Explorer Keeps Shutting Down


This topic is locked
8 replies to this topic

#1 natts133 (Members, 4 posts)

Posted 29 July 2008 - 08:54 AM

Hello folks...
Windows Explorer keeps shutting down on me, and after attempting to fix it myself I realized that I'm in a bit over my head.
The following files seemed suspicious to me and I tried (perhaps stupidly) to delete them using HijackThis and KillBox, with a restart after both, but neither worked.
O2 - BHO: (no name) - {59CF8D60-F8D7-42F5-9808-CD4594816FD0} - C:\WINDOWS\system32\jkkHWMcc.dll
O2 - BHO: (no name) - {F97B70D0-222C-47B6-9319-E9B0ADED2419} - C:\WINDOWS\system32\fccaYOhe.dll
O20 - Winlogon Notify: jkkHWMcc - jkkHWMcc.dll (file missing)

Here's my logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:32 AM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\Natts133\Desktop\H.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {59CF8D60-F8D7-42F5-9808-CD4594816FD0} - C:\WINDOWS\system32\jkkHWMcc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F97B70D0-222C-47B6-9319-E9B0ADED2419} - C:\WINDOWS\system32\fccaYOhe.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jkkHWMcc - jkkHWMcc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Control Server (RCSERVER) - Unknown owner - C:\PROGRA~1\REMOTE~1\REMOTE~1.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9077 bytes
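The checks a helper applies by eye to a log like the one above, written out as a small Python triage script. This is an added example, not part of the original post and not code from HijackThis itself. Its sample input is the O2/O20/O23 lines copied from the log above (with a few benign entries from the same log for contrast); the scoring weights and the "eight letters with the case flipping mid-word" heuristic for Vundo-style file names are the example's own assumptions. Note that "Unknown owner" on its own scores too low to be flagged, since the Dell WLAN tray service in the same log carries that label as well.

```python
import re
from collections import defaultdict

# Constructed sample input: O2/O20/O23 lines copied from the HijackThis log
# posted above, with a few benign entries from the same log for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {59CF8D60-F8D7-42F5-9808-CD4594816FD0} - C:\WINDOWS\system32\jkkHWMcc.dll
O2 - BHO: (no name) - {F97B70D0-222C-47B6-9319-E9B0ADED2419} - C:\WINDOWS\system32\fccaYOhe.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O20 - Winlogon Notify: jkkHWMcc - jkkHWMcc.dll (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: Remote Control Server (RCSERVER) - Unknown owner - C:\PROGRA~1\REMOTE~1\REMOTE~1.EXE
"""

LINE_RE = re.compile(r"^(?P<sect>O\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")
MODULE_RE = re.compile(r"([A-Za-z0-9_~]+)\.(?:dll|exe)\b", re.I)


def parse_hjt(text):
    """Split each HijackThis O-line into section, ' - ' separated fields and
    the module name (file stem) named in its last field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = m.group("rest").split(" - ")
        mod = MODULE_RE.search(fields[-1])
        entries.append({"line": line, "sect": m.group("sect"),
                        "fields": fields, "stem": mod.group(1) if mod else ""})
    return entries


def case_changes(s):
    """Count adjacent character pairs whose case differs (jkkHWMcc -> 2)."""
    return sum(1 for a, b in zip(s, s[1:]) if a.isupper() != b.isupper())


def looks_random(stem):
    """Assumed heuristic for Vundo-style names: exactly eight letters with the
    case flipping at least twice mid-word (fccaYOhe, byXOhFWM, ...)."""
    return bool(re.fullmatch(r"[A-Za-z]{8}", stem)) and case_changes(stem) >= 2


def triage(text, threshold=2):
    """Score every entry with the assumed weights below and return the ones at
    or above the threshold as (score, line, reasons), highest score first."""
    entries = parse_hjt(text)
    # The same module hooked from several sections (BHO plus Winlogon Notify
    # here) is a strong signal, so collect the sections per module first.
    sections = defaultdict(set)
    for e in entries:
        if e["stem"]:
            sections[e["stem"].lower()].add(e["sect"])

    flagged = []
    for e in entries:
        score, reasons = 0, []
        path = e["fields"][-1]
        if e["sect"] == "O2" and e["fields"][0] == "(no name)":
            score += 2
            reasons.append("BHO registered without a name")
        if e["sect"] == "O2" and "\\system32\\" in path.lower():
            score += 1
            reasons.append("BHO loaded from system32 instead of Program Files")
        if e["sect"] == "O20":
            score += 2
            reasons.append("third-party Winlogon Notify package")
            if "(file missing)" in path:
                reasons.append("file deleted but registry entry still present")
        if e["sect"] == "O23" and e["fields"][-2] == "Unknown owner":
            score += 1  # weak signal: Dell's wltrysvc in the same log shows it too
            reasons.append("service binary carries no vendor information")
        if looks_random(e["stem"]):
            score += 1
            reasons.append("random-looking 8-letter module name " + e["stem"])
        hooked = sections[e["stem"].lower()] if e["stem"] else set()
        if len(hooked) > 1:
            score += 1
            reasons.append("same module hooked in " + ", ".join(sorted(hooked)))
        if score >= threshold:
            flagged.append((score, e["line"], reasons))
    return sorted(flagged, key=lambda t: -t[0])


if __name__ == "__main__":
    for score, line, reasons in triage(SAMPLE_LOG):
        print(score, line)
        for r in reasons:
            print("    -", r)
```

Run as a script it prints the three entries worth acting on. jkkHWMcc.dll scores highest because it is a nameless BHO living in system32, has a random-looking name, and is also registered as a Winlogon Notify package; the Adobe, McAfee and RCSERVER lines stay below the threshold.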


#2 kahdah (Security Colleague, 11,138 posts)

Posted 29 July 2008 - 11:17 AM

Hello natts133

Welcome to BleepingComputer :thumbsup:
========================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#3 natts133 (Topic Starter, Members, 4 posts)

Posted 30 July 2008 - 10:20 PM

Thank you, extra.txt did not appear, but here is the main.txt

Deckard's System Scanner v20071014.68
Run by Natts133 on 2008-07-30 23:14:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 4.7 GiB (less than 15%) free.


-- HijackThis (run as Natts133.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:01 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\MSTMON_Q.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\REMOTE~1\REMOTE~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
D:\dss.exe
C:\DOCUME~1\Natts133\Desktop\Natts133.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {59CF8D60-F8D7-42F5-9808-CD4594816FD0} - C:\WINDOWS\system32\jkkHWMcc.dll
O2 - BHO: (no name) - {64597F82-C793-4CB6-BF75-ED2B499AF886} - C:\WINDOWS\system32\fccaYOhe.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: jkkHWMcc - C:\WINDOWS\SYSTEM32\jkkHWMcc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Control Server (RCSERVER) - Unknown owner - C:\PROGRA~1\REMOTE~1\REMOTE~1.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9020 bytes

-- Files created between 2008-06-30 and 2008-07-30 -----------------------------

2008-07-24 15:02:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-07-24 15:02:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-24 15:01:25 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-24 15:01:25 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-24 15:01:25 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-24 15:01:25 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-24 15:01:25 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-24 15:01:25 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-24 15:01:05 0 d-------- C:\WINDOWS\CSC
2008-07-22 12:27:02 0 d-------- C:\!KillBox
2008-07-22 12:10:48 0 d-------- C:\WINDOWS\pss
2008-07-22 11:41:24 0 d-------- C:\VundoFix Backups
2008-07-22 11:29:56 0 d-------- C:\Program Files\Trend Micro
2008-07-22 11:29:41 0 d-------- C:\Program Files\FeedStation
2008-07-22 11:29:37 0 d-------- C:\Program Files\FeedDemon
2008-07-22 11:28:09 0 d-------- C:\Program Files\AmazonPriceWatch
2008-07-21 17:37:17 923494 --ahs---- C:\WINDOWS\system32\ehOYaccf.ini2
2008-07-21 17:37:12 245760 -----n--- C:\WINDOWS\system32\fccaYOhe.dll
2008-07-21 17:35:39 33152 --a------ C:\WINDOWS\system32\fccYRLBu.dll
2008-07-21 17:35:39 33152 --a------ C:\WINDOWS\system32\byXOhFWM.dll
2008-07-21 17:33:29 0 d-------- C:\tt7-stuff
2008-07-21 17:32:09 26112 --a------ C:\WINDOWS\system32\vtUmLebC.dll
2008-07-21 17:32:09 26112 -----n--- C:\WINDOWS\system32\jkkHWMcc.dll
2008-07-21 17:32:07 0 d-------- C:\WINDOWS\TomTom.Navigator
2008-07-18 00:01:14 0 d-------- C:\Documents and Settings\Natts133\Application Data\dvdcss
2008-07-17 23:53:17 0 d-------- C:\Program Files\InterActual
2008-07-17 14:58:09 44544 -ra------ C:\WINDOWS\system32\MSXML4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-07-17 14:58:09 626960 -ra------ C:\WINDOWS\system32\hpvaut32.dll <Not Verified; Microsoft Corporation; >
2008-07-17 14:57:39 10752 --a------ C:\WINDOWS\system32\PSS938A5.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-07-17 14:55:50 2655 -----n--- C:\WINDOWS\hphmdl03.dat
2008-07-17 14:55:50 93391 --a------ C:\WINDOWS\HPHins03.dat
2008-07-17 14:55:33 659456 --a------ C:\WINDOWS\system32\hphmon06.exe <Not Verified; Hewlett-Packard; HP Photosmart>
2008-07-17 14:55:21 9505 --a------ C:\WINDOWS\system32\hphmon06.dat
2008-07-17 02:30:39 0 d-------- C:\Documents and Settings\Natts133\Application Data\hIq Inc
2008-07-17 01:44:37 0 d-------- C:\ttn240mfg
2008-07-17 01:36:57 0 d-------- C:\Program Files\PPCkitchen.org
2008-07-10 12:36:23 10752 --a------ C:\WINDOWS\system32\PSS143DA.DLL <Not Verified; Pharos Systems International; PHAROS>


-- Find3M Report ---------------------------------------------------------------

2008-07-30 23:07:37 0 d-------- C:\Documents and Settings\Natts133\Application Data\Launchy
2008-07-21 23:02:21 162934 --a------ C:\WINDOWS\system32\nvModes.dat
2008-07-17 19:49:30 0 d-------- C:\Program Files\Intel
2008-07-17 19:47:55 0 d-------- C:\Program Files\DIFX
2008-07-17 14:58:07 0 d-------- C:\Program Files\HP
2008-07-16 03:27:02 0 d-------- C:\Documents and Settings\Natts133\Application Data\BitTorrent
2008-07-11 01:00:23 0 d-------- C:\Documents and Settings\Natts133\Application Data\LimeWire
2008-07-01 17:40:28 0 d-------- C:\Program Files\Realtime Landscaping Architect Trial
2008-06-29 12:09:13 0 d-------- C:\Program Files\Realtime Landscaping Architect
2008-06-26 19:22:43 0 d-------- C:\Documents and Settings\Natts133\Application Data\GetRightToGo
2008-06-17 16:06:40 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59CF8D60-F8D7-42F5-9808-CD4594816FD0}]
07/21/2008 05:32 PM 26112 --------- C:\WINDOWS\system32\jkkHWMcc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64597F82-C793-4CB6-BF75-ED2B499AF886}]
07/21/2008 05:37 PM 245760 --------- C:\WINDOWS\system32\fccaYOhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/15/2007 11:28 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/10/2007 12:22 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11/30/2006 08:50 AM]
"nwiz"="nwiz.exe" [11/17/2007 05:03 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/17/2007 05:03 AM]
"NVHotkey"="nvHotkey.dll" [11/17/2007 05:03 AM C:\WINDOWS\system32\nvhotkey.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/17/2007 05:03 AM]
"KONICA MINOLTA PagePro 1350WStatusDisplay"="C:\WINDOWS\system32\MSTMON_Q.EXE" [11/21/2004 09:42 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 12:03 PM C:\WINDOWS\KHALMNPR.Exe]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [01/07/2006 01:09 AM]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [01/07/2006 01:09 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 01:38 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 03:18 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 08:00 AM C:\WINDOWS\system32\bthprops.cpl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [11/18/2005 5:46:00 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM]
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [5/29/2007 6:35:58 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{59CF8D60-F8D7-42F5-9808-CD4594816FD0}"= C:\WINDOWS\system32\jkkHWMcc.dll [07/21/2008 05:32 PM 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHWMcc]
jkkHWMcc.dll 07/21/2008 05:32 PM 26112 C:\WINDOWS\system32\jkkHWMcc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fccaYOhe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59bfb017-f45e-11dc-88a7-001422f6b191}]
AutoRun\command- D:\PStart.exe




-- End of Deckard's System Scanner: finished at 2008-07-30 23:17:00 ------------
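What a responder reads out of the DSS report above, done in code: the "Files created" list shows a burst of files dropped into system32 within a few minutes of each other on 21 July, and the registry dump shows several load points (BHO key, ShellExecuteHooks, Winlogon Notify, LSA Authentication Packages) pointing at files from that burst. The script below is an added example, not part of the thread and not code from DSS; its input is lines copied from the report above, and the 5-minute window, the minimum burst size and the assumption that msv1_0 is the only stock LSA authentication package on XP are the example's own. ShellExecuteHooks are loaded by explorer.exe, Winlogon Notify DLLs by winlogon.exe and authentication packages by lsass.exe, so a cleanup has to cover all of them rather than just the BHO.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the "Files created" list and the
# "Registry Dump" section of the DSS report posted above.
FILES_CREATED = r"""
2008-07-21 17:37:17 923494 --ahs---- C:\WINDOWS\system32\ehOYaccf.ini2
2008-07-21 17:37:12 245760 -----n--- C:\WINDOWS\system32\fccaYOhe.dll
2008-07-21 17:35:39 33152 --a------ C:\WINDOWS\system32\fccYRLBu.dll
2008-07-21 17:35:39 33152 --a------ C:\WINDOWS\system32\byXOhFWM.dll
2008-07-21 17:32:09 26112 --a------ C:\WINDOWS\system32\vtUmLebC.dll
2008-07-21 17:32:09 26112 -----n--- C:\WINDOWS\system32\jkkHWMcc.dll
2008-07-21 17:32:07 0 d-------- C:\WINDOWS\TomTom.Navigator
2008-07-17 14:55:33 659456 --a------ C:\WINDOWS\system32\hphmon06.exe <Not Verified; Hewlett-Packard; HP Photosmart>
"""
REGISTRY_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59CF8D60-F8D7-42F5-9808-CD4594816FD0}]
07/21/2008 05:32 PM 26112 --------- C:\WINDOWS\system32\jkkHWMcc.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{59CF8D60-F8D7-42F5-9808-CD4594816FD0}"= C:\WINDOWS\system32\jkkHWMcc.dll [07/21/2008 05:32 PM 26112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHWMcc]
jkkHWMcc.dll 07/21/2008 05:32 PM 26112 C:\WINDOWS\system32\jkkHWMcc.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fccaYOhe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59bfb017-f45e-11dc-88a7-001422f6b191}]
AutoRun\command- D:\PStart.exe
"""

FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) "
                     r"(?P<attr>\S{9}) (?P<path>.+?)(?: <[^>]*>)?$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]]+?\.(?:dll|exe)", re.I)


def stem(path):
    # Lower-cased file name without its extension (fccaYOhe.dll -> fccayohe).
    return re.sub(r"\.[^.\\]*$", "", path.strip().split("\\")[-1]).lower()


def parse_files(text):
    """Rows of the 'Files created' list, oldest first."""
    rows = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            rows.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                         "attr": m["attr"], "path": m["path"]})
    return sorted(rows, key=lambda r: r["ts"])


def bursts(rows, window=timedelta(minutes=5), min_size=3):
    """Groups where each file follows the previous one within `window`
    (window and min_size are assumed values, not DSS settings)."""
    groups, current = [], []
    for r in rows:
        if current and r["ts"] - current[-1]["ts"] > window:
            if len(current) >= min_size:
                groups.append(current)
            current = []
        current.append(r)
    if len(current) >= min_size:
        groups.append(current)
    return groups


def persistence_points(dump):
    """Load points in a DSS registry dump: BHO keys, ShellExecuteHooks, Winlogon
    Notify, LSA Authentication Packages other than msv1_0, MountPoints2 AutoRun."""
    points, key = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"].lower()
            continue
        if not line or key is None:
            continue
        if ("browser helper objects" in key or "shellexecutehooks" in key
                or "winlogon\\notify" in key):
            m = WINPATH_RE.search(line)
            if m:
                kind = ("BHO" if "browser helper" in key else "ShellExecuteHook"
                        if "shellexecutehooks" in key else "WinlogonNotify")
                points.append({"kind": kind, "target": m.group(0)})
        elif key.endswith("\\lsa") and line.startswith('"Authentication Packages"'):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":  # msv1_0 is the stock XP package
                    points.append({"kind": "LsaAuthPackage", "target": pkg})
        elif "mountpoints2" in key and line.lower().startswith("autorun\\command"):
            points.append({"kind": "AutoRun", "target": line.split("-", 1)[1].strip()})
    return points


def correlate(files_text, dump_text):
    """Largest burst, stems of its non-directory files, and for each load
    point whether its target came out of that burst."""
    burst = max(bursts(parse_files(files_text)), key=len, default=[])
    burst_stems = {stem(r["path"]) for r in burst if not r["attr"].startswith("d")}
    report = [(p["kind"], p["target"], stem(p["target"]) in burst_stems)
              for p in persistence_points(dump_text)]
    return burst, burst_stems, report


if __name__ == "__main__":
    burst, stems, report = correlate(FILES_CREATED, REGISTRY_DUMP)
    print("burst: %s .. %s, %d entries" % (burst[0]["ts"], burst[-1]["ts"], len(burst)))
    for kind, target, hit in report:
        print("%-17s %-40s %s" % (kind, target, "from burst" if hit else "not in burst"))
```

Every load point except the AutoRun resolves to a file created between 17:32:07 and 17:37:17 on 21 July. The D:\PStart.exe AutoRun handler is a separate finding (an autorun command cached for a removable drive) and is not tied to the burst by file time, which is why it is worth listing on its own rather than assuming it belongs to the same infection.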

#4 kahdah (Security Colleague, 11,138 posts)

Posted 31 July 2008 - 12:50 PM

Please download the OTMoveIt2 by OldTimer.
Save it to your desktop.
=======================================
After that, please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {59CF8D60-F8D7-42F5-9808-CD4594816FD0} - C:\WINDOWS\system32\jkkHWMcc.dll
O2 - BHO: (no name) - {64597F82-C793-4CB6-BF75-ED2B499AF886} - C:\WINDOWS\system32\fccaYOhe.dll
O20 - Winlogon Notify: jkkHWMcc - C:\WINDOWS\SYSTEM32\jkkHWMcc.dll



Now click on Fix Checked and then close HijackThis.
====================================
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator".)
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\ehOYaccf.ini2
    C:\WINDOWS\system32\fccaYOhe.dll
    C:\WINDOWS\system32\fccYRLBu.dll
    C:\WINDOWS\system32\byXOhFWM.dll
    C:\WINDOWS\system32\vtUmLebC.dll
    C:\WINDOWS\system32\jkkHWMcc.dll
    D:\PStart.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59bfb017-f45e-11dc-88a7-001422f6b191}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{59CF8D60-F8D7-42F5-9808-CD4594816FD0}
    [start explorer]
  • Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • OTMoveIt2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=========================
Please post these logs in your next reply:
New DSS log
OTMoveIt log
Malwarebytes log

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#5 natts133

  • Topic Starter
  • Members
  • 4 posts

Posted 31 July 2008 - 10:00 PM

Thank you, here are the scans

Deckard's System Scanner v20071014.68
Run by Natts133 on 2008-07-31 22:57:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 4.59 GiB (less than 15%) free.


-- HijackThis (run as Natts133.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:34 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\MSTMON_Q.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\REMOTE~1\REMOTE~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Natts133\Desktop\dss.exe
C:\DOCUME~1\Natts133\Desktop\Natts133.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F4017BC-D852-4193-8848-BF17421F3E63} - C:\WINDOWS\system32\rqRKbYss.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {64597F82-C793-4CB6-BF75-ED2B499AF886} - C:\WINDOWS\system32\fccaYOhe.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Control Server (RCSERVER) - Unknown owner - C:\PROGRA~1\REMOTE~1\REMOTE~1.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9418 bytes

-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 22:41:21 345 --ahs---- C:\WINDOWS\system32\ssYbKRqr.ini2
2008-07-31 22:39:40 0 d-------- C:\Documents and Settings\Natts133\Application Data\Malwarebytes
2008-07-31 22:39:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 22:39:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 23:58:42 0 d-------- C:\Program Files\MozyHome
2008-07-24 15:02:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-07-24 15:02:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-24 15:01:25 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-24 15:01:25 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-24 15:01:25 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-24 15:01:25 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-24 15:01:25 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-24 15:01:25 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-24 15:01:05 0 d-------- C:\WINDOWS\CSC
2008-07-22 12:27:02 0 d-------- C:\!KillBox
2008-07-22 12:10:48 0 d-------- C:\WINDOWS\pss
2008-07-22 11:41:24 0 d-------- C:\VundoFix Backups
2008-07-22 11:29:56 0 d-------- C:\Program Files\Trend Micro
2008-07-22 11:29:41 0 d-------- C:\Program Files\FeedStation
2008-07-22 11:29:37 0 d-------- C:\Program Files\FeedDemon
2008-07-22 11:28:09 0 d-------- C:\Program Files\AmazonPriceWatch
2008-07-21 17:33:29 0 d-------- C:\tt7-stuff
2008-07-21 17:32:07 0 d-------- C:\WINDOWS\TomTom.Navigator
2008-07-18 00:01:14 0 d-------- C:\Documents and Settings\Natts133\Application Data\dvdcss
2008-07-17 23:53:17 0 d-------- C:\Program Files\InterActual
2008-07-17 14:58:09 44544 -ra------ C:\WINDOWS\system32\MSXML4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-07-17 14:58:09 626960 -ra------ C:\WINDOWS\system32\hpvaut32.dll <Not Verified; Microsoft Corporation; >
2008-07-17 14:57:39 10752 --a------ C:\WINDOWS\system32\PSS938A5.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-07-17 14:55:50 2655 -----n--- C:\WINDOWS\hphmdl03.dat
2008-07-17 14:55:50 93391 --a------ C:\WINDOWS\HPHins03.dat
2008-07-17 14:55:33 659456 --a------ C:\WINDOWS\system32\hphmon06.exe <Not Verified; Hewlett-Packard; HP Photosmart>
2008-07-17 14:55:21 9505 --a------ C:\WINDOWS\system32\hphmon06.dat
2008-07-17 02:30:39 0 d-------- C:\Documents and Settings\Natts133\Application Data\hIq Inc
2008-07-17 01:44:37 0 d-------- C:\ttn240mfg
2008-07-17 01:36:57 0 d-------- C:\Program Files\PPCkitchen.org
2008-07-10 12:36:23 10752 --a------ C:\WINDOWS\system32\PSS143DA.DLL <Not Verified; Pharos Systems International; PHAROS>


-- Find3M Report ---------------------------------------------------------------

2008-07-31 22:55:53 0 d-------- C:\Documents and Settings\Natts133\Application Data\Launchy
2008-07-21 23:02:21 162934 --a------ C:\WINDOWS\system32\nvModes.dat
2008-07-17 19:49:30 0 d-------- C:\Program Files\Intel
2008-07-17 19:47:55 0 d-------- C:\Program Files\DIFX
2008-07-17 14:58:07 0 d-------- C:\Program Files\HP
2008-07-16 03:27:02 0 d-------- C:\Documents and Settings\Natts133\Application Data\BitTorrent
2008-07-11 01:00:23 0 d-------- C:\Documents and Settings\Natts133\Application Data\LimeWire
2008-07-01 17:40:28 0 d-------- C:\Program Files\Realtime Landscaping Architect Trial
2008-06-29 12:09:13 0 d-------- C:\Program Files\Realtime Landscaping Architect
2008-06-26 19:22:43 0 d-------- C:\Documents and Settings\Natts133\Application Data\GetRightToGo
2008-06-17 16:06:40 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F4017BC-D852-4193-8848-BF17421F3E63}]
C:\WINDOWS\system32\rqRKbYss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64597F82-C793-4CB6-BF75-ED2B499AF886}]
C:\WINDOWS\system32\fccaYOhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/15/2007 11:28 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/10/2007 12:22 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11/30/2006 08:50 AM]
"nwiz"="nwiz.exe" [11/17/2007 05:03 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/17/2007 05:03 AM]
"NVHotkey"="nvHotkey.dll" [11/17/2007 05:03 AM C:\WINDOWS\system32\nvhotkey.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/17/2007 05:03 AM]
"KONICA MINOLTA PagePro 1350WStatusDisplay"="C:\WINDOWS\system32\MSTMON_Q.EXE" [11/21/2004 09:42 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 12:03 PM C:\WINDOWS\KHALMNPR.Exe]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [01/07/2006 01:09 AM]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [01/07/2006 01:09 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 01:38 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 03:18 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 08:00 AM C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [11/18/2005 5:46:00 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM]
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [5/29/2007 6:35:58 PM]
MozyHome Status.lnk - C:\Program Files\MozyHome\mozystat.exe [7/30/2008 11:58:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRKbYss

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-31 22:58:00 ------------


_______________________________________________________________________________________________________________________________________



Explorer killed successfully
File move failed. C:\WINDOWS\system32\ehOYaccf.ini2 scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fccaYOhe.dll
C:\WINDOWS\system32\fccaYOhe.dll NOT unregistered.
C:\WINDOWS\system32\fccaYOhe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fccYRLBu.dll
C:\WINDOWS\system32\fccYRLBu.dll NOT unregistered.
C:\WINDOWS\system32\fccYRLBu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\byXOhFWM.dll
C:\WINDOWS\system32\byXOhFWM.dll NOT unregistered.
C:\WINDOWS\system32\byXOhFWM.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vtUmLebC.dll
C:\WINDOWS\system32\vtUmLebC.dll NOT unregistered.
C:\WINDOWS\system32\vtUmLebC.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkkHWMcc.dll
C:\WINDOWS\system32\jkkHWMcc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\jkkHWMcc.dll scheduled to be moved on reboot.
File/Folder D:\PStart.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59bfb017-f45e-11dc-88a7-001422f6b191} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59bfb017-f45e-11dc-88a7-001422f6b191}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{59CF8D60-F8D7-42F5-9808-CD4594816FD0} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{59CF8D60-F8D7-42F5-9808-CD4594816FD0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59CF8D60-F8D7-42F5-9808-CD4594816FD0}\ deleted successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07312008_223423

Files moved on Reboot...
C:\WINDOWS\system32\ehOYaccf.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkkHWMcc.dll
C:\WINDOWS\system32\jkkHWMcc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\jkkHWMcc.dll scheduled to be moved on reboot.

_____________________________________________________________________________________________________________


Malwarebytes' Anti-Malware 1.24
Database version: 1014
Windows 5.1.2600 Service Pack 2

10:52:41 PM 7/31/2008
mbam-log-7-31-2008 (22-52-41).txt

Scan type: Quick Scan
Objects scanned: 46930
Time elapsed: 11 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkkHWMcc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRKbYss.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{59cf8d60-f8d7-42f5-9808-cd4594816fd0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59cf8d60-f8d7-42f5-9808-cd4594816fd0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkhwmcc (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{59cf8d60-f8d7-42f5-9808-cd4594816fd0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jkkHWMcc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRKbYss.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Natts133\Local Settings\Temporary Internet Files\Content.IE5\25MIYSLM\CAJMAX7F (Trojan.Vundo) -> Quarantined and deleted successfully.

#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 01 August 2008 - 04:01 AM

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F4017BC-D852-4193-8848-BF17421F3E63}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64597F82-C793-4CB6-BF75-ED2B499AF886}]
Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
====================================
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\ssYbKRqr.ini2
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================
After that, post a new DSS log and the OTMoveIt log, and let me know how things are running.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
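As an added example (not from the thread and not kahdah's code), a small Python script that reads the LSA "Authentication Packages" line from the DSS registry dump above, flags the extra entry that is not a stock package, and verifies that the hex(7) value in fixthis.reg decodes back to exactly msv1_0. The helper names and the EXPECTED_PACKAGES list are this example's own assumptions.

```python
"""Check the LSA "Authentication Packages" fix from this thread.

Vundo added its DLL (rqRKbYss) as an extra LSA authentication package, so
lsass.exe loads it at logon. The REGEDIT4 fix rewrites the value as a
REG_MULTI_SZ holding only "msv1_0". REGEDIT4 writes REG_MULTI_SZ as
hex(7): the bytes of each NUL-terminated string, then one closing NUL,
so "msv1_0" becomes 6d,73,76,31,5f,30,00,00.

The two sample lines are copied from the thread; the helpers are mine.
"""
import re

# Copied from the DSS "Registry Dump" section of the thread.
DSS_LINE = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\rqRKbYss'
# Copied from the fixthis.reg posted in post #6.
FIX_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# Assumption for this example: the only package a stock Windows XP box lists.
EXPECTED_PACKAGES = ("msv1_0",)


def encode_multi_sz(strings):
    """Return the REGEDIT4 hex(7) literal for a REG_MULTI_SZ value.

    REGEDIT4 (the ANSI .reg format used by the fix) stores every string
    NUL-terminated, followed by one more NUL that closes the list.
    """
    data = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_multi_sz(hex7):
    """Parse a hex(7):... literal back into its list of strings."""
    if not hex7.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ literal")
    data = bytes(int(h, 16) for h in hex7[len("hex(7):"):].split(","))
    if not data.endswith(b"\x00"):
        raise ValueError("REG_MULTI_SZ data must end with a NUL")
    # Splitting on NUL leaves empty tails from the terminators; drop them.
    return [s.decode("ascii") for s in data.split(b"\x00") if s]


def parse_dss_auth_packages(line):
    """Extract the package list from a DSS dump line.

    DSS prints the REG_MULTI_SZ entries separated by spaces, so this assumes
    no entry itself contains a space (true for the system32 path here).
    """
    m = re.match(r'"Authentication Packages"=\s*(.*)$', line)
    if not m:
        raise ValueError("not an Authentication Packages line")
    return m.group(1).split()


def unexpected_packages(packages):
    """Return entries that are not a known-good LSA package (case-insensitive)."""
    return [p for p in packages if p.lower() not in EXPECTED_PACKAGES]


def fix_is_clean(fix_line):
    """True if a REGEDIT4 'Authentication Packages' line restores only msv1_0."""
    name, _, value = fix_line.partition("=")
    return (name == '"Authentication Packages"'
            and decode_multi_sz(value) == list(EXPECTED_PACKAGES))


if __name__ == "__main__":
    found = parse_dss_auth_packages(DSS_LINE)
    print("DSS lists:", found)
    print("not a stock package:", unexpected_packages(found))
    print("fix decodes to:", decode_multi_sz(FIX_LINE.partition("=")[2]))
    print("fix is clean:", fix_is_clean(FIX_LINE))
    print("regenerated literal:", encode_multi_sz(["msv1_0"]))
```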

#7 natts133

  • Topic Starter
  • Members
  • 4 posts

Posted 01 August 2008 - 07:52 AM

C:\WINDOWS\system32\ssYbKRqr.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08012008_084358


Deckard's System Scanner v20071014.68
Run by Natts133 on 2008-08-01 08:46:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 4.31 GiB (less than 15%) free.


-- HijackThis (run as Natts133.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:03 AM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Natts133\Desktop\dss.exe
C:\DOCUME~1\Natts133\Desktop\Natts133.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F4017BC-D852-4193-8848-BF17421F3E63} - C:\WINDOWS\system32\rqRKbYss.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {64597F82-C793-4CB6-BF75-ED2B499AF886} - C:\WINDOWS\system32\fccaYOhe.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Control Server (RCSERVER) - Unknown owner - C:\PROGRA~1\REMOTE~1\REMOTE~1.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9395 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 08:41:37 126779062 --a------ C:\registrybackup.reg
2008-07-31 22:39:40 0 d-------- C:\Documents and Settings\Natts133\Application Data\Malwarebytes
2008-07-31 22:39:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 22:39:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 23:58:42 0 d-------- C:\Program Files\MozyHome
2008-07-24 15:02:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-07-24 15:02:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-24 15:01:25 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-24 15:01:25 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-24 15:01:25 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-24 15:01:25 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-24 15:01:25 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-24 15:01:25 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-24 15:01:25 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-24 15:01:25 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-24 15:01:05 0 d-------- C:\WINDOWS\CSC
2008-07-22 12:27:02 0 d-------- C:\!KillBox
2008-07-22 12:10:48 0 d-------- C:\WINDOWS\pss
2008-07-22 11:41:24 0 d-------- C:\VundoFix Backups
2008-07-22 11:29:56 0 d-------- C:\Program Files\Trend Micro
2008-07-22 11:29:41 0 d-------- C:\Program Files\FeedStation
2008-07-22 11:29:37 0 d-------- C:\Program Files\FeedDemon
2008-07-22 11:28:09 0 d-------- C:\Program Files\AmazonPriceWatch
2008-07-21 17:33:29 0 d-------- C:\tt7-stuff
2008-07-21 17:32:07 0 d-------- C:\WINDOWS\TomTom.Navigator
2008-07-18 00:01:14 0 d-------- C:\Documents and Settings\Natts133\Application Data\dvdcss
2008-07-17 23:53:17 0 d-------- C:\Program Files\InterActual
2008-07-17 14:58:09 44544 -ra------ C:\WINDOWS\system32\MSXML4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-07-17 14:58:09 626960 -ra------ C:\WINDOWS\system32\hpvaut32.dll <Not Verified; Microsoft Corporation; >
2008-07-17 14:57:39 10752 --a------ C:\WINDOWS\system32\PSS938A5.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-07-17 14:55:50 2655 -----n--- C:\WINDOWS\hphmdl03.dat
2008-07-17 14:55:50 93391 --a------ C:\WINDOWS\HPHins03.dat
2008-07-17 14:55:33 659456 --a------ C:\WINDOWS\system32\hphmon06.exe <Not Verified; Hewlett-Packard; HP Photosmart>
2008-07-17 14:55:21 9505 --a------ C:\WINDOWS\system32\hphmon06.dat
2008-07-17 02:30:39 0 d-------- C:\Documents and Settings\Natts133\Application Data\hIq Inc
2008-07-17 01:44:37 0 d-------- C:\ttn240mfg
2008-07-17 01:36:57 0 d-------- C:\Program Files\PPCkitchen.org
2008-07-10 12:36:23 10752 --a------ C:\WINDOWS\system32\PSS143DA.DLL <Not Verified; Pharos Systems International; PHAROS>


-- Find3M Report ---------------------------------------------------------------

2008-08-01 08:39:52 0 d-------- C:\Documents and Settings\Natts133\Application Data\Launchy
2008-07-31 23:43:57 0 d-------- C:\Documents and Settings\Natts133\Application Data\LimeWire
2008-07-21 23:02:21 162934 --a------ C:\WINDOWS\system32\nvModes.dat
2008-07-17 19:49:30 0 d-------- C:\Program Files\Intel
2008-07-17 19:47:55 0 d-------- C:\Program Files\DIFX
2008-07-17 14:58:07 0 d-------- C:\Program Files\HP
2008-07-16 03:27:02 0 d-------- C:\Documents and Settings\Natts133\Application Data\BitTorrent
2008-07-01 17:40:28 0 d-------- C:\Program Files\Realtime Landscaping Architect Trial
2008-06-29 12:09:13 0 d-------- C:\Program Files\Realtime Landscaping Architect
2008-06-26 19:22:43 0 d-------- C:\Documents and Settings\Natts133\Application Data\GetRightToGo
2008-06-17 16:06:40 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F4017BC-D852-4193-8848-BF17421F3E63}]
C:\WINDOWS\system32\rqRKbYss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64597F82-C793-4CB6-BF75-ED2B499AF886}]
C:\WINDOWS\system32\fccaYOhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/15/2007 11:28 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/10/2007 12:22 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11/30/2006 08:50 AM]
"nwiz"="nwiz.exe" [11/17/2007 05:03 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/17/2007 05:03 AM]
"NVHotkey"="nvHotkey.dll" [11/17/2007 05:03 AM C:\WINDOWS\system32\nvhotkey.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/17/2007 05:03 AM]
"KONICA MINOLTA PagePro 1350WStatusDisplay"="C:\WINDOWS\system32\MSTMON_Q.EXE" [11/21/2004 09:42 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 12:03 PM C:\WINDOWS\KHALMNPR.Exe]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [01/07/2006 01:09 AM]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [01/07/2006 01:09 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 01:38 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 03:18 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 08:00 AM C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [11/18/2005 5:46:00 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM]
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [5/29/2007 6:35:58 PM]
MozyHome Status.lnk - C:\Program Files\MozyHome\mozystat.exe [7/30/2008 11:58:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

-- End of Deckard's System Scanner: finished at 2008-08-01 08:47:21 ------------

Things are running quite well again, at least on the surface. The rogue files still appear in the HijackThis scan but say "file missing" next to them. These pose no threat do they?

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:28 PM

Posted 01 August 2008 - 11:03 AM

No, they are leftovers in the registry; no threats left.
===================
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {0F4017BC-D852-4193-8848-BF17421F3E63} - C:\WINDOWS\system32\rqRKbYss.dll (file missing)
O2 - BHO: (no name) - {64597F82-C793-4CB6-BF75-ED2B499AF886} - C:\WINDOWS\system32\fccaYOhe.dll (file missing)



Now click on Fix Checked and then close Hijackthis.
==================================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
===============
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
======================
Use a Firewall:

Install and use a firewall with outbound protection.
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall or ZoneAlarm.
See BleepingComputer's excellent tutorial to help using and understanding a firewall here.
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


=============================
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them; they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
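The two judgement calls kahdah makes above (a "(file missing)" BHO is an orphaned registry reference, not a live threat, while a nameless BHO with a random-looking DLL name in system32 is the thing to chase) can be written down as log triage. The script below is an added illustration and is not part of this thread, of HijackThis or of any BleepingComputer tool. It parses O2 (BHO) and O23 (service) lines of the shape posted in this topic and returns a finding per entry worth a look. The random-name test is my own heuristic, the sample log is constructed (modelled on the lines above, with a made-up "Example PDF Helper" entry and placeholder CLSID to show a BHO that raises no flag), and "Unknown owner" is treated as "needs a manual look", not as evidence of infection, since the log above shows MozyHome and Dell's WLAN service carrying that label too.

```python
"""HijackThis log triage (illustration only, not a tool from this thread).

Flags raised:
  orphaned-bho       : registry still references a BHO DLL that is gone
                       ("(file missing)"); leftover entry, fix it in HijackThis
  suspicious-bho     : nameless BHO whose DLL has a Vundo-style random name
                       directly under system32 (jkkHWMcc.dll, rqRKbYss.dll)
  unverified-service : service with no vendor string ("Unknown owner");
                       review manually, it is not proof of anything
"""
import re
from dataclasses import dataclass
from typing import List

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# An 8-letter stem (no digits) sitting directly under system32.
SYSTEM32_STEM_RE = re.compile(r"\\system32\\([A-Za-z]{8})\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    ident: str   # CLSID for a BHO, service name for a service
    path: str


def looks_generated(path: str) -> bool:
    """Heuristic (mine, not HijackThis's) for random Vundo-style names: an
    8-letter stem directly in system32 mixing upper and lower case. A
    prioritisation aid only; a legitimate DLL can match in rare cases."""
    m = SYSTEM32_STEM_RE.search(path)
    if not m:
        return False
    stem = m.group(1)
    return any(c.islower() for c in stem) and any(c.isupper() for c in stem)


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding("orphaned-bho", m.group("clsid"), m.group("path")))
            elif m.group("name") == "(no name)" and looks_generated(m.group("path")):
                findings.append(Finding("suspicious-bho", m.group("clsid"), m.group("path")))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding("unverified-service", m.group("name"), m.group("path")))
    return findings


# Constructed sample modelled on this thread's log. The "Example PDF Helper"
# line and its all-zero CLSID are placeholders for a BHO that raises no flag.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\ExampleHelper.dll",
    r"O2 - BHO: (no name) - {59CF8D60-F8D7-42F5-9808-CD4594816FD0} - C:\WINDOWS\system32\jkkHWMcc.dll",
    r"O2 - BHO: (no name) - {0F4017BC-D852-4193-8848-BF17421F3E63} - C:\WINDOWS\system32\rqRKbYss.dll (file missing)",
    r"O2 - BHO: (no name) - {64597F82-C793-4CB6-BF75-ED2B499AF886} - C:\WINDOWS\system32\fccaYOhe.dll (file missing)",
    r"O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe",
    r"O23 - Service: Remote Control Server (RCSERVER) - Unknown owner - C:\PROGRA~1\REMOTE~1\REMOTE~1.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.ident}  {f.path}")
```

Run against the sample it reports the live jkkHWMcc.dll BHO as suspicious, the two "(file missing)" entries as orphans, and the RCSERVER service as unverified; the McAfee service and the named BHO pass. Orphaned entries are exactly what "Fix checked" in HijackThis removes; a suspicious live BHO is the one that still needs a scanner, not a registry edit.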

#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:28 PM

Posted 16 August 2008 - 08:28 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbsup:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.



