Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Removal Help


  • This topic is locked This topic is locked
8 replies to this topic

#1 ibesethro

ibesethro

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:23 PM

Posted 29 June 2008 - 04:42 AM

Okay...so, my wife's old dell dimension 2400...slow slow slow, didnt run spyware protection only because that makes it just as slow as well, having a virus.

(what it is) the "windows vista antivirus" or system32 something and insits to be installed on my PC.
(symptoms) everythings so slow...i can tolerate the dell-nish...but now its ridiculous. i can slowly surf the web thru the search menu out of start menu...with firefox and IE out of search mode it will load pages like weather.com or yahoo but once you try to use the site...it eternally loads. furthermore, it will randomly pop up its windows and fake scan my computer and the whole nine yards to con me.
(countermeasures in place) i have Ad-aware, Spyware doctor (registered) , avg free, and spybot S&D running and ran and scanned and deleted and so forth. done the hijack this thing, removed malicious this and that...to no avail. SO im turning it on to you all that are smarter than me. fair enough i hope? thanks for the help if you so choose to bless me with it


-seth



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:59 PM, on 6/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Documents and Settings\Nikki\lsass.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mjc\mjc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nikki\lsass.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMb30f6ba4] Rundll32.exe "C:\WINDOWS\System32\hmrstbhb.dll",s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163994147187
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 3038 bytes

BC AdBot (Login to Remove)

 


#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:23 AM

Posted 29 June 2008 - 06:06 AM

Hello Ibesethro

Please rename your C:\Program Files\Trend Micro\HijackThis\HijackThis.exe to Ibesethro.exe.
Then run HijackThis (Ibesethro.exe) and post the log back here :thumbsup:

Edited by Baabiouz, 29 June 2008 - 06:09 AM.

Posted Image

#3 ibesethro

ibesethro
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:23 PM

Posted 29 June 2008 - 10:26 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:07 PM, on 6/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Nikki\lsass.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\mjc\mjc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\ibesethro.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0185D01F-12F9-4622-AD9B-D76579DF763A} - (no file)
O2 - BHO: (no name) - {0E5E90E4-B50D-405B-8DE8-3BDF2BD917FE} - C:\WINDOWS\System32\mlJDSIxY.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {336CED39-3950-4FE5-9FE9-FF74CC14593A} - C:\WINDOWS\System32\geBuTLDv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E0A4988-69C7-46B5-9638-3DBDDDB86EA2} - C:\WINDOWS\System32\ddcDstSL.dll (file missing)
O2 - BHO: (no name) - {6984527F-01C1-4398-A9FB-418DFF422355} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B8831D3D-F6E7-4612-8731-6E654CD13FFF} - (no file)
O2 - BHO: (no name) - {CF9A8145-0424-491C-A2EA-75A83F04DCC3} - (no file)
O2 - BHO: (no name) - {D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2} - C:\WINDOWS\System32\iifedcyy.dll
O2 - BHO: (no name) - {D7D5A651-19C9-4F90-AE3A-5CBB1277DC20} - C:\WINDOWS\System32\mlJDvTKA.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nikki\lsass.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMb30f6ba4] Rundll32.exe "C:\WINDOWS\System32\yrbjodrw.dll",s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163994147187
O20 - Winlogon Notify: iifedcyy - C:\WINDOWS\SYSTEM32\iifedcyy.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4688 bytes

#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:23 AM

Posted 30 June 2008 - 08:05 AM

Hello :thumbsup:

Step #1
You have the program Spybot S&D (Teatimer option) running on your machine and that is good. But prior to doing the fix below with Combofix it needs to be turned off. Please do the following:
  • Right click the running icon of Spybot's Teatimer, and choose Exit.
Unless it is turned off it could interfere with the fix by Combofix.

Step #2
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Step #3
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


Step #4
You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer:Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Step #5
Please post Combofix log, Sdfix log and a fresh HijackThis log back here :)

Edited by Baabiouz, 30 June 2008 - 08:09 AM.

Posted Image

#5 ibesethro

ibesethro
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:23 PM

Posted 01 July 2008 - 06:38 AM

SDFix: Version 1.199
Run by Administrator on Tue 07/01/2008 at 08:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\iifedcyy.dll - Deleted
C:\Program Files\mjc\mjc.exe - Deleted
C:\Program Files\Web Technologies\iebr.dll - Deleted
C:\Program Files\Web Technologies\iebt.dll - Deleted
C:\Program Files\Web Technologies\iebtmm.exe - Deleted
C:\Program Files\Web Technologies\iebtu.exe - Deleted
C:\Program Files\Web Technologies\iebu.exe - Deleted
C:\Program Files\Web Technologies\myd.ico - Deleted
C:\Program Files\Web Technologies\mym.ico - Deleted
C:\Program Files\Web Technologies\myp.ico - Deleted
C:\Program Files\Web Technologies\myv.ico - Deleted
C:\Program Files\Web Technologies\ot.ico - Deleted
C:\Program Files\Web Technologies\ts.ico - Deleted
C:\Program Files\Web Technologies\wcm.exe - Deleted
C:\Program Files\Web Technologies\wcs.exe - Deleted
C:\Program Files\Web Technologies\wcu.exe - Deleted



Folder C:\Program Files\mjc - Removed
Folder C:\Program Files\Web Technologies - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 20:25:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

Remaining Files :


File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 25 Jun 2008 52,224 ..SH. --- "C:\Documents and Settings\Nikki\lsass.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Finished!

#6 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:23 AM

Posted 01 July 2008 - 07:51 AM

Please post Combofix log and a fresh hijackthis log :thumbsup:
Posted Image

#7 ibesethro

ibesethro
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:23 PM

Posted 05 July 2008 - 12:32 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:05 PM, on 7/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\ibesethro.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0185D01F-12F9-4622-AD9B-D76579DF763A} - (no file)
O2 - BHO: (no name) - {0E5E90E4-B50D-405B-8DE8-3BDF2BD917FE} - C:\WINDOWS\System32\mlJDSIxY.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {47A742A6-B0D0-43CF-B676-1CE6739505AA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E0A4988-69C7-46B5-9638-3DBDDDB86EA2} - C:\WINDOWS\System32\ddcDstSL.dll (file missing)
O2 - BHO: (no name) - {6984527F-01C1-4398-A9FB-418DFF422355} - (no file)
O2 - BHO: (no name) - {7BC9C2E2-73A6-4FCF-B73D-CBAA20B31C9B} - (no file)
O2 - BHO: (no name) - {86D86323-F8CA-4A5C-9EA7-678785BAA24B} - C:\WINDOWS\System32\geBuTLDv.dll (file missing)
O2 - BHO: WarningBHO Class - {9989F1F6-70DE-4244-AC9F-6672983681A0} - C:\Program Files\AntiSpyCheck 2.1\IEWarning32.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1} - C:\Program Files\Web Technologies\iebt.dll (file missing)
O2 - BHO: (no name) - {B8831D3D-F6E7-4612-8731-6E654CD13FFF} - (no file)
O2 - BHO: (no name) - {CF9A8145-0424-491C-A2EA-75A83F04DCC3} - (no file)
O2 - BHO: (no name) - {D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2} - (no file)
O2 - BHO: (no name) - {D7D5A651-19C9-4F90-AE3A-5CBB1277DC20} - C:\WINDOWS\System32\mlJDvTKA.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMb30f6ba4] Rundll32.exe "C:\WINDOWS\System32\ffdtflad.dll",s
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163994147187
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O20 - Winlogon Notify: iifedcyy - C:\WINDOWS\
O22 - SharedTaskScheduler: dysmenorrhoea - {2a7a8ce2-1eaf-4fc0-9158-958bb6bfa5c4} - C:\WINDOWS\System32\jhzpcn.dll (file missing)
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5941 bytes


what does it all mean? thanks a bunch for your help you just helped me get 6 more months out of this CPU

#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:23 AM

Posted 05 July 2008 - 03:30 AM

Hello ibesethro. Have you ran Combofix? Can you please post contents of C:\Combofix.txt here?
Have you downloaded any antivirus? (I have asked you to download)

Edited by Baabiouz, 05 July 2008 - 03:30 AM.

Posted Image

#9 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:23 AM

Posted 11 July 2008 - 07:32 AM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users