Faux Windows Security Center (SystemDefender) [CLOSED]


  • This topic is locked

#1
NottaTechGuy

    New Member

  • Member
  • 2 posts
My boss brought in this infected computer from home. Not only was it infested, the faux program System Defender had been fully installed - ouch. I had my boss cancel his credit card right away. (FYI, calling the System Defender helpline results in a very sophisticated voicemail system - you would swear you were really on hold for tech support!)

I have burned a UBCD4WIN 3.13 boot disk, with recent antivirus/antimalware updates, and eradicated most of the infections (a LOT of Trojans). I have run just about every program under the sun (from the boot disk), and I installed Spyware Doctor on the hard disk itself. Spyware Doctor, run from the hard disk, does not take care of the infection either. When I boot from the hard disk, the first thing to pop up is the faux Windows Security Center, enticing the user to download one of its three trojans.

Specific programs run from UBCD4WIN boot disk: Adaware, Spy Bot, Super Antispyware, AVG, AVPersonal, McAfee Stinger.

My final option is to back up what files I can and use his Dell disks to bring the PC back to factory conditions (reinstalling Windows).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:26 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeff.AMY\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DVA Gate - {5BFC1E05-8287-420E-8526-F6D76E1FEBB8} - C:\WINDOWS\gndarmblsnv.dll (file missing)
O2 - BHO: DVA Gate - {AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3} - C:\WINDOWS\qnmargolewk.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: dpevflbg - {CE66268D-0208-4D9E-8BC7-12D91072A34D} - C:\WINDOWS\dpevflbg.dll (file missing)
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BM43e16768] Rundll32.exe "C:\WINDOWS\system32\gwkjytds.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [A00F4565646.exe] C:\DOCUME~1\Jeff.AMY\LOCALS~1\Temp\_A00F4565646.exe
O4 - HKCU\..\Run: [hpobpthu] C:\WINDOWS\system32\slmnobaf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [dwDDoyhevo] C:\Documents and Settings\All Users\Application Data\tslgpivg\fejspkxg.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...Fix/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: caeuocun - C:\WINDOWS\SYSTEM32\caeuocun.dll
O20 - Winlogon Notify: qoMggDvv - qoMggDvv.dll (file missing)
O20 - Winlogon Notify: urqonli - urqonli.dll (file missing)
O20 - Winlogon Notify: __c001A0A9 - C:\WINDOWS\system32\__c001A0A9.dat (file missing)
O20 - Winlogon Notify: __c0036B6E - C:\WINDOWS\system32\__c0036B6E.dat (file missing)
O20 - Winlogon Notify: __c003BE07 - C:\WINDOWS\system32\__c003BE07.dat (file missing)
O20 - Winlogon Notify: __c0081A90 - C:\WINDOWS\system32\__c0081A90.dat (file missing)
O20 - Winlogon Notify: __c008700C - C:\WINDOWS\system32\__c008700C.dat (file missing)
O20 - Winlogon Notify: __c00B4A2C - C:\WINDOWS\system32\__c00B4A2C.dat (file missing)
O20 - Winlogon Notify: __c00CDE30 - C:\WINDOWS\system32\__c00CDE30.dat (file missing)
O20 - Winlogon Notify: __c00D2AFA - C:\WINDOWS\system32\__c00D2AFA.dat (file missing)
O20 - Winlogon Notify: __c00DA7A9 - C:\WINDOWS\system32\__c00DA7A9.dat (file missing)
O20 - Winlogon Notify: __c00E64D9 - C:\WINDOWS\system32\__c00E64D9.dat (file missing)
O20 - Winlogon Notify: __c00EBD2D - C:\WINDOWS\system32\__c00EBD2D.dat (file missing)
O21 - SSODL: vadokmxt - {8360D30B-CA36-44E1-B0AC-E7E714F6BA03} - C:\WINDOWS\vadokmxt.dll (file missing)
O21 - SSODL: wdpoefan - {52920808-B077-48B1-8ED5-126C0D93443B} - C:\WINDOWS\wdpoefan.dll (file missing)
O21 - SSODL: DriveWin - {15084020-74de-40d8-9cbe-0f3421337cfc} - C:\WINDOWS\Resources\DriveWin.dll (file missing)
O21 - SSODL: RunOnceWin - {893230bc-bec0-4467-8dfa-d2f218e25636} - C:\WINDOWS\Resources\RunOnceWin.dll (file missing)
O21 - SSODL: bdkpfxqw - {60F08CB1-E0B0-4CAE-883A-9AC2295404E3} - C:\WINDOWS\bdkpfxqw.dll (file missing)
O23 - Service: Microsoft DDE+ server (40d2545b) - Unknown owner - C:\WINDOWS\system32\.40d2545b\40d2545b.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9326 bytes



Uninstall List

2Wire Wireless Client
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe® Photoshop® Album Starter Edition 3.2
AOLIcon
Apple Software Update
Brother HL-2070N
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support Center
DellSupport
EarthLink setup files
Get High Speed Internet!
Google Toolbar for Internet Explorer
GPS Image Tracker
HijackThis 2.0.2
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
MyWay Search Assistant
NetZeroInstallers
Picture Package Music Transfer
PowerDVD 5.5
QuickTime
Reader Rabbit's Reading Ages 6-9
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Picture Utility
Sony USB Driver
Spyware Doctor 5.5
Star Words Reading Practice
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
WebCyberCoach 3.2 Dell
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB893086
Yahoo! Toolbar

#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

You may uninstall MyWay via the Add/Remove Programs panel.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DVA Gate - {5BFC1E05-8287-420E-8526-F6D76E1FEBB8} - C:\WINDOWS\gndarmblsnv.dll (file missing)
O2 - BHO: DVA Gate - {AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3} - C:\WINDOWS\qnmargolewk.dll (file missing)
O3 - Toolbar: dpevflbg - {CE66268D-0208-4D9E-8BC7-12D91072A34D} - C:\WINDOWS\dpevflbg.dll (file missing)
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe
O4 - HKLM\..\Run: [BM43e16768] Rundll32.exe "C:\WINDOWS\system32\gwkjytds.dll",s
O4 - HKCU\..\Run: [A00F4565646.exe] C:\DOCUME~1\Jeff.AMY\LOCALS~1\Temp\_A00F4565646.exe
O4 - HKCU\..\Run: [hpobpthu] C:\WINDOWS\system32\slmnobaf.exe
O4 - HKLM\..\Policies\Explorer\Run: [dwDDoyhevo] C:\Documents and Settings\All Users\Application Data\tslgpivg\fejspkxg.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O20 - Winlogon Notify: caeuocun - C:\WINDOWS\SYSTEM32\caeuocun.dll
O20 - Winlogon Notify: qoMggDvv - qoMggDvv.dll (file missing)
O20 - Winlogon Notify: urqonli - urqonli.dll (file missing)
O20 - Winlogon Notify: __c001A0A9 - C:\WINDOWS\system32\__c001A0A9.dat (file missing)
O20 - Winlogon Notify: __c0036B6E - C:\WINDOWS\system32\__c0036B6E.dat (file missing)
O20 - Winlogon Notify: __c003BE07 - C:\WINDOWS\system32\__c003BE07.dat (file missing)
O20 - Winlogon Notify: __c0081A90 - C:\WINDOWS\system32\__c0081A90.dat (file missing)
O20 - Winlogon Notify: __c008700C - C:\WINDOWS\system32\__c008700C.dat (file missing)
O20 - Winlogon Notify: __c00B4A2C - C:\WINDOWS\system32\__c00B4A2C.dat (file missing)
O20 - Winlogon Notify: __c00CDE30 - C:\WINDOWS\system32\__c00CDE30.dat (file missing)
O20 - Winlogon Notify: __c00D2AFA - C:\WINDOWS\system32\__c00D2AFA.dat (file missing)
O20 - Winlogon Notify: __c00DA7A9 - C:\WINDOWS\system32\__c00DA7A9.dat (file missing)
O20 - Winlogon Notify: __c00E64D9 - C:\WINDOWS\system32\__c00E64D9.dat (file missing)
O20 - Winlogon Notify: __c00EBD2D - C:\WINDOWS\system32\__c00EBD2D.dat (file missing)
O21 - SSODL: vadokmxt - {8360D30B-CA36-44E1-B0AC-E7E714F6BA03} - C:\WINDOWS\vadokmxt.dll (file missing)
O21 - SSODL: wdpoefan - {52920808-B077-48B1-8ED5-126C0D93443B} - C:\WINDOWS\wdpoefan.dll (file missing)
O21 - SSODL: DriveWin - {15084020-74de-40d8-9cbe-0f3421337cfc} - C:\WINDOWS\Resources\DriveWin.dll (file missing)
O21 - SSODL: RunOnceWin - {893230bc-bec0-4467-8dfa-d2f218e25636} - C:\WINDOWS\Resources\RunOnceWin.dll (file missing)
O21 - SSODL: bdkpfxqw - {60F08CB1-E0B0-4CAE-883A-9AC2295404E3} - C:\WINDOWS\bdkpfxqw.dll (file missing)
O23 - Service: Microsoft DDE+ server (40d2545b) - Unknown owner - C:\WINDOWS\system32\.40d2545b\40d2545b.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop 40d2545b
sc delete 40d2545b
sc stop Schedule
sc delete Schedule
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\MyWaySA\
C:\WINDOWS\system32\gwkjytds.dll
C:\WINDOWS\system32\slmnobaf.exe
C:\Documents and Settings\All Users\Application Data\tslgpivg\
C:\Documents and Settings\LocalService\cftmon.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\SYSTEM32\caeuocun.dll


Don't worry if any of the above are giving you problems deleting them. Just take down which ones you can't delete and post back saying that (do the below scan also so there is no delay).

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
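The fix list in the reply above was picked by eye from the HijackThis log. The following is an added example, not part of the original thread and not HijackThis's own logic, showing how the same kind of first-pass triage can be scripted. The rule names, the 0.88 similarity threshold and the short list of Windows binary names are assumptions made for illustration; the sample lines are copied from the log in post #1.

```python
import re
from difflib import SequenceMatcher

# Windows binaries that appear under "Running processes" in the log above.
# Assumption: this short list stands in for a fuller known-good inventory.
SYSTEM_NAMES = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe")
LOOKALIKE_THRESHOLD = 0.88  # assumed cut-off for "nearly the same name"

# "O4 - ...", "R3 - ...", "O23 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path in the body that ends in a binary-like extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|dat|sys)\b', re.I)

# Lines copied from the HijackThis log in post #1 (a subset, for the demo).
SAMPLE_LOG = r"""
O2 - BHO: DVA Gate - {5BFC1E05-8287-420E-8526-F6D76E1FEBB8} - C:\WINDOWS\gndarmblsnv.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe
O4 - HKCU\..\Run: [A00F4565646.exe] C:\DOCUME~1\Jeff.AMY\LOCALS~1\Temp\_A00F4565646.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [dwDDoyhevo] C:\Documents and Settings\All Users\Application Data\tslgpivg\fejspkxg.exe
O20 - Winlogon Notify: caeuocun - C:\WINDOWS\SYSTEM32\caeuocun.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def lookalike_of(filename):
    """Return the system binary this file name imitates, or None."""
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None  # exact name: not a lookalike (location is a separate check)
    best = max(SYSTEM_NAMES,
               key=lambda s: SequenceMatcher(None, name, s).ratio())
    if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_THRESHOLD:
        return best
    return None


def triage(log_text):
    """Return [(code, path, [reasons])] for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.group("code"), m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else ""
        reasons = []
        # Registration still present although the target file is gone.
        if "(file missing)" in body:
            reasons.append("file-missing")
        # File name one or two characters away from a Windows binary.
        if path:
            imitated = lookalike_of(path.rsplit("\\", 1)[-1])
            if imitated:
                reasons.append("lookalike-of:" + imitated)
        # Autostart entry launching a program out of a Temp directory.
        if code == "O4" and "\\temp\\" in path.lower():
            reasons.append("temp-autostart")
        # Autostart placed under the Policies\Explorer\Run key.
        if code == "O4" and "\\Policies\\Explorer\\Run:" in body:
            reasons.append("policies-run")
        # Winlogon Notify DLLs are loaded into winlogon.exe at logon.
        if code == "O20":
            reasons.append("winlogon-notify")
        if reasons:
            findings.append((code, path, reasons))
    return findings


if __name__ == "__main__":
    for code, path, reasons in triage(SAMPLE_LOG):
        print(f"{code:4} {', '.join(reasons):28} {path}")
```

The flags are prompts for review, not verdicts: run over the full log, the "(file missing)" rule also marks the two Symantec ccSvcHst.exe services, which are not in the fix list above.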

#3
NottaTechGuy

    New Member

  • Topic Starter
  • Member
  • 2 posts
Yahoo, I think this worked!

The system crashed after the first "Fix Checked" run of HijackThis. After restart, I began from scratch. The second scan of HijackThis turned up two duplicate items, the ones with "cftmon.exe" and "caeuocun.dll". I ended up going through a few runs of HijackThis and rebooting. Checking either of the two items crashed the system.

So I skipped to the delete.bat section, which ran without a hitch.

Manually deleted these files/folders:
C:\Program Files\MyWaySA\
C:\Documents and Settings\All Users\Application Data\tslgpivg\
(The other files didn't exist. FYI, searching hidden files/folders is not on by default in Windows, so I had to enable it.)

Trying to delete C:\WINDOWS\SYSTEM32\caeuocun.dll didn't work, as the file was in use. I know you didn't give specific instructions to do this, but I went ahead and booted from my UBCD4WIN disk and deleted the file that way. After rebooting Windows from the hard disk, the faux Windows Security Center was finally gone!

Started over. HijackThis finally ran with no duplicates (log below). Ran Combofix. Had to run twice, as Spyware Doctor caused it to crash the first time (so I disabled it).

I think the system is good now, but here is the Combofix log and HijackThis log. FYI, I saved a copy of the caeuocon.dll file, just because I was curious. Opened it in Notepad. Most of it was encrypted, but a large part was in some easy to read markup language. The text of all the false popups was there - nailed it!

ComboFix 08-05-12.1 - Jeff 2008-05-14 13:30:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff.AMY\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\smp.bat
C:\WINDOWS\pskt.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\amqraojj.ini
C:\WINDOWS\system32\ENnUDcfe.ini
C:\WINDOWS\system32\ENnUDcfe.ini2
C:\WINDOWS\system32\fgqosqnc.ini
C:\WINDOWS\system32\hPrsAyxx.ini
C:\WINDOWS\system32\hPrsAyxx.ini2
C:\WINDOWS\system32\IkTuwGgh.ini
C:\WINDOWS\system32\IkTuwGgh.ini2
C:\WINDOWS\system32\jmppAcfe.ini
C:\WINDOWS\system32\jmppAcfe.ini2
C:\WINDOWS\system32\LTsuDfhk.ini
C:\WINDOWS\system32\LTsuDfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qtvwa.ini2
C:\WINDOWS\system32\stBaJRqr.ini
C:\WINDOWS\system32\stBaJRqr.ini2
C:\WINDOWS\system32\uBKloXyb.ini
C:\WINDOWS\system32\uBKloXyb.ini2
C:\WINDOWS\system32\xgucbewq.ini
C:\WINDOWS\system32\XyHQBJlm.ini
C:\WINDOWS\system32\XyHQBJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-12 12:35 . 2008-05-12 12:56 2,634 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-12 12:20 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 12:20 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 12:20 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-12 12:20 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-12 12:20 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-12 12:20 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-12 12:20 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 12:20 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-08 11:46 . 2008-05-08 11:47 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-07 11:11 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-07 11:11 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-05-07 11:11 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-07 11:11 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-07 11:10 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-07 11:10 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-05-01 08:44 . 2008-05-01 08:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 10:46 . 2008-04-30 11:12 6,914,048 --a------ C:\avg_free_stf_en_8_100a1295.exe
2008-04-30 10:09 . 2008-03-31 16:24 6,342,680 --a------ C:\SUPERAntiSpyware.exe
2008-04-30 10:05 . 2008-05-07 11:10 109,734 --a------ C:\WINDOWS\BM43e16768.xml
2008-04-30 09:56 . 2008-05-01 08:44 <DIR> d-------- C:\WINDOWS\LMI1.tmp
2008-04-23 14:09 . 2008-05-08 10:59 <DIR> d-------- C:\WINDOWS\system32\382077
2008-04-23 13:47 . 2008-05-01 08:44 <DIR> d-------- C:\Documents and Settings\Jeff.AMY\Application Data\TmpRecentIcons
2008-04-23 08:09 . 2008-05-08 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tqdevmvm
2008-04-22 09:08 . 2008-04-25 12:43 <DIR> d--h----- C:\WINDOWS\system32\.40d2545b
2008-04-22 00:45 . 2008-05-08 10:59 <DIR> d-------- C:\WINDOWS\system32\Client
2008-04-20 12:18 . 2008-05-08 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wdkvctcv
2008-04-20 12:18 . 2008-04-20 12:18 131,072 --a------ C:\WINDOWS\system32\mntset.dll
2008-04-19 13:28 . 2008-05-14 13:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-19 13:27 . 2008-04-25 13:13 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-19 13:27 . 2008-04-19 13:27 <DIR> d-------- C:\Documents and Settings\Jeff.AMY\Application Data\PC Tools
2008-04-19 13:27 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-19 13:27 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-19 13:27 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-19 13:27 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-19 10:45 . 2008-04-19 10:45 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-17 22:03 . 2008-04-17 22:03 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-17 21:37 . 2008-04-17 21:37 <DIR> d-------- C:\Documents and Settings\Jeff~AMY\LOCALS~1
2008-04-17 21:37 . 2008-04-17 21:37 <DIR> d-------- C:\Documents and Settings\Jeff~AMY

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 15:44 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-01 15:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-25 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-18 05:04 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-18 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-18 05:01 --------- d-----w C:\Documents and Settings\Jeff.AMY\Application Data\ICAClient
2008-04-18 04:58 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-18 04:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 04:44 --------- d-----w C:\Program Files\THQ
2008-04-18 04:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-07-31 01:43 62,984 ----a-w C:\Program Files\setuplog.txt
2007-07-31 01:43 56,332 ----a-w C:\Program Files\uninstal.log
2008-02-13 20:26 56 --sh--r C:\WINDOWS\system32\020EB588CD.sys
2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
2008-02-13 20:26 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 20:37 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42 1404928]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]

C:\Documents and Settings\Jeff.AMY\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-09 12:03:35 229376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2005-08-20 05:45:03 917611]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caeuocun]
caeuocun.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\40d2545b]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2004-10-04 12:12]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= basepgq32.dll

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 13:28:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-14 19:43:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-23 18:23:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 13:33:51
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basepgq32.dll
.
Completion time: 2008-05-14 13:36:15
ComboFix-quarantined-files.txt 2008-05-14 20:35:58

Pre-Run: 23,568,195,584 bytes free
Post-Run: 23,556,083,712 bytes free

172 --- E O F --- 2008-05-07 18:20:36






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:15 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeff.AMY\Desktop\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsu...Fix/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: caeuocun - caeuocun.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5878 bytes
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and update.

- Download the latest version of Java Runtime Environment (get JDK) from http://java.sun.com/...loads/index.jsp and save it to your desktop.
- Just click on the Download button to the right.
- Read the License Agreement and then check the box that says Accept License Agreement. The page will refresh.
- Click on the link to download Windows Offline Installation and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start->Settings->Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Click (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove all the older Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the Java installer file you downloaded earlier to install the newest version.

- After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button.
- There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and Applets
- Trace and Log Files
- Click OK on Delete Temporary Files window
Note: This deletes ALL the Downloaded Java Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

http://www.geekstogo...er-t198062.html
KILLALL::
Collect::
C:\WINDOWS\system32\basepgq32.dll
Driver::
40d2545b
File::
C:\WINDOWS\BM43e16768.xml
C:\WINDOWS\system32\mntset.dll
C:\WINDOWS\msoffice.ini
C:\WINDOWS\system32\basepgq32.dll
Folder::
C:\WINDOWS\LMI1.tmp
C:\WINDOWS\system32\382077
C:\Documents and Settings\Jeff.AMY\Application Data\TmpRecentIcons
C:\Documents and Settings\All Users\Application Data\tqdevmvm
C:\WINDOWS\system32\.40d2545b
C:\Documents and Settings\All Users\Application Data\wdkvctcv
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caeuocun]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\40d2545b]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,63,73,72,73,73,2e,65,78,65,20,4f,62,6a,65,63,74,44,69,72,65,63,74,6f,\
72,79,3d,5c,57,69,6e,64,6f,77,73,20,53,68,61,72,65,64,53,65,63,74,69,6f,6e,\
3d,31,30,32,34,2c,33,30,37,32,2c,35,31,32,20,57,69,6e,64,6f,77,73,3d,4f,6e,\
20,53,75,62,53,79,73,74,65,6d,54,79,70,65,3d,57,69,6e,64,6f,77,73,20,53,65,\
72,76,65,72,44,6c,6c,3d,62,61,73,65,67,73,6a,6e,75,33,32,2c,31,20,53,65,72,\
76,65,72,44,6c,6c,3d,77,69,6e,73,72,76,3a,55,73,65,72,53,65,72,76,65,72,44,\
6c,6c,49,6e,69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,33,20,53,65,72,76,65,72,\
44,6c,6c,3d,77,69,6e,73,72,76,3a,43,6f,6e,53,65,72,76,65,72,44,6c,6c,49,6e,\
69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,32,20,50,72,6f,66,69,6c,65,43,6f,6e,\
74,72,6f,6c,3d,4f,66,66,20,4d,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,\
73,3d,31,36,00

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

ComboFix will need to submit a file online. Please allow it to do so....

That should do it. Let me know how the system is running...
  • 0
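The ComboFix log in this thread shows csrss.exe loading basepgq32.dll through the Session Manager SubSystems "Windows" value, and the Registry:: section of the script above rewrites that value as hex(2) data. The following is an added example, not part of the original post or of ComboFix: it decodes such hex(2) data and lists any ServerDll names outside the expected set. The function names, the assumed Windows XP default set (basesrv, winsrv) and the sample strings are constructed for illustration.

```python
import re

# Assumption: the stock Windows XP value names only these server DLLs.
DEFAULT_SERVER_DLLS = {"basesrv", "winsrv"}

def decode_reg_hex(value):
    """Decode .reg hex(2) (REG_EXPAND_SZ) data, with '\\' continuations, to text."""
    data = value.split(":", 1)[1] if ":" in value else value
    tokens = [t for t in re.sub(r"[\\\s]", "", data).split(",") if t]
    raw = bytes(int(t, 16) for t in tokens)
    # REGEDIT4 exports are single-byte; "Version 5.00" exports are UTF-16LE.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("cp1252", errors="replace")
    return text.rstrip("\x00")

def server_dlls(command_line):
    """Return the DLL name from every ServerDll= token, in order, lowercased."""
    found = re.findall(r"ServerDll=([^:,\s]+)", command_line, re.IGNORECASE)
    return [name.lower() for name in found]

def unexpected_server_dlls(reg_value):
    """List ServerDll names in a hex(2) value that are not in the default set."""
    names = server_dlls(decode_reg_hex(reg_value))
    return sorted({n for n in names if n not in DEFAULT_SERVER_DLLS})

def to_reg_hex(text):
    """Build constructed sample input: REGEDIT4-style hex(2) data, line-wrapped."""
    parts = [f"{b:02x}" for b in text.encode("cp1252") + b"\x00"]
    lines = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    return "hex(2):" + ",\\\n".join(lines)

# Constructed samples: the stock value, and one hijacked the way the log suggests.
CLEAN = ("%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
         "SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
         "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
         "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
         "MaxRequestThreads=16")
HIJACKED = CLEAN.replace("basesrv", "basepgq32")

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, unexpected_server_dlls(to_reg_hex(text)))
```

Decoding the hex(2) data of a registry script before importing it shows exactly which DLL names the "Windows" value will reference afterwards.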

#5
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





