server.exe keeps coming back

#1 wooward


  • Members
  • 6 posts
  • Local time:09:30 AM

Posted 04 April 2009 - 07:21 PM

I recently got a 0x80004005 activation error on my XP Media Center 2005 computer. I changed the userinit registry data by using the following link http://forums.spybot.info/blog.php?b=14. It worked for a while, but eventually I was forced to do a Recovery install over my current installation. I reactivated using a real CD key, as I own an official version of XP Media Center 2005. My computer now boots up, but the Userinit registry value is always changed after reboot. I used Spy Sweeper 5.5 and Malwarebytes' Anti-Malware 1.35. Upon startup, Anti-Malware 1.35 detects the server.exe spyware and deletes it, and after a restart it is back. The Userinit registry value is


after every restart even after Anti-Malware changes it back to


The problem I am having is that after a certain period of time, none of my web browsers can connect to the internet anymore. Using a command prompt I can ping yahoo.com, so I am still connected; I just can't use my web browsers. I have attached the following HijackThis info. Thanks in advance for your help.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ed at 5:13:22.15 on Sat 04/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.2654 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Ed.WOOWARD-DUAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Silicondust\HDHomeRun\hdhomerun_manager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\RhinoSoft.com\Serv-U\Serv-U.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Ed.WOOWARD-DUAL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://rsvpn.raytheon.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\windows\server.exe",
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [Google Update] "c:\documents and settings\ed.wooward-dual\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [IDMan] "c:\program files\internet download manager\IDMan.exe" /onboot
uRun: [updates] c:\windows\server.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "c:\program files\google\gmail notifier\gnotify.exe"
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
uExplorerRun: [updates.w] c:\windows\server.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hdhome~1.lnk - c:\program files\silicondust\hdhomerun\hdhomerun_manager.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek rtl8185 wireless lan driver and utility\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{cc15a5fc-b6d3-4a2d-8a26-d8f2702a3c00}\IcoUltraMon.ico
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - hxxps://rsvpn.raytheon.com/download/,DanaInfo=ES2-MSG02.raymail.ray.com+dolcontrol.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://rsvpn.raytheon.com/,DanaInfo=ES2-MSG02.raymail.ray.com+dwa7W.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\edc613~1.woo\applic~1\mozilla\firefox\profiles\69qsl4t8.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\ed.wooward-dual\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\ed.wooward-dual\application data\mozilla\firefox\profiles\69qsl4t8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\ed.wooward-dual\application data\mozilla\firefox\profiles\69qsl4t8.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\ed.wooward-dual\local settings\application data\google\update\\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-6-2 13560]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2008-12-13 5152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Serv-U;Serv-U File Server;c:\program files\rhinosoft.com\serv-u\Serv-U.exe [2008-8-20 131072]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-9-14 10496]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-6-2 3572592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-27 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090404.003\naveng.sys [2009-4-3 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090404.003\navex15.sys [2009-4-3 876144]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [2008-6-2 401280]
R3 Ramdisk;Windows RAM Disk Driver;c:\windows\system32\drivers\ramdisk.sys [2009-3-29 20736]
S0 RRamdisk;Ramdisk Driver;c:\windows\system32\drivers\rramdisk.sys [2008-11-16 10368]
S2 AutoExNT;AutoExNT;c:\windows\system32\Autoexnt.exe [2008-6-1 5904]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-7-20 13352]
S3 GoogleDesktopManager-051608-133132;Google Desktop Manager 5.7.805.16405;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-10 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2009-4-3 13532]
S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [2007-11-6 12288]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-04-04 02:22 <DIR> --d----- c:\program files\Trend Micro
2009-04-03 11:26 <DIR> --d----- c:\program files\REALTEK RTL8185 Wireless LAN Driver and Utility
2009-04-03 10:16 21,419 a------- c:\windows\system32\drivers\AegisP.sys
2009-04-03 10:16 13,532 a------- c:\windows\system32\drivers\SjyPkt.sys
2009-04-03 10:13 302,848 a------- c:\windows\system32\drivers\rtl8185.sys
2009-04-02 23:02 <DIR> --d----- c:\program files\FileZilla 3
2009-04-02 21:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-02 21:24 <DIR> --d----- C:\project
2009-04-02 21:17 <DIR> --d----- C:\MinGW
2009-04-02 20:19 <DIR> --d----- c:\program files\Crimson Editor
2009-04-02 19:49 <DIR> --d----- c:\docume~1\edc613~1.woo\applic~1\StarNet
2009-04-02 19:42 <DIR> --d----- c:\program files\StarNet
2009-04-02 13:43 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-02 13:43 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-02 13:43 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-02 13:43 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-02 13:14 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-04-02 13:14 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-02 13:14 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-04-02 13:14 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-04-02 13:14 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-02 13:14 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-04-02 13:14 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-04-02 13:14 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-04-02 13:14 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-31 18:04 14,936 a------- C:\asgasglknsg.torrent
2009-03-31 17:57 14,936 a------- C:\fisdgsdggsle.torrent
2009-03-31 14:00 208,948 a------- C:\fdsgsdhildhfshdhshe.exe
2009-03-31 13:58 208,948 a------- C:\dslgkndsgdsglkndsg.exe
2009-03-30 23:04 <DIR> --d----- c:\program files\Microsoft IntelliType Pro
2009-03-30 22:47 208,948 a------- C:\filesdgdsgsd.exe
2009-03-30 22:44 208,948 a------- C:\fisdgdsgsdgle.exe
2009-03-30 16:32 196,660 a------- C:\asdldkb.exe
2009-03-30 16:31 196,660 a------- C:\filesdgdsg.exe
2009-03-30 16:28 196,660 a------- C:\asdlkb.exe
2009-03-30 16:25 196,660 a------- C:\aslkb.exe
2009-03-29 23:12 <DIR> --d----- c:\temp\tmp
2009-03-29 23:06 176,128 a------- c:\windows\Ѩ7֫
2009-03-29 23:06 176,128 a------- c:\windows\E7֫
2009-03-29 22:48 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-29 22:48 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-29 22:47 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-29 22:47 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-29 22:47 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-29 22:47 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-29 22:46 176,128 a------- c:\windows\ԧkԧkԧkԧkԧO
2009-03-29 22:45 13,646 a------- c:\windows\system32\wpa.bak
2009-03-29 22:34 40,448 ac------ c:\windows\system32\dllcache\snmpthrd.dll
2009-03-29 22:33 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-03-29 22:31 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-29 22:31 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-29 22:31 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-29 22:31 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-29 22:31 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-03-29 22:31 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-29 22:30 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-03-29 22:30 32,768 ac------ c:\windows\system32\dllcache\icwdl.dll
2009-03-29 22:30 214,528 ac------ c:\windows\system32\dllcache\icwconn1.exe
2009-03-29 22:30 86,016 ac------ c:\windows\system32\dllcache\icwconn2.exe
2009-03-29 22:30 20,480 ac------ c:\windows\system32\dllcache\inetwiz.exe
2009-03-29 22:18 152,576 a------- c:\windows\system32\irftp.exe
2009-03-29 22:18 27,136 a------- c:\windows\system32\irmon.dll
2009-03-29 22:18 8,192 a------- c:\windows\system32\wshirda.dll
2009-03-29 22:10 20,736 ac------ c:\windows\system32\dllcache\ramdisk.sys
2009-03-29 22:10 20,736 a------- c:\windows\system32\drivers\ramdisk.sys
2009-03-29 20:46 <DIR> --d----- c:\docume~1\edc613~1.woo\applic~1\Malwarebytes
2009-03-29 20:46 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 20:46 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-29 20:46 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-03-29 20:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-29 20:11 16,384 a------- c:\windows\~DF1335.tmp
2009-03-29 20:11 16,384 a------- c:\windows\~DF52C1.tmp
2009-03-29 17:22 380,980 a------- C:\sdsfafknex.exe
2009-03-29 17:20 16,352 a------- C:\safknex.exe
2009-03-29 16:58 16,384 a------- c:\windows\~DF1275.tmp
2009-03-29 16:57 16,384 a------- c:\windows\~DF1B43.tmp
2009-03-29 14:25 89,828 a------- c:\windows\system32\actshell.htm
2009-03-29 14:24 13,668 a------- c:\windows\system32\wpa.dbl
2009-03-29 14:24 58,880 ac------ c:\windows\system32\dllcache\licwmi.dll
2009-03-29 14:24 58,880 a------- c:\windows\system32\licwmi.dll
2009-03-28 21:24 16,384 a------- c:\windows\~DFDE71.tmp
2009-03-28 21:24 16,384 a------- c:\windows\~DF1FF1.tmp
2009-03-27 22:51 13,216,672 a--shr-- c:\docume~1\edc613~1.woo\applic~1\server.exe
2009-03-27 22:07 16,384 a------- c:\windows\~DFA078.tmp
2009-03-27 22:07 176,128 a------- c:\windows\OKOKOKOKOKOKOKOKOKOKOKOKOKOKO
2009-03-27 22:02 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-03-27 22:02 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-03-27 22:00 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-03-26 21:03 13,970 a------- C:\filesdgsdg.torrent
2009-03-25 20:23 14,451 a------- C:\sdgsdglknmg.torrent
2009-03-25 20:22 14,451 a------- C:\sdgsdglkng.torrent
2009-03-25 17:30 14,451 a------- C:\aslfkjbsna.torrent
2009-03-24 23:18 <DIR> --d----- c:\program files\ImTOO
2009-03-24 23:16 <DIR> --d----- c:\program files\iSofter
2009-03-24 23:14 45,056 a------- c:\windows\system32\WNASPI32.DLL
2009-03-24 23:14 16,512 a------- c:\windows\system32\drivers\ASPI32.SYS
2009-03-24 22:49 14,909 a------- c:\windows\system32\A_reg.reg
2009-03-24 22:49 114,688 a------- c:\windows\system32\PropListCtrl.ocx
2009-03-24 22:48 <DIR> --d----- C:\ConverterOutput
2009-03-24 22:47 2,255,360 a------- c:\windows\system32\libavcodec.dll
2009-03-24 22:47 1,761,280 a------- c:\windows\system32\ffdshow.ax
2009-03-24 22:47 395,776 a------- c:\windows\system32\libmplayer.dll
2009-03-24 22:47 372,736 a------- c:\windows\system32\xvid.ax
2009-03-24 22:47 262,144 a------- c:\windows\system32\TomsMoComp_ff.dll
2009-03-24 22:47 112,640 a------- c:\windows\system32\libmpeg2_ff.dll
2009-03-24 22:47 34,820 a------- c:\windows\system32\ffdshow.reg
2009-03-24 22:47 <DIR> --d----- c:\program files\Cucusoft
2009-03-24 22:40 <DIR> --d----- c:\program files\Avex
2009-03-24 19:03 <DIR> --d----- C:\OPNET_license
2009-03-24 19:02 <DIR> --d----- c:\documents and settings\ed.wooward-dual\op_models
2009-03-24 19:02 <DIR> --d----- c:\documents and settings\ed.wooward-dual\op_admin
2009-03-24 15:53 16,384 a------- c:\windows\~DFB8A7.tmp
2009-03-24 15:53 176,128 a------- c:\windows\7D
2009-03-24 09:57 89,828 a------- c:\windows\system32\actshell.older
2009-03-24 09:56 423,936 a------- c:\windows\system32\licdll.older
2009-03-24 09:56 397,824 a------- c:\windows\system32\regwizc.older
2009-03-24 09:56 58,880 a------- c:\windows\system32\licwmi.older
2009-03-24 09:56 32,256 a------- c:\windows\system32\wpabaln.older
2009-03-24 09:56 2,206 a------- c:\windows\system32\wpa.older
2009-03-23 22:38 <DIR> --d----- c:\program files\OPNET EDU
2009-03-21 15:53 50,620 a------- c:\windows\system32\command.com.bak
2009-03-21 15:53 2,577 a------- c:\windows\system32\config.nt.bak
2009-03-21 15:53 1,688 a------- c:\windows\system32\autoexec.nt.bak
2009-03-21 15:45 <DIR> --d-h--- c:\windows\PIF
2009-03-20 17:44 380,980 a------- C:\fsdgs122e.exe
2009-03-18 16:02 16,384 a------- c:\windows\~DF96DE.tmp
2009-03-18 13:13 16,384 a------- c:\windows\~DF324E.tmp
2009-03-18 13:09 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-18 13:09 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 13:08 <DIR> --d----- c:\program files\iPod
2009-03-18 13:08 <DIR> --d----- c:\program files\iTunes
2009-03-18 13:08 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 14:08 16,384 a------- c:\windows\~DF831C.tmp
2009-03-12 02:17 16,384 a------- c:\windows\~DFE81D.tmp
2009-03-12 02:17 16,384 a------- c:\windows\~DF3117.tmp
2009-03-12 02:09 16,384 a------- c:\windows\~DF2812.tmp
2009-03-11 09:07 16,384 a------- c:\windows\~DFFD5F.tmp
2009-03-11 09:07 16,384 a------- c:\windows\~DF22EB.tmp
2009-03-06 23:13 16,384 a------- c:\windows\~DFF92E.tmp
2009-03-06 23:13 16,384 a------- c:\windows\~DF7E1C.tmp
2009-03-06 23:12 16,384 a------- c:\windows\~DF109A.tmp
2009-03-06 20:33 16,384 a------- c:\windows\~DFE652.tmp
2009-03-06 20:33 16,384 a------- c:\windows\~DFBD2F.tmp
2009-03-06 20:32 16,384 a------- c:\windows\~DF371A.tmp

==================== Find3M ====================

2009-04-03 03:29 73,800 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-03-29 22:53 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-29 22:27 34,284 a------- c:\windows\system32\emptyregdb.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-19 01:01 16,384 a------- c:\windows\~DFB87E.tmp
2009-02-09 02:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-26 21:59 16,384 a------- c:\windows\~DFA81D.tmp
2009-01-04 20:58 16,384 a------- c:\windows\~DF4D7C.tmp
2009-01-04 20:58 16,384 a------- c:\windows\~DFAA0C.tmp
2009-01-04 20:58 16,384 a------- c:\windows\~DFA4AA.tmp
2008-11-27 23:16 0 a------- c:\program files\error.dat
2008-11-02 22:03 14,566,424 a------- c:\docume~1\alluse~1.win\applic~1\vlc-0.9.4-win32.exe
2008-11-21 21:40 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-11-21 21:40 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-11-21 21:40 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 5:14:18.37 ===============
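
The hijacked Userinit value, the two `updates` Run entries pointing at c:\windows\server.exe, and the random-named executables at C:\ all have a mechanical signature in the report above. The following Python is an added example, not code from the thread or from the DDS tool; it parses those DDS report line types and flags the pattern, assuming %windir% is c:\windows and using a few lines copied from the posted report as its constructed sample input.

```python
"""Audit DDS report lines for the persistence pattern seen in this thread.

Added example; not part of the thread and not part of the DDS tool. It flags
a Userinit value carrying anything besides the stock userinit.exe, Run and
ExplorerRun entries whose target sits directly in the Windows directory, and
executables created at a drive root or with hidden/system attributes outside
Program Files. Assumption: %windir% is c:\\windows, as on the reporting PC.
"""
import ntpath
import re
from typing import List, NamedTuple

WINDIR = r"c:\windows"                                   # assumed, see docstring
EXPECTED_USERINIT = WINDIR + r"\system32\userinit.exe"   # stock Windows XP value
# Extensions post #4 says never to back up, plus .dll.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".dll")

USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(?P<value>.*)$", re.I)
AUTOSTART_RE = re.compile(
    r"^(?P<hive>[um])(?P<key>Run|RunOnce|ExplorerRun): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")


class Finding(NamedTuple):
    kind: str    # userinit_extra | autostart_in_windir | exe_in_drive_root | hidden_system_exe
    where: str   # report key or section the finding came from
    target: str  # file the entry points at


def first_path(cmd: str) -> str:
    """Executable portion of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_drive_root(directory: str) -> bool:
    return re.fullmatch(r"[a-z]:\\?", directory.lower()) is not None


def check_userinit(value: str) -> List[Finding]:
    """Userinit is comma-separated; every extra entry runs at each logon."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [Finding("userinit_extra", "Winlogon\\Userinit", e)
            for e in entries if e and e.lower() != EXPECTED_USERINIT]


def check_autostart(hive: str, key: str, name: str, cmd: str) -> List[Finding]:
    """Installers use subfolders; a Run target directly in %windir% is a red flag."""
    target = first_path(cmd)
    if target and ntpath.dirname(target).lower() == WINDIR:
        return [Finding("autostart_in_windir", f"{hive}{key} [{name}]", target)]
    return []


def check_created(attrs: str, path: str) -> List[Finding]:
    """Recently created executables at a drive root, or hidden/system ones outside Program Files."""
    low = path.lower()
    if not low.endswith(EXEC_EXTENSIONS):
        return []
    if is_drive_root(ntpath.dirname(low)):
        return [Finding("exe_in_drive_root", "Created Last 30", path)]
    if ("s" in attrs or "h" in attrs) and "program files" not in low:
        return [Finding("hidden_system_exe", "Created Last 30", path)]
    return []


def audit(report: str) -> List[Finding]:
    """Walk a DDS report and collect findings in line order."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := USERINIT_RE.match(line):
            findings += check_userinit(m["value"])
        elif m := AUTOSTART_RE.match(line):
            findings += check_autostart(m["hive"], m["key"], m["name"], m["cmd"])
        elif m := CREATED_RE.match(line):
            findings += check_created(m["attrs"], m["path"])
    return findings


# Constructed sample: a handful of lines copied from the report posted above.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\windows\server.exe",
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IDMan] "c:\program files\internet download manager\IDMan.exe" /onboot
uRun: [updates] c:\windows\server.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [<NO NAME>]
uExplorerRun: [updates.w] c:\windows\server.exe
2009-04-02 21:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-31 14:00 208,948 a------- C:\fdsgsdhildhfshdhshe.exe
2009-03-29 20:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 22:51 13,216,672 a--shr-- c:\docume~1\edc613~1.woo\applic~1\server.exe
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"{f.kind:20} {f.where:26} {f.target}")
```

Running it against the full report text instead of the excerpt reproduces the same entries the helper's reply below singles out, which is the point: the hijack is visible before any signature engine names it.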

#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:30 PM

Posted 09 April 2009 - 08:11 PM


You have a nasty infection on board. One of them includes a backdoor.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#3 wooward

  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:30 AM

Posted 10 April 2009 - 02:34 AM

I have decided the best action will be to reformat and reinstall the OS. I need to save files off this hard drive and am copying them to another drive. Will doing this also copy the trojan as well?

#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:30 PM

Posted 10 April 2009 - 09:18 AM


I would use a removable drive. Best if it's a CD, but if not a flash-drive or an external hard-drive would work. Also, you should format the WHOLE computer if your drives are partitioned. The trojan can be anywhere so to be safe you should format all the drives on the computer.

Run this tool first with the flash-drive/external-harddrive plugged in if you are going to use that.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Regarding backup:

When backing up files and data there are mainly two general guidelines:

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc..., as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.

Note: Some may want to be safe, wondering whether their data files are infected or not. To make sure, you should scan those files using an anti-virus scanner and an anti-malware/anti-spyware scanner, making sure they are free from malware before transferring them to your newly formatted computer. From what I have seen the results were always CLEAN, meaning they were not infected at all.

#5 wooward

  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:30 AM

Posted 10 April 2009 - 11:01 AM

I am currently unable to use external media to save my data to. However, I have multiple hard drives installed in my computer (not partitions, actual physical drives). Will Flash_disinfector work on them and then can I save to those drives?

#6 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:30 PM

Posted 10 April 2009 - 11:08 AM


Although you have many drives on your computer like C:\ drive, D:\ drive, E:\ drive etc... the trojan can be anywhere in any of those drives so you will still need to format those drives as well.

Flash-drive disinfector does not protect you against all kinds of malware. Flash-drive disinfector is ONLY used to prevent those annoying autorun.inf worms; other than that it won't help you at all.

If you have a big flash-drive or something, you can transfer it to that and then transfer it to another computer if you have one. Then, after the format of the infected computer, you can transfer it back.

All drives on the computer should be formatted.

#7 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:30 PM

Posted 12 April 2009 - 03:45 PM


Below are just some prevention tips. I will close off this topic soon. Good luck on the format!

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use methods (plugged by the updates) that have not been stopped because people do not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet
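
The autorun.inf mechanism described above can be triaged before a drive is ever double-clicked: the file is plain INI text, and only a few directives make it launch anything. The following Python is an added example, not from the thread or from any tool it names; both sample files and the paths in them are constructed.

```python
"""Triage an autorun.inf for the behaviour post #7 describes: does it launch
anything, and what? Added example, not from the thread; both sample files and
every path in them are constructed.
"""
from typing import Dict, List

# Directives that run a program when the drive is autorun/autoplayed or its
# icon is double-clicked in Explorer.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser that tolerates the junk lines worms pad files with."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()   # [AutoRun] and [autorun] are the same
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # padding or a stray line outside any section
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text: str) -> List[str]:
    """Every command the file would execute; an empty list means it is cosmetic only."""
    auto = parse_autorun(text).get("autorun", {})
    targets = [auto[k] for k in LAUNCH_KEYS if k in auto]
    # shell\<verb>\command rewires Explorer's context-menu verbs (Open, Explore, ...),
    # which is how a "Double-click" or "Explore" on the drive icon ends up running code.
    targets += [v for k, v in auto.items()
                if k.startswith("shell\\") and k.endswith("\\command")]
    return targets


# Constructed samples. The first is what a vendor CD typically ships; the
# second has the shape of the USB worms the post describes.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

WORMLIKE_INF = r"""[AutoRun]
;constructed sample: padding line below is the kind of junk worms insert
@@zq81kd@@
open=hidden\server.exe
shell\open\command=hidden\server.exe
shell\explore\command=hidden\server.exe
shellexecute=hidden\server.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("wormlike", WORMLIKE_INF)):
        print(name, "->", launch_targets(inf) or "no launch directive")
```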

#8 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:30 PM

Posted 12 April 2009 - 03:46 PM


