupdate.exe
2008-06-19 17:01:49 16384 --a------ C:\WINDOWS\mssys.exe
2008-06-19 17:01:49 9728 --a------ C:\WINDOWS\msspi.dll
2008-06-19 17:01:48 14336 --a------ C:\WINDOWS\msconfd.dll
2008-06-19 17:01:48 26880 --a------ C:\WINDOWS\internet.exe
2008-06-19 17:01:48 22016 --a------ C:\WINDOWS\inetinf.exe
2008-06-19 17:01:48 32000 --a------ C:\WINDOWS\iedll.exe
2008-06-19 17:01:47 17408 --a------ C:\WINDOWS\helpcvs.exe
2008-06-19 17:01:47 13568 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-19 17:01:47 11008 --a------ C:\WINDOWS\funny.exe
2008-06-19 17:01:47 19968 --a------ C:\WINDOWS\funniest.exe
2008-06-19 17:01:47 23552 --a------ C:\WINDOWS\explorer32.exe
2008-06-19 17:01:47 31744 --a------ C:\WINDOWS\explore.exe
2008-06-19 17:01:47 24064 --a------ C:\WINDOWS\editpad.exe
2008-06-19 17:01:46 24832 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-19 17:01:46 16896 --a------ C:\WINDOWS\directx32.exe
2008-06-19 17:01:46 11008 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-19 17:01:46 32512 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-19 16:57:09 18432 --a------ C:\WINDOWS\svcinit.exe
2008-06-19 16:57:09 28160 --a------ C:\WINDOWS\svchost32.exe
2008-06-19 16:57:09 29696 --a------ C:\WINDOWS\sistem.exe
2008-06-19 16:48:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-19 16:44:56 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-19 16:44:56 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-19 16:44:56 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-19 16:44:56 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-19 16:44:56 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-19 16:44:56 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-19 16:40:56 49187 --a------ C:\WINDOWS\system32\vlwnw64.exe <Not Verified; ; Browser Driver>
2008-06-19 16:37:26 0 d-------- C:\Program Files\Outerinfo
2008-06-19 16:37:26 0 d-------- C:\Program Files\Data Recovery Wizard
2008-06-19 15:55:48 3026944 --a------ C:\Documents and Settings\Jack\ntuser.dat
2008-06-19 15:55:33 911 --ahs---- C:\WINDOWS\system32\hRrtDcdd.ini2
2008-06-19 15:55:29 322048 --a------ C:\WINDOWS\system32\ddcDtrRh.dll
2008-06-19 15:53:50 0 d-------- C:\Program Files\AntiSpywareMaster
2008-06-19 15:53:49 25088 --a------ C:\WINDOWS\system32\ljJYRIBU.dll
2008-06-19 15:51:04 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-06-19 15:51:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-06-19 15:50:59 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-06-19 15:50:59 0 d--hs---- C:\WINDOWS\SmFjayBFLiAgU3RvbmU
2008-06-19 15:50:59 0 d-------- C:\Program Files\Network Monitor
2008-06-19 15:50:45 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-06-19 15:50:45 60928 --a------ C:\WINDOWS\system32\htcipj.dll
2008-06-19 15:50:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-19 15:50:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-19 15:50:40 88537 --a------ C:\WINDOWS\system32\iftuyszv.exe <Not Verified; Microsoft; XML Media>
2008-06-19 15:50:40 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-19 15:50:40 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-19 15:50:38 200774 --a------ C:\WINDOWS\system32\mcntmadm.exe
2008-06-19 15:50:35 49167 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-06-19 15:50:34 86144 --a------ C:\WINDOWS\system32\drivers\hidbattt.sys
2008-06-19 15:50:32 0 d-------- C:\WINDOWS\system32\eb10
2008-06-19 15:50:32 0 d-------- C:\WINDOWS\system32\bgi
2008-06-19 15:50:32 0 d-------- C:\WINDOWS\system32\axc
2008-06-19 15:50:32 0 d-------- C:\WINDOWS\system32\1049a
2008-06-19 15:50:29 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-06-19 15:50:28 0 d-------- C:\WINDOWS\system32\?ystem
2008-06-19 15:50:26 0 d-------- C:\WINDOWS\system32\netrax01
2008-06-19 15:50:26 25088 --a------ C:\WINDOWS\system32\efcBrolK.dll
2008-05-27 07:45:48 373248 --a------ C:\WINDOWS\system32\{201d6619-7dd4-902a-4118-daf475ddcf3a}.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-19 17:19:42 0 d-------- C:\Documents and Settings\Jack\Application Data\Spyware Terminator
2008-06-19 17:05:04 0 d-------- C:\Program Files\PDF995
2008-06-19 17:04:38 0 d-------- C:\Program Files\Social Security Calculator
2008-06-19 16:48:30 0 d-------- C:\Program Files\Spyware Terminator
2008-06-19 16:37:26 0 d-------- C:\Program Files\Common Files
2008-05-27 08:15:13 0 d-------- C:\Program Files\qbridge7
2008-05-17 19:47:04 0 d-------- C:\Program Files\ACBL Score
2008-04-22 09:53:00 0 d-------- C:\Program Files\Dealmaster
2008-04-01 09:12:01 25016 --a------ C:\Documents and Settings\Jack\Application Data\GDIPFONTCACHEV1.DAT
2008-03-30 12:54:08 286720 --a------ C:\WINDOWS\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{299FB497-9C1B-4BD6-AC85-C02BE92CB2B1}]
06/19/2008 15:55 322048 --a------ C:\WINDOWS\system32\ddcDtrRh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C28EAFB-FF50-4F42-8D39-A006129CC907}]
06/19/2008 15:50 25088 --a------ C:\WINDOWS\system32\efcBrolK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF459638-22D3-242B-AA3D-7DA296EB49C7}]
05/29/2008 12:34 60928 --a------ C:\WINDOWS\system32\htcipj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f478f97a-75e7-c41b-252e-913d01fbeb23}]
05/27/2008 07:45 373248 --a------ C:\WINDOWS\system32\{201d6619-7dd4-902a-4118-daf475ddcf3a}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [12/10/2005 05:06]
"nwiz"="nwiz.exe" [12/10/2005 05:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [12/10/2005 05:06]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 13:50]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 09:33]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [05/01/2002 11:50]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [06/25/2004 18:32]
"{68-83-35-52-DW}"="C:\windows\system32\jnwnw64o.exe" [06/19/2008 17:15]
"runner1"="C:\WINDOWS\mrofinu572.exe" []
"ExploreUpdSched"="C:\WINDOWS\system32\pcntokdm.exe" [06/19/2008 17:05]
"{b89e33aa-b0e2-9aff-2615-5607f0770f22}"="C:\WINDOWS\system32\{201d6619-7dd4-902a-4118-daf475ddcf3a}.dll" [05/27/2008 07:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 20:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56]
"Amse"="C:\WINDOWS\system32\YSTEM~1\ati2evxx.exe" [06/19/2008 15:50]
"Sbkcn"="C:\Documents and Settings\Jack\My Documents\S?mantec\?canregw.exe" []

C:\Documents and Settings\Jack\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\pcntokdm.exe [6/19/2008 5:05:49 PM]
DW_Start.lnk - C:\WINDOWS\system32\jnwnw64o.exe [6/19/2008 5:15:25 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9C28EAFB-FF50-4F42-8D39-A006129CC907}"= C:\WINDOWS\system32\efcBrolK.dll [06/19/2008 15:50 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcBrolK]
efcBrolK.dll 06/19/2008 15:50 25088 C:\WINDOWS\system32\efcBrolK.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcDtrRh

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-19 18:48:30 ------------
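Reading the log above as a checklist of autostart points, rather than as a list of odd file names, is what the helpers on this forum do by hand. The script below is an added example written for this page, not code from the thread, from HijackThis or from DSS. It parses the HJT sections that matter for persistence (F2 Userinit, O2 BHOs, O4 Run keys and Startup folder, O20 Winlogon Notify, O23 services) plus two DSS registry-dump values (DisableTaskMgr and the LSA Authentication Packages list) and grades each hit. The sample lines are copied from the two logs in this thread (the second one is the post-MBAM log in reply #4); the KNOWN_GOOD allowlist, the severity labels and the "look-alike path" and "GUID-style value name" rules are the editor's own assumptions, and the script flags persistence locations, not malware families.

```python
"""Triage HijackThis (HJT) and Deckard's System Scanner (DSS) log lines. Added example for this
thread, not code from BleepingComputer, HJT or DSS; allowlist and severity rules are the editor's own."""
import re

# Assumed-benign files at the autostart points in the posted log (names only; real triage verifies hashes).
KNOWN_GOOD = {"userinit.exe", "ctfmon.exe", "nvcpl.dll", "nwiz.exe", "nvmctray.dll",
              "nerocheck.exe", "hpztsb12.exe", "acroiehelper.dll", "itouch.exe",
              "em_exec.exe", "wmpnscfg.exe", "nvsvc32.exe", "hpbpro.exe", "hpboid.exe"}

def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def target_of(cmd):
    """File a Run-key command line really loads (follows rundll32 to its DLL)."""
    cmd = cmd.strip()
    exe, _, rest = cmd[1:].partition('"') if cmd.startswith('"') else cmd.partition(" ")
    if basename(exe) == "rundll32.exe":  # rundll32 <dll>,<entry>  or  rundll32 "<dll>" <entry>
        rest = rest.strip()
        exe = rest[1:].partition('"')[0] if rest.startswith('"') else rest.split(",")[0].split(" ")[0]
    return exe

def triage_line(line, key=None):
    """(severity, reason) for one HJT or DSS registry-dump line, or None."""
    line = line.strip()
    # F2: anything chained after userinit.exe runs at every interactive logon.
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if m:
        extra = [p for p in m.group(1).split(",") if p and basename(p) != "userinit.exe"]
        return ("high", "Userinit chain loads " + ", ".join(extra)) if extra else None
    # O20: Winlogon Notify DLLs load into winlogon.exe, which runs as SYSTEM.
    m = re.match(r"O20 - Winlogon Notify: \S+ - (.+)$", line)
    if m and basename(m.group(1)) not in KNOWN_GOOD:
        return ("high", "Winlogon Notify DLL " + m.group(1))
    # O23: HJT prints "Unknown owner" when the binary carries no vendor information.
    m = re.match(r"O23 - Service: (.+?) - (.+?) - (.+)$", line)
    if m and "(file missing)" in m.group(3):
        return ("low", "service registered but binary gone: " + m.group(1))
    if m and m.group(2) == "Unknown owner" and basename(m.group(3)) not in KNOWN_GOOD:
        return ("high", "service without vendor info: " + m.group(1))
    # O2: a BHO CLSID with no file is a leftover; one with a DLL on disk is live code in IE.
    m = re.match(r"O2 - BHO: .+? - (\{[0-9A-Fa-f-]+\}) - (.+)$", line)
    if m and m.group(2) == "(no file)":
        return ("low", "orphaned BHO " + m.group(1))
    if m and basename(m.group(2)) not in KNOWN_GOOD:
        return ("high", "BHO loads " + m.group(2))
    # O4: Run keys and Startup folder. HJT prints non-ASCII characters as '?', so a
    # path like S?mantec\?canregw.exe is a look-alike folder name, not a typo in the log.
    m = (re.match(r"O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$", line)
         or re.match(r"O4 - Startup: (.+?) = (.+)$", line))
    if m:
        name, target = m.group(1), target_of(m.group(2))
        if "?" in target:
            return ("high", f"[{name}] runs from a look-alike path: {target}")
        if re.fullmatch(r"\{.*\}", name):
            return ("high", f"GUID-style Run value [{name}] -> {target}")
        if target.lower().startswith("c:\\windows\\") and basename(target) not in KNOWN_GOOD:
            return ("high", f"[{name}] starts an unknown file in the Windows tree: {target}")
    # DSS registry dump values; `key` is the [HKEY_...] header seen last.
    if re.match(r'"DisableTaskMgr"=1\b', line):
        return ("medium", f"Task Manager disabled by policy in {key}")
    m = re.match(r'"Authentication Packages"= ?(.+)$', line)
    extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"] if m else []
    return ("high", "extra LSA authentication package: " + " ".join(extra)) if extra else None

def triage(text):
    findings, key = [], None
    for raw in text.splitlines():
        if raw.startswith("[HKEY_"):
            key = raw.strip("[]")
        elif hit := triage_line(raw, key):
            findings.append((hit[0], hit[1], raw.strip()))
    return findings

# Constructed sample: lines copied from the first (infected) log in post #1.
LOG_BEFORE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {299FB497-9C1B-4BD6-AC85-C02BE92CB2B1} - C:\WINDOWS\system32\ddcDtrRh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{68-83-35-52-DW}] C:\windows\system32\jnwnw64o.exe DWram1
O4 - HKLM\..\Run: [{b89e33aa-b0e2-9aff-2615-5607f0770f22}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{201d6619-7dd4-902a-4118-daf475ddcf3a}.dll" DllStart
O4 - HKCU\..\Run: [Sbkcn] "C:\Documents and Settings\Jack\My Documents\S?mantec\?canregw.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntokdm.exe
O20 - Winlogon Notify: efcBrolK - C:\WINDOWS\SYSTEM32\efcBrolK.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFjayBFLiAgU3RvbmU\command.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcDtrRh
"""

# Constructed sample: lines copied from the second log (post #4, after the MBAM run).
LOG_AFTER = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"""

if __name__ == "__main__":
    print(*triage(LOG_BEFORE), *triage(LOG_AFTER), sep="\n")
```

Run as-is it prints the findings for both logs. On the first log the entries that matter most are the ones that run before the user's desktop appears: the second executable chained onto Userinit, the Winlogon Notify DLL and the extra LSA authentication package load inside winlogon.exe or lsass.exe at logon as SYSTEM, which is why a user-mode scanner started from the infected session can be blocked or find its deletions undone. On the second log the only hits left are the aspnet_state service entry whose binary is gone (a leftover, not live code) and the HKLM DisableTaskMgr policy, which the MBAM run did not reset; residue of that kind is what a follow-up log is meant to catch.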


#2 Jack2008 (Topic Starter)

  • Members
  • 6 posts

Posted 19 June 2008 - 10:23 PM

I don't see a method of removing this post... so will simply update the post in the form of a reply. While waiting for help from a "trained technician" I found another post that indicated their problem had been solved by the downloading and running of Malwarebytes' Anti-Malware and had an attached link. This appears to have solved my problem as well. I am sure there are backups and copies lurking... but at least I am able to work again.

#3 rookie147

  • Members
  • 5,321 posts

Posted 20 June 2008 - 03:45 AM

Hi there Jack2008,
It is unlikely that MBAM removed all of the malware present so therefore there is a danger that you may be reinfected soon in the future. Please can you post another HijackThis log, which we'll check and get rid of any additional pieces of malware that are still hiding?

If you are pleased with the service I have offered, you may like to consider making a donation.


#4 Jack2008 (Topic Starter)

  • Members
  • 6 posts

Posted 20 June 2008 - 09:28 AM

Good Morning rookie147. Here are the results of a new scan:

Deckard's System Scanner v20071014.68
Run by Jack on 2008-06-20 08:22:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jack.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:22:58, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hpbpro.exe
C:\WINDOWS\system32\hpboid.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Malware Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jack.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=37139
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202230274248
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Jack\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3572 bytes

-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-20 08:22:46 0 d-------- C:\Program Files\Trend Micro
2008-06-20 08:21:07 0 d-------- C:\Program Files\Malware Tools
2008-06-19 21:33:53 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-19 19:48:08 0 d-------- C:\Documents and Settings\Jack\Application Data\Malwarebytes
2008-06-19 19:47:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 19:47:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 18:23:58 2816 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-19 18:23:12 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-19 18:23:12 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-19 18:23:12 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-19 18:23:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-19 18:23:12 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-19 18:23:12 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-19 18:23:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-19 18:23:12 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-19 17:05:43 401972 --a------ C:\WINDOWS\system32\g35.exe
2008-06-19 16:48:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-19 16:44:56 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-19 16:44:56 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-19 16:44:56 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-19 16:44:56 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-19 16:44:56 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-19 16:44:56 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-19 15:55:48 3026944 --a------ C:\Documents and Settings\Jack\ntuser.dat
2008-06-19 15:50:59 0 d--hs---- C:\WINDOWS\SmFjayBFLiAgU3RvbmU
2008-06-19 15:50:45 60928 -----n--- C:\WINDOWS\system32\htcipj.dll
2008-06-19 15:50:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-19 15:50:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-19 15:50:40 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-19 15:50:40 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-19 15:50:28 0 d-------- C:\WINDOWS\system32\?ystem
2008-06-19 15:50:26 0 d-------- C:\WINDOWS\system32\netrax01


-- Find3M Report ---------------------------------------------------------------

2008-06-19 20:59:38 0 d-------- C:\Program Files\TaxCut07
2008-06-19 20:30:31 0 d-------- C:\Program Files\Spyware Terminator
2008-06-19 20:22:59 0 d-------- C:\Documents and Settings\Jack\Application Data\Spyware Terminator
2008-06-19 20:05:24 0 d-------- C:\Program Files\Common Files
2008-06-19 17:04:38 0 d-------- C:\Program Files\Social Security Calculator
2008-05-17 19:47:04 0 d-------- C:\Program Files\ACBL Score
2008-04-22 09:53:00 0 d-------- C:\Program Files\Dealmaster
2008-04-01 09:12:01 25016 --a------ C:\Documents and Settings\Jack\Application Data\GDIPFONTCACHEV1.DAT
2008-03-30 12:54:08 286720 --a------ C:\WINDOWS\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [12/10/2005 05:06]
"nwiz"="nwiz.exe" [12/10/2005 05:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [12/10/2005 05:06]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 13:50]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 09:33]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [05/01/2002 11:50]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [06/25/2004 18:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 20:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-20 08:23:18 ------------

#5 rookie147


Posted 20 June 2008 - 03:12 PM

Hello there! :thumbsup:
Please print off a copy of these instructions, and also save them to a Notepad file on your Desktop, so they are easily accessible.
We are going to boot into Safe Mode, and there is no internet access.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Find and delete the following files (if present):

C:\WINDOWS\system32\g35.exe
C:\WINDOWS\system32\htcipj.dll
C:\WINDOWS\system32\hljwugsf.bin

And these folders:

C:\WINDOWS\SmFjayBFLiAgU3RvbmU
C:\WINDOWS\system32\?ystem
C:\WINDOWS\system32\netrax01

Reboot into Normal Mode again.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Please post that log in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image

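The file list rookie147 is working from is the DSS "Files created" section of the first log. As an added example that is not part of the thread and not code from any of the tools used in it, the Python below runs the checks a responder applies by eye over lines in that format: characters that cannot occur in a Windows file name (the `?` in `system32\?ystem` is the log tool's placeholder for a character it could not print, most likely a lookalike of the real `system` directory, which is also why the folder is hard to find by typing the name), names that are valid base64, hidden+system directories directly under `C:\WINDOWS`, and bursts of files created under `C:\WINDOWS` within the same minute. The sample lines are copied from the log above; the thresholds (60 seconds, 3 files, 12-character minimum for the base64 check) are assumptions.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the DSS "Files created" format used in this thread:
# date time size attributes path [<Not Verified; vendor; product>].
# The lines are copied from the log posted above.
SAMPLE = """\
2008-06-19 15:50:59 0 d--hs---- C:\\WINDOWS\\SmFjayBFLiAgU3RvbmU
2008-06-19 15:50:45 60928 -----n--- C:\\WINDOWS\\system32\\htcipj.dll
2008-06-19 15:50:44 0 d-------- C:\\Documents and Settings\\LocalService\\Application Data\\Macromedia
2008-06-19 15:50:40 4 --a------ C:\\WINDOWS\\system32\\hljwugsf.bin
2008-06-19 15:50:28 0 d-------- C:\\WINDOWS\\system32\\?ystem
2008-06-19 15:50:26 0 d-------- C:\\WINDOWS\\system32\\netrax01
2008-03-30 12:54:08 286720 --a------ C:\\WINDOWS\\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{9}) (?P<path>.+?)(?: <(?P<note>[^>]*)>)?$"
)
ILLEGAL = set('<>:"/|?*')           # never legal inside a Windows file name
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")   # 12-char minimum is an assumption


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str
    path: str
    note: str | None

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def under_windows(self) -> bool:
        return self.path.lower().startswith("c:\\windows\\")


def parse_listing(text: str) -> list[Entry]:
    """Parse every well-formed DSS file line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"),
                                 int(m["size"]), m["attrs"], m["path"], m["note"]))
    return entries


def has_illegal_chars(name: str) -> bool:
    """A '?' (or any non-printable / non-ASCII character) in a logged name means
    the tool substituted a character it could not print, as in system32\\?ystem."""
    return any(c in ILLEGAL or ord(c) < 32 or ord(c) > 126 for c in name)


def looks_base64(name: str) -> bool:
    """True when the name is base64 that decodes to printable ASCII (padding is
    re-added because file names usually drop the trailing '=')."""
    if not B64_RE.match(name):
        return False
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and all(32 <= b <= 126 for b in raw)


def creation_clusters(entries: list[Entry], window: timedelta = timedelta(seconds=60),
                      min_size: int = 3) -> list[list[Entry]]:
    """Group entries under C:\\WINDOWS created within `window` of the group's first
    entry. A dropper writes its files in one burst, so such a burst is worth a look."""
    ordered = sorted((e for e in entries if e.under_windows), key=lambda e: e.when)
    clusters: list[list[Entry]] = []
    current: list[Entry] = []
    for e in ordered:
        if current and e.when - current[0].when > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def triage(listing: str) -> dict[str, list[str]]:
    """Map each suspicious path to the list of reasons it was flagged."""
    entries = parse_listing(listing)
    findings: dict[str, list[str]] = {}

    def flag(e: Entry, why: str) -> None:
        findings.setdefault(e.path, []).append(why)

    for e in entries:
        if has_illegal_chars(e.name):
            flag(e, "name contains a character that is illegal in a Windows file name (unprintable or lookalike character substituted by the tool)")
        if looks_base64(e.name):
            flag(e, "name is valid base64 that decodes to printable text")
        if e.under_windows and e.attrs[0] == "d" and "h" in e.attrs and "s" in e.attrs:
            flag(e, "hidden+system directory under C:\\WINDOWS")
    for group in creation_clusters(entries):
        for e in group:
            flag(e, f"one of {len(group)} entries created under C:\\WINDOWS within 60 s")
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, every entry rookie147 listed for deletion is flagged at least once (the five files and folders written between 15:50:26 and 15:50:59 form one cluster), while the Macromedia profile folder and the Setup Factory uninstaller are not. The base64 check deliberately reports only that the name decodes to readable text and does not print the decoded string, since such names often encode the machine owner's details.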

#6 Jack2008


Posted 20 June 2008 - 06:49 PM

rookie147, the 3 files specified were present and deleted. Two of the folders were deleted, but \windows\system32\?ystem WAS NOT present. I just want to confirm that you hadn't made a typo and wanted me to delete \windows\system32\system.



ComboFix 08-06-20.1 - Jack 2008-06-20 17:39:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.739 [GMT -6:00]
Running from: C:\Program Files\Malware Tools\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jack\My Documents\SMANTE~1
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\ystem~1\?ystem\
C:\WINDOWS\system32\ystem~1\ati2evxx.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 08:22 . 2008-06-20 08:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-20 08:22 . 2008-06-20 08:22 <DIR> d-------- C:\Deckard
2008-06-20 08:21 . 2008-06-20 17:37 <DIR> d-------- C:\Program Files\Malware Tools
2008-06-19 21:53 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-19 21:33 . 2008-06-19 21:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-19 20:47 . 2008-06-19 20:47 96,894 --a------ C:\TEMP\Q-UNINST.EXE
2008-06-19 19:48 . 2008-06-19 19:48 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\Malwarebytes
2008-06-19 19:47 . 2008-06-19 19:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 19:47 . 2008-06-19 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 19:47 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 19:47 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-19 18:23 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-19 18:23 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-19 18:23 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-19 18:23 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-19 18:23 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-19 18:23 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-19 18:23 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-19 18:23 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-19 18:23 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-19 18:23 . 2008-06-19 18:23 2,816 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-19 16:59 . 2008-06-20 17:41 26 --a------ C:\WINDOWS\iTouch.ini
2008-06-19 16:48 . 2008-06-19 16:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-06-19 16:44 . 2008-06-19 16:44 <DIR> d-------- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 02:59 --------- d-----w C:\Program Files\TaxCut07
2008-06-20 02:30 --------- d-----w C:\Program Files\Spyware Terminator
2008-06-20 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-20 02:22 --------- d-----w C:\Documents and Settings\Jack\Application Data\Spyware Terminator
2008-06-19 23:04 --------- d-----w C:\Program Files\Social Security Calculator
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-18 01:47 --------- d-----w C:\Program Files\ACBL Score
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-22 15:53 --------- d-----w C:\Program Files\Dealmaster
2008-04-01 15:12 25,016 ----a-w C:\Documents and Settings\Jack\Application Data\GDIPFONTCACHEV1.DAT
2008-03-30 18:54 286,720 ----a-w C:\WINDOWS\iun506.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-12-10 05:06 7311360]
"nwiz"="nwiz.exe" [2005-12-10 05:06 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-12-10 05:06 86016]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-05-01 11:50 28672]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-06-25 18:32 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2002-08-05 13:17]
S1 hidbattt;hidbattt;C:\WINDOWS\system32\drivers\hidbattt.sys []
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 17:41:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-06-20 17:43:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 23:42:59

Pre-Run: 72,701,554,688 bytes free
Post-Run: 72,698,085,376 bytes free

116

#7 rookie147


Posted 21 June 2008 - 12:11 PM

No problem, the folder was deleted anyway by Combofix.

Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with Combofix and post back the new log, along with a HijackThis log
Thanks,
Charles



#8 Jack2008


Posted 21 June 2008 - 08:36 PM

Rookie147, Recovery console installed and here are the two logs:

ComboFix 08-06-20.1 - Jack 2008-06-21 19:20:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.727 [GMT -6:00]
Running from: C:\Program Files\Malware Tools\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jack\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-20 08:22 . 2008-06-20 08:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-20 08:22 . 2008-06-20 08:22 <DIR> d-------- C:\Deckard
2008-06-20 08:21 . 2008-06-20 17:37 <DIR> d-------- C:\Program Files\Malware Tools
2008-06-19 21:53 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-19 21:33 . 2008-06-19 21:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-19 20:47 . 2008-06-19 20:47 96,894 --a------ C:\TEMP\Q-UNINST.EXE
2008-06-19 19:48 . 2008-06-19 19:48 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\Malwarebytes
2008-06-19 19:47 . 2008-06-19 19:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 19:47 . 2008-06-19 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 19:47 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 19:47 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-19 18:23 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-19 18:23 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-19 18:23 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-19 18:23 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-19 18:23 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-19 18:23 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-19 18:23 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-19 18:23 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-19 18:23 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-19 18:23 . 2008-06-19 18:23 2,816 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-19 16:59 . 2008-06-21 19:08 26 --a------ C:\WINDOWS\iTouch.ini
2008-06-19 16:48 . 2008-06-19 16:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-06-19 16:44 . 2008-06-19 16:44 <DIR> d-------- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 02:59 --------- d-----w C:\Program Files\TaxCut07
2008-06-20 02:30 --------- d-----w C:\Program Files\Spyware Terminator
2008-06-20 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-20 02:22 --------- d-----w C:\Documents and Settings\Jack\Application Data\Spyware Terminator
2008-06-19 23:04 --------- d-----w C:\Program Files\Social Security Calculator
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-18 01:47 --------- d-----w C:\Program Files\ACBL Score
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-22 15:53 --------- d-----w C:\Program Files\Dealmaster
2008-04-01 15:12 25,016 ----a-w C:\Documents and Settings\Jack\Application Data\GDIPFONTCACHEV1.DAT
2008-03-30 18:54 286,720 ----a-w C:\WINDOWS\iun506.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-12-10 05:06 7311360]
"nwiz"="nwiz.exe" [2005-12-10 05:06 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-12-10 05:06 86016]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-05-01 11:50 28672]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-06-25 18:32 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2002-08-05 13:17]
S1 hidbattt;hidbattt;C:\WINDOWS\system32\drivers\hidbattt.sys []
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 19:21:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-21 19:22:28
ComboFix-quarantined-files.txt 2008-06-22 01:22:26
ComboFix2.txt 2008-06-20 23:43:02

Pre-Run: 72,541,106,176 bytes free
Post-Run: 72,656,379,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

101


Deckard's System Scanner v20071014.68
Run by Jack on 2008-06-21 19:24:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jack.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:50, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malware Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jack.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=37139
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202230274248
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Jack\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3791 bytes

-- Files created between 2008-05-21 and 2008-06-21 -----------------------------

2008-06-21 19:20:38 0 d-------- C:\cmdcons
2008-06-20 17:38:26 68096 --a------ C:\WINDOWS\zip.exe
2008-06-20 17:38:26 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-20 17:38:26 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-20 17:38:26 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-20 17:38:26 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-20 17:38:26 98816 --a------ C:\WINDOWS\sed.exe
2008-06-20 17:38:26 80412 --a------ C:\WINDOWS\grep.exe
2008-06-20 17:38:26 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-20 08:22:46 0 d-------- C:\Program Files\Trend Micro
2008-06-20 08:21:07 0 d-------- C:\Program Files\Malware Tools
2008-06-19 21:33:53 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-19 19:48:08 0 d-------- C:\Documents and Settings\Jack\Application Data\Malwarebytes
2008-06-19 19:47:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 19:47:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 18:23:58 2816 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-19 18:23:12 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-19 18:23:12 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-19 18:23:12 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-19 18:23:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-19 18:23:12 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-19 18:23:12 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-19 18:23:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-19 18:23:12 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-19 16:48:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-19 16:44:56 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-19 16:44:56 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-19 16:44:56 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-19 16:44:56 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-19 16:44:56 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-19 16:44:56 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-19 16:44:56 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-19 16:44:56 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-19 15:55:48 3026944 --a------ C:\Documents and Settings\Jack\ntuser.dat
2008-06-19 15:50:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-19 15:50:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-19 15:50:40 0 dr------- C:\Documents and Settings\LocalService\Favorites


-- Find3M Report ---------------------------------------------------------------

2008-06-19 20:59:38 0 d-------- C:\Program Files\TaxCut07
2008-06-19 20:30:31 0 d-------- C:\Program Files\Spyware Terminator
2008-06-19 20:22:59 0 d-------- C:\Documents and Settings\Jack\Application Data\Spyware Terminator
2008-06-19 20:05:24 0 d-------- C:\Program Files\Common Files
2008-06-19 17:04:38 0 d-------- C:\Program Files\Social Security Calculator
2008-05-17 19:47:04 0 d-------- C:\Program Files\ACBL Score
2008-04-22 09:53:00 0 d-------- C:\Program Files\Dealmaster
2008-04-01 09:12:01 25016 --a------ C:\Documents and Settings\Jack\Application Data\GDIPFONTCACHEV1.DAT
2008-03-30 12:54:08 286720 --a------ C:\WINDOWS\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [12/10/2005 05:06]
"nwiz"="nwiz.exe" [12/10/2005 05:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [12/10/2005 05:06]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 13:50]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 09:33]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [05/01/2002 11:50]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [06/25/2004 18:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 20:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-06-21 19:25:10 ------------

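Two details in these final logs deserve a second look before the machine is called clean. The HKLM policy that disabled Task Manager is gone from the last DSS registry dump, but the Security Center values AntiVirusDisableNotify and UpdatesDisableNotify are still 1 in the last ComboFix log. Windows does not set those to 1 on its own; they silence the balloon warnings that antivirus is missing or updates are off, which is exactly what a rogue "spyware" advertiser wants, and none of the tools run here reset them. As an added example (not code from the thread or from ComboFix, DSS or HijackThis), the Python below parses registry-dump sections in the two formats shown above (DSS writes `"Name"=1 (0x1)`, ComboFix writes REGEDIT4 `"Name"=dword:00000001`), lists which of a small set of such indicator values are set, and reports which of them survive a cleanup. The sample dumps are copied from the logs above; the indicator table is my own, and FirewallDisableNotify is included on the assumption that it is handled the same way as the two values that appear in the logs.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the registry keys as they appear in the first DSS dump
# and first ComboFix log in this thread (before cleanup).
BEFORE = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-04 01:56 15360]
"""

# Constructed sample: the same keys as they appear in the final logs above.
# The DisableTaskMgr policy is gone; the Security Center values are not.
AFTER = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')

# (key suffix, value name) -> meaning. Windows XP does not set any of these to 1
# by default; rogue software sets them to hide itself or blind the user.
# This table is an assumption of the example, not something the logs define.
INDICATORS = {
    ("\\policies\\system", "disabletaskmgr"): "Task Manager disabled by policy",
    ("\\policies\\system", "disableregistrytools"): "Registry Editor disabled by policy",
    ("\\security center", "antivirusdisablenotify"): "Security Center antivirus warning suppressed",
    ("\\security center", "firewalldisablenotify"): "Security Center firewall warning suppressed",
    ("\\security center", "updatesdisablenotify"): "Security Center updates warning suppressed",
}


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: int
    why: str


def decode_value(raw: str) -> int | str:
    """Normalise the three data spellings used in these logs to Python values."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):               # REGEDIT4: dword:00000001
        return int(raw[6:], 16)
    m = re.match(r"^(\d+) \(0x[0-9A-Fa-f]+\)$", raw)   # DSS: 1 (0x1)
    if m:
        return int(m.group(1))
    if raw.startswith('"'):                            # "C:\path\file.exe" [date size]
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw


def parse_dump(text: str) -> dict[str, dict[str, int | str]]:
    """Return {key: {value name: data}} for a registry-dump section."""
    keys: dict[str, dict[str, int | str]] = {}
    current: dict[str, int | str] | None = None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m["key"], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m["name"]] = decode_value(m["raw"])
    return keys


def find_tampering(text: str) -> list[Finding]:
    """Every indicator value that is present and non-zero in the dump."""
    findings = []
    for key, values in parse_dump(text).items():
        for name, data in values.items():
            for (suffix, wanted), why in INDICATORS.items():
                if (key.lower().endswith(suffix) and name.lower() == wanted
                        and isinstance(data, int) and data != 0):
                    findings.append(Finding(key, name, data, why))
    return findings


def still_set_after_cleanup(before: str, after: str) -> list[Finding]:
    """Indicators that were set before cleanup and are still set afterwards."""
    remaining = set(find_tampering(after))
    return [f for f in find_tampering(before) if f in remaining]


if __name__ == "__main__":
    for f in still_set_after_cleanup(BEFORE, AFTER):
        print(f"{f.key}\\{f.name} = {f.value}: {f.why}")
```

On the samples above the script reports three indicators before cleanup (the HKLM DisableTaskMgr policy and the two Security Center values; the HKCU DisableTaskMgr entry is 0 and is ignored) and two afterwards, which is the check a helper would want to run on the final log before closing the thread. Setting each remaining value back to 0 restores the Security Center warnings.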
#9 rookie147


Posted 23 June 2008 - 02:55 PM

The logs are coming back clean, can you just clarify that everything is running okay?



#10 Jack2008


Posted 23 June 2008 - 11:03 PM

Rookie147,
I am thrilled that the logs are clean. Everything is running and Windows is stable... however it certainly seems to be slower. Should I uninstall ComboFix, DSS, and HijackThis? Maybe the only way to resolve the speed issue is to reformat and reinstall everything?

Jack

#11 rookie147


Posted 24 June 2008 - 01:42 AM

There are a few steps I want you to complete to try and resolve the slow down on your computer.
A whole host of reasons might account for this slow down, but I will highlight the most prominent ones below.
On most computers malware is the most common cause, but at the moment I do not think this is the case.
You might like to limit the programs that load when your computer starts; unnecessary software loading at boot eats away at your CPU and ultimately slows down your computer. Many programs install a quick-launch feature which is not needed; if you want to use the program you can start it manually. The easiest way to see whether a program is needed at startup is to use BleepingComputer's own list, which gives an indication of whether the program is required, optional, etc. Note that essential processes such as those for your anti-virus or your modem must be kept.
So, firstly click on Start | Run and type msconfig. Then hit enter.
Click on the 'startup' tab and a list of programs will appear.
You can compare the startup name with those on the startup list. The link is below:
www.bleepingcomputer.com/startups
To stop a program loading at boot, just remove the tick.
Click 'OK', and choose to restart.

You might like to try and clear clutter off your computer, and free up some space on your hard drive.
Old games, unwanted photos and unused programs could be a starting point.
You can also clear clutter such as temporary files by doing the following:
Go to Start | Run.
Type the following in the box: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Windows puts new files in any available open space and defragging will cluster files closer together making your hard drive more efficient. This saves wear and tear while speeding up programs.
1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.
5. This process takes quite a long time, so be patient.

You might also like to read the following tutorial as additional information to the above:
These self-help instructions can be found here

Also try running the Windows repair facility:
Go to Start | Run and type in sfc.exe /scannow and press enter. It may ask for your XP Installation CD. Once it's done, please visit Windows Update to ensure that you've got the latest hotfixes and updates (sfc.exe replaces system files when it runs).



#12 rookie147


Posted 16 July 2008 - 04:26 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

