Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unnerving Warning Popups And More


  • This topic is locked This topic is locked
2 replies to this topic

#1 Jester75

Jester75

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:34 PM

Posted 28 July 2008 - 06:14 PM

Working on a friends PC here. Several very annoying warning windows popping up from the taskbar every few minutes about "Your PC is running slowly, could be a virus" and fake Windows warnings about an infection naming a different trojan everytime the window opens. Here are the logs from DSS:


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-28 18:59:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
31: 2008-07-28 22:59:26 UTC - RP1114 - Deckard's System Scanner Restore Point
30: 2008-07-28 03:05:39 UTC - RP1113 - Installed Ad-Aware
29: 2008-06-19 01:01:33 UTC - RP1112 - Removed MSXML 4.0 SP2 (KB936181)
28: 2008-06-18 23:27:41 UTC - RP1111 - System Checkpoint
27: 2008-06-17 22:27:36 UTC - RP1110 - System Checkpoint


-- First Restore Point --
1: 2008-06-05 23:49:26 UTC - RP1084 - Removed Spanlink Agent


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:08 PM, on 7/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\Administrator.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = daltonu.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = daltonu.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6771 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\Desktop\backups\) ------------

backup-20080728-183031-307 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
backup-20080728-183031-693 O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
backup-20080728-183031-462 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
backup-20080728-183031-339 O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
backup-20080728-183031-161 O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
backup-20080728-183031-897 O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
backup-20080728-183031-765 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
backup-20080728-183031-351 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
backup-20080728-183031-106 O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
backup-20080728-183031-312 O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
backup-20080728-183031-429 O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
backup-20080728-183031-858 O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
backup-20080728-183031-569 O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
backup-20080728-183031-844 O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
backup-20080728-183031-416 O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
backup-20080728-183031-145 O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
backup-20080728-183031-191 O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
backup-20080728-183031-962 O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
backup-20080728-183031-506 O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
backup-20080728-183031-389 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
backup-20080728-183031-210 O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
backup-20080728-183031-746 O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
backup-20080728-183031-184 O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
backup-20080728-183031-546 O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
backup-20080728-183031-660 O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
backup-20080728-183031-178 O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
backup-20080728-183031-403 O4 - HKCU\..\Run: [SearchAndDestroyT] C:\Program Files\Search And Destroy\SearchAndDestroy.exe
backup-20080728-183031-933 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080728-183032-226 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080728-183032-636 O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
backup-20080728-183032-257 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
backup-20080728-183033-507 O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 SPCD (Spanlink Packet Capture Driver) - c:\windows\system32\drivers\spcd.sys <Not Verified; Spanlink Communications; Spanlink spcd.sys>

S3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - c:\windows\system32\drivers\alcxwdm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_04028086&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_04028086&REV_02\3&13C0B0C5&0&FD
Service:


-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-28 00:59:52 15104 --a------ C:\WINDOWS\mssys.exe
2008-07-27 23:12:53 0 d-------- C:\VundoFix Backups
2008-07-27 23:05:46 0 d-------- C:\Program Files\Lavasoft
2008-07-27 23:05:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-27 22:58:23 22272 --a------ C:\WINDOWS\y.exe
2008-07-27 22:58:23 26112 --a------ C:\WINDOWS\xplugin.dll
2008-07-27 22:58:22 13056 --a------ C:\WINDOWS\x.exe
2008-07-27 22:58:20 10496 --a------ C:\WINDOWS\winmgnt.exe
2008-07-27 22:58:19 22272 --a------ C:\WINDOWS\window.exe
2008-07-27 22:58:19 16384 --a------ C:\WINDOWS\winajbm.dll
2008-07-27 22:58:19 23296 --a------ C:\WINDOWS\win64.exe
2008-07-27 22:58:18 23296 --a------ C:\WINDOWS\win32e.exe
2008-07-27 22:58:18 20736 --a------ C:\WINDOWS\waol.exe
2008-07-27 22:58:18 8704 --a------ C:\WINDOWS\users32.exe
2008-07-27 22:58:18 22784 --a------ C:\WINDOWS\time.exe
2008-07-27 22:58:17 18944 --a------ C:\WINDOWS\systemcritical.exe
2008-07-27 22:58:17 28928 --a------ C:\WINDOWS\systeem.exe
2008-07-27 22:54:09 22016 --a------ C:\WINDOWS\olehelp.exe
2008-07-27 22:54:07 15872 --a------ C:\WINDOWS\notepad32.exe
2008-07-27 22:54:07 27136 --a------ C:\WINDOWS\mtwirl32.dll
2008-07-27 22:54:06 11776 --a------ C:\WINDOWS\loader.exe
2008-07-27 22:54:06 18688 --a------ C:\WINDOWS\iexplorer.exe
2008-07-27 22:54:05 31488 --a------ C:\WINDOWS\cpan.dll
2008-07-27 22:54:05 18176 --a------ C:\WINDOWS\clrssn.exe
2008-07-27 22:54:04 25600 --a------ C:\WINDOWS\avpcc.dll
2008-07-27 22:54:03 10496 --a------ C:\WINDOWS\accesss.exe
2008-07-27 22:49:32 2390 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-27 22:48:58 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-27 22:48:58 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-27 22:48:58 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-27 22:48:58 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-27 22:48:58 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-27 22:48:57 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-27 22:22:12 0 d-------- C:\Virus-Spyware Utilities
2008-07-27 22:20:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-27 22:15:09 0 d--h----- C:\WINDOWS\system32\GroupPolicy


-- Find3M Report ---------------------------------------------------------------

2008-06-18 21:18:18 0 --a------ C:\WINDOWS\system32\MSVolume.dll
2008-06-18 21:17:52 0 d-------- C:\Program Files\Search And Destroy
2008-06-15 12:47:10 11264 --a------ C:\WINDOWS\svcinit.exe
2008-06-15 12:47:10 14336 --a------ C:\WINDOWS\svchost32.exe
2008-06-15 12:47:10 17408 --a------ C:\WINDOWS\sistem.exe
2008-06-15 12:47:10 21248 --a------ C:\WINDOWS\searchword.dll
2008-06-15 12:47:06 29952 --a------ C:\WINDOWS\rundll16.exe
2008-06-15 12:47:02 13568 --a------ C:\WINDOWS\quicken.exe
2008-06-15 12:47:02 9984 --a------ C:\WINDOWS\qttasks.exe
2008-06-15 12:47:00 14848 --a------ C:\WINDOWS\mswsc20.dll
2008-06-15 12:47:00 25344 --a------ C:\WINDOWS\mswsc10.dll
2008-06-15 12:46:58 17152 --a------ C:\WINDOWS\msupdate.exe
2008-06-15 12:46:56 10752 --a------ C:\WINDOWS\msspi.dll
2008-06-15 12:46:56 25344 --a------ C:\WINDOWS\msconfd.dll
2008-06-15 12:46:54 27904 --a------ C:\WINDOWS\internet.exe
2008-06-15 12:46:52 18432 --a------ C:\WINDOWS\inetinf.exe
2008-06-15 12:46:48 17152 --a------ C:\WINDOWS\iedll.exe
2008-06-15 12:46:48 14336 --a------ C:\WINDOWS\helpcvs.exe
2008-06-15 12:46:48 32768 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-15 12:46:44 16640 --a------ C:\WINDOWS\funny.exe
2008-06-15 12:46:44 24832 --a------ C:\WINDOWS\funniest.exe
2008-06-15 12:46:42 8192 --a------ C:\WINDOWS\explorer32.exe
2008-06-15 12:46:42 10240 --a------ C:\WINDOWS\explore.exe
2008-06-15 12:46:42 13824 --a------ C:\WINDOWS\editpad.exe
2008-06-15 12:46:42 15872 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-15 12:46:42 17408 --a------ C:\WINDOWS\directx32.exe
2008-06-15 12:46:42 14592 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-15 12:46:42 28672 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-15 12:33:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\??sembly
2008-06-15 12:31:20 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-15 12:31:08 90073 --a------ C:\WINDOWS\system32\iftuyszv.exe <Not Verified; Microsoft; XML Media>
2008-06-13 23:44:24 229516 --a------ C:\WINDOWS\system32\000070.exe
2008-06-13 23:42:40 209496 --a------ C:\WINDOWS\system32\000080.exe
2008-06-13 16:34:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-06-13 16:34:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeAUM
2008-06-13 16:34:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-06-12 23:51:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-06-12 21:27:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-12 21:24:38 0 d-------- C:\Program Files\DIFX
2008-06-08 02:04:28 0 d-------- C:\Program Files\Disney Interactive
2008-06-08 02:03:54 314 --a------ C:\WINDOWS\EReg515.dat
2008-06-08 01:57:46 0 d-------- C:\Program Files\The Learning Company
2008-06-08 01:00:58 0 d-------- C:\Program Files\Pokémon
2008-06-07 11:22:32 0 d-------- C:\Program Files\Microsoft Games
2008-06-06 10:30:04 0 d-------- C:\Program Files\EA GAMES
2008-06-06 10:19:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-06-06 02:00:24 0 d-------- C:\Program Files\Common Files\LightScribe
2008-06-06 01:54:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-06-06 01:51:04 0 d-------- C:\Program Files\Nero
2008-06-06 01:51:04 0 d-------- C:\Program Files\Common Files\Ahead


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [10/15/2002 11:18 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/15/2002 11:05 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [03/06/2003 07:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [02/25/2003 06:00 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [01/06/2006 03:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2006 01:30 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [05/04/2007 10:59 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [04/19/2007 01:26 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [05/04/2007 10:39 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/13/2008 08:12 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/18/1999 1:05:56 AM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/4/2004 1:12:18 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a453aee-5ced-11dd-b83a-00016c24e5a0}]
AutoRun\command- E:\Autorun.exe /run
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- End of Deckard's System Scanner: finished at 2008-07-28 19:02:30 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.50GHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 503.48 MiB / 201.73 MiB
Pagefile Memory (total/avail): 844.38 MiB / 563.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.3 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 37.26 GiB total, 20.29 GiB free.
D: is CDROM (CDFS)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - ST340014A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.27 GiB - C:

\\.\PHYSICALDRIVE1 - LEXAR JD LIGHTNING II USB Device - 1913.99 MiB - 1 partition
\PARTITION0 - 16-bit FAT - 1915.48 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ERIK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\ERIK
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G

Thanks for any help you can offer, I think my head is fixing to implode from this nasty bug!

BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:34 PM

Posted 28 July 2008 - 09:34 PM

Hello Jester75

Welcome to BleepingComputer :thumbsup:
========================
Please visit this web page for instructions for downloading and running Combofix >ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

(Note:If the Recovery Console fails to install then do not proceed rather alert me and post back here we will continue)
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:34 PM

Posted 16 August 2008 - 08:17 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users