Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

nsmss.exe [RESOLVED]

Started by MargiRose , Sep 24 2007 10:12 AM

  • This topic is locked This topic is locked

#1
MargiRose
Posted 24 September 2007 - 10:12 AM

MargiRose

    Member

  • Member
  • PipPip
  • 52 posts
I'm not really sure where to begin so I'll give a little background. Over the past few months, I was having problems with windows popping up on me, and the system running very slowly, so I did several things....I updated my Spybot S&D, ran a scan, found and fixed several problems it found.

The popups didn't stop, so I also installed Ad-Aware/Lavasoft as well as Windows Defender....scanned/found problems/fixed. I noticed a feature on Windows Defender where you can see what programs run at startup, and what's currently running. There were several .exe files that had been recently installed, so i assumed these were the culprits. Using My Computer/Explore, I would find the file, highlight and delete. This seemed to be working for several weeks...no more popups and things were running faster. But lo and behold....my system is very slow again although nothing is popping up on me.

One of the .exe files that keeps showing as running, even though I've repeatedly deleted it, is nsmss.exe. So...I'm obviously not getting rid of things by just deleting the file.

I would appreciate help on getting rid of this file, as well as trying to figure out what else has infected my system.

Thanks!! :) :wave:
  • 0

Advertisements

#2
don77
Posted 24 September 2007 - 07:59 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hello MargiRose :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
MargiRose
Posted 25 September 2007 - 02:51 PM

MargiRose

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Thanks Don! (Can I call you Donzo? :) Hehe) Anywho, looks like alot of mumbo jumbo, but here you go:


Deckard's System Scanner v20070905.67
Run by HP_Owner on 2007-09-25 16:40:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
65: 2007-09-25 20:40:47 UTC - RP383 - Deckard's System Scanner Restore Point
64: 2007-09-24 19:53:26 UTC - RP382 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
63: 2007-09-23 19:27:39 UTC - RP381 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
62: 2007-09-22 21:07:36 UTC - RP380 - Software Distribution Service 3.0
61: 2007-09-22 15:04:52 UTC - RP379 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-06-27 17:15:58 UTC - RP319 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-25 16:42:29
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\security\msiexec.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\KBD\kbd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F0 - system.ini: Shell=Explorer.exe C:\system32\nsmss.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\system32\nsmss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\system32\nsmss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {E906D9EB-1077-48A1-8490-06BE89EDFFB8} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: (no name) - SITEguard - (no file)
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKEY_LOCAL_MACHINE\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKEY_LOCAL_MACHINE\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKEY_LOCAL_MACHINE\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...125/mcfscan.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) -
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - "c:\Program Files\Common Files\LightScribe\LSSrvc.exe"
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WINDOWS MSI Installer Application (WIN_MSIEXEC) - Unknown owner - "C:\WINDOWS\Security\msiexec.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\idsdefs\20070531.001\symidsco.sys (file missing)

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1015.29 MiB / 554.3 MiB
Pagefile Memory (total/avail): 2443.31 MiB / 2080.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1966.89 MiB

C: is Fixed (NTFS) - 225.9 GiB total, 210.8 GiB free.
D: is Fixed (FAT32) - 6.96 GiB total, 1.84 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JD-00HBB0 - 232.88 GiB - 2 partitions
\PARTITION0 - Unknown - 6.97 GiB - D:
\PARTITION1 (bootable) - Installable File System - 225.9 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\WINDOWS\\system32\\rjgbnxll.exe"="C:\\WINDOWS\\system32\\rjg"
"C:\\WINDOWS\\system32\\jrldbynu.exe"="C:\\WINDOWS\\system32\\jrl"
"C:\\system32\\nsmss.exe"="C:\\system32\\nsmss.exe:*:Enabled:Microsoft ® Windows Network Service Monitor"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP_Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GODSKIDS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP_Owner
LOGONSERVER=\\GODSKIDS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~130625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HP_Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\HP_Owner\LOCALS~1\Temp
USERDOMAIN=GODSKIDS
USERNAME=HP_Owner
USERPROFILE=C:\Documents and Settings\HP_Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HP_Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems PCI Soft Modem --> agrsmdel
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Gibraltar Pool Manual --> MsiExec.exe /I{82FD5AF0-6964-4C90-87A0-E1EB21E59A74}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Help and Support Additions --> C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 4.5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Plus 4.5.3 --> C:\Program Files\HP\Digital Imaging\{D0420D64-8D33-4374-A2B2-9225C7925CA6}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photosmart Cameras 4.0 --> C:\Program Files\HP\Digital Imaging\{4C04DF1B-6A39-4299-9DD1-1FA60000266E}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 4.0 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
HPIZplus450 --> MsiExec.exe /X{7B98685A-4E21-4A4F-A2D6-DC557042BADA}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo DiscLabel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3F058C0-A21C-452D-8D99-95B1A45F417D}\setup.exe" REMOVEALL
InterVideo WinDVD Creator --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C191BE7C-8542-4A61-973A-714EF76C5995}\setup.exe" -l0x9
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Standard --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\HP_Owner\Application Data\Move Networks\ie_bin\Uninst.exe
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\HP_Owner\Application Data\Move Networks\ie_bin\unins000.exe"
Musicnotes Player V1.22.3 --> "C:\Program Files\Musicnotes\Player\unins000.exe"
muvee autoProducer 3.5 magicMoments - HPD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B103C8A7-D1CC-4B1A-BD41-883F652E097D}\setup.exe" -l0x9
PC-Doctor for Windows --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA} /l1033
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}
Road Ready Streetwise from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6B60434A-ABE1-48FF-906B-0EA67087AB25\Uninstall.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Skype 2.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Tradewinds from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F5215F01-DFC0-475D-A910-6F1AF94E807E\Uninstall.exe"
Updates from HP --> C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 309731
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT


-- Application Event Log -------------------------------------------------------

Event Record #/Type30265 / Success
Event Submitted/Written: 09/25/2007 04:32:31 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type30254 / Warning
Event Submitted/Written: 09/24/2007 09:48:55 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type30244 / Warning
Event Submitted/Written: 09/24/2007 07:55:06 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type30235 / Success
Event Submitted/Written: 09/24/2007 05:35:07 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type30233 / Error
Event Submitted/Written: 09/24/2007 03:56:19 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type85033 / Warning
Event Submitted/Written: 09/25/2007 04:42:45 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%GODSKIDS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GODSKIDS27 can't undo changes that you allow.

For more information please see the following:
%GODSKIDS275

Scan ID: {9B59FF4F-28F2-4ACA-A9DA-17C9741681CC}

User: GODSKIDS\HP_Owner

Name: %GODSKIDS271

ID: %GODSKIDS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GODSKIDS276

Alert Type: %GODSKIDS278

Detection Type: 1.1.1593.02

Event Record #/Type85032 / Warning
Event Submitted/Written: 09/25/2007 04:42:45 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%GODSKIDS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GODSKIDS27 can't undo changes that you allow.

For more information please see the following:
%GODSKIDS275

Scan ID: {5C565ADC-2E0F-4CE0-8CF0-69BFB58A4F62}

User: GODSKIDS\HP_Owner

Name: %GODSKIDS271

ID: %GODSKIDS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GODSKIDS276

Alert Type: %GODSKIDS278

Detection Type: 1.1.1593.02

Event Record #/Type85031 / Warning
Event Submitted/Written: 09/25/2007 04:42:45 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%GODSKIDS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GODSKIDS27 can't undo changes that you allow.

For more information please see the following:
%GODSKIDS275

Scan ID: {7F911838-CA29-4DAD-81B6-A594AB0C3093}

User: GODSKIDS\HP_Owner

Name: %GODSKIDS271

ID: %GODSKIDS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GODSKIDS276

Alert Type: %GODSKIDS278

Detection Type: 1.1.1593.02

Event Record #/Type85030 / Warning
Event Submitted/Written: 09/25/2007 04:42:45 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%GODSKIDS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GODSKIDS27 can't undo changes that you allow.

For more information please see the following:
%GODSKIDS275

Scan ID: {016BE209-C410-407D-9D7C-E556BAED8300}

User: GODSKIDS\HP_Owner

Name: %GODSKIDS271

ID: %GODSKIDS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GODSKIDS276

Alert Type: %GODSKIDS278

Detection Type: 1.1.1593.02

Event Record #/Type85029 / Warning
Event Submitted/Written: 09/25/2007 04:42:42 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%GODSKIDS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GODSKIDS27 can't undo changes that you allow.

For more information please see the following:
%GODSKIDS275

Scan ID: {4C0E7CDD-2DAF-4211-BB96-04972FDFF53D}

User: GODSKIDS\HP_Owner

Name: %GODSKIDS271

ID: %GODSKIDS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GODSKIDS276

Alert Type: %GODSKIDS278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2007-09-25 16:44:47 ------------
  • 0

#4
MargiRose
Posted 26 September 2007 - 04:11 AM

MargiRose

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
One other quick thing...not sure if this matters, but....my system was running so painfully slow on Monday that I once again found and deleted the nsmss.exe file in question. So now, whenever I turn the computer on, I get the message below. I guess it's trying to run the file even though I deleted the application?

Attached Thumbnails

  • error_msg2.JPG

Edited by MargiRose, 26 September 2007 - 04:13 AM.

  • 0

#5
don77
Posted 26 September 2007 - 08:45 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
You can call me anything you like :)

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.exe and choose Run,
  • Navigate to the folder SDFix located in C: open the folder click on the RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

  • 0

#6
MargiRose
Posted 27 September 2007 - 04:22 AM

MargiRose

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Donzo it is then. :)

THANK YOU!


SDFix: Version 1.107

Run by HP_Owner on Thu 09/27/2007 at 06:08 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\aol.exe - Deleted
C:\aol-updates.exe - Deleted
C:\aolsoftware.exe - Deleted
C:\WINDOWS\system32\r.exe - Deleted


Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\WINDOWS\\system32\\rjgbnxll.exe"="C:\\WINDOWS\\system32\\rjg"
"C:\\WINDOWS\\system32\\jrldbynu.exe"="C:\\WINDOWS\\system32\\jrl"
"C:\\system32\\nsmss.exe"="C:\\system32\\nsmss.exe:*:Enabled:Microsoft ® Windows Network Service Monitor"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 28 Sep 2005 213 A.SHR --- "C:\BOOT.BAK"
Wed 6 Jun 2007 89,600 ..SHR --- "C:\WINDOWS\security\msiexec.exe"
Tue 18 Sep 2007 51,200 ..SHR --- "C:\WINDOWS\system32\wkssvc.exe"
Fri 10 Aug 2007 1,739,391 ..SH. --- "C:\WINDOWS\system32\ybadd.tmp"
Sat 11 Aug 2007 1,696,002 ..SH. --- "C:\WINDOWS\system32\ybadd.bak2"
Sun 2 Apr 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 13 Sep 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 13 Sep 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"

Finished!
  • 0

#7
don77
Posted 27 September 2007 - 06:17 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts

Donzo it is then.

:)

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#8
MargiRose
Posted 28 September 2007 - 05:36 AM

MargiRose

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Donzo.....I'm not quite sure what you mean by posting this long AND a HiJackhis log. Here's the log that popped up:


ComboFix 07-09-21.2 - "HP_Owner" 2007-09-28 7:25:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.400 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\jrldbynu.exe
C:\WINDOWS\system32\ripiyrxc.exe
C:\WINDOWS\system32\rjgbnxll.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\Y1
C:\WINDOWS\system32\Y2
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-28 07:29 104,448 --a------ C:\WINDOWS\system32\sxy.exe
2007-09-28 07:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 07:18 104,448 --a------ C:\WINDOWS\system32\nyfoxfduojj.exe
2007-09-27 06:12 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-09-27 06:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-25 16:40 <DIR> d-------- C:\Deckard
2007-09-24 16:16 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-23 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-09-21 18:08 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-09-19 06:02 91,136 --a------ C:\WINDOWS\bootini.exe
2007-09-18 19:51 51,200 -r-hs---- C:\WINDOWS\system32\wkssvc.exe
2007-09-17 07:37 <DIR> d--h----- C:\system32
2007-09-16 20:22 49,411 --a------ C:\prx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 07:29 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2007-09-22 19:41 --------- d--h----- C:\DOCUME~1\HP_Owner\APPLIC~1\Move Networks
2007-09-14 08:07 --------- d-------- C:\Program Files\McAfee
2007-08-23 20:08 --------- d-------- C:\Program Files\Windows Live Safety Center
2007-08-14 20:45 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-12 18:59 103424 --a------ C:\updates9453.exe
2007-08-11 20:40 1694590 ---hs---- C:\WINDOWS\system32\ybadd.ini2
2007-08-11 20:37 --------- d-------- C:\Program Files\Windows Defender
2007-08-11 20:10 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 20:10 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-11 14:46 103424 --a------ C:\aolupdates.exe
2007-08-11 09:56 --------- d-------- C:\Program Files\Lavasoft
2007-08-11 09:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 09:54 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 08:57 1696002 ---hs---- C:\WINDOWS\system32\ybadd.bak2
2007-08-07 20:09 87040 --a------ C:\WINDOWS\system32\ssidd.exe
2007-08-06 15:43 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\McAfee
2007-08-06 15:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-30 19:27 --------- d-------- C:\Program Files\Common Files\McAfee
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-28 19:39 --------- d-------- C:\Program Files\QuickTime
2007-07-28 19:38 --------- d-------- C:\Program Files\Apple Software Update
2007-07-28 19:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-28 17:03 214016 --a------ C:\WINDOWS\system32\zxcugzp.exe
2007-07-25 21:22 164864 --a------ C:\aolx.exe
2007-07-19 02:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSTEXT.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSS___.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSROMC.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSPC__.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSP___.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSM___.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSJAPC.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSFBE_.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSFB__.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUSC___.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\OPUS____.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\INKPEN2_.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\INK2TEXT.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\INK2SPEC.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\INK2SCRI.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\INK2METR.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\INK2CHOR.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\HELST___.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\HELSS___.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\HELSM___.FOT
2007-07-13 19:09 1409 --a------ C:\WINDOWS\Fonts.\HELSINKI.FOT
2007-07-13 18:59 115712 --a------ C:\WINDOWS\system32\akkbgonzvm.exe
2007-07-12 19:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-10 19:17 78848 --a------ C:\WINDOWS\system32\kstvs.exe
2007-07-09 07:08 103424 --a------ C:\WINDOWS\system32\nwjenftpncfq.exe
2007-06-29 19:55 119808 --a------ C:\WINDOWS\system32\rl.exe
C:\WINDOWS\spool.exe
2007-06-06 23:48:33 89,600 --sh--r C:\WINDOWS\security\msiexec.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E906D9EB-1077-48A1-8490-06BE89EDFFB8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2005-03-05 12:29]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 05:04]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 20:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 04:59]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 06:06 C:\WINDOWS\AGRSMMSG.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 08:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-05 12:50]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 09:43]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 10:17]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 10:01 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 12:17 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 10:54]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 15:32]
"LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [2005-12-07 10:26]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [2005-12-07 10:33]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"nyfoxfduojj"="C:\WINDOWS\system32\nyfoxfduojj.exe" [2007-09-28 07:18]
"sxy"="C:\WINDOWS\system32\sxy.exe" [2007-09-28 07:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-11 18:03]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"nyfoxfduojj"=C:\WINDOWS\system32\nyfoxfduojj.exe
"sxy"=C:\WINDOWS\system32\sxy.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 23:28:24]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-03-11 18:03:04]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2007-01-25 14:44:25]

C:\DOCUME~1\HP_Owner\STARTM~1\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 13:23:00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 WIN_MSIEXEC;WINDOWS MSI Installer Application;"C:\WINDOWS\Security\msiexec.exe"
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
S2 cupui4yynpaareir;Print Spooler Service;C:\WINDOWS\system32\sxy.exe /service
S2 nsmss;Windows Network Service Monitor;C:\system32\nsmss.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 13:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-06-08 21:02:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-06-08 21:02:57 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-09-28 11:12:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-28 11:30:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 07:29:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-28 7:31:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-28 07:31
.
--- E O F ---
  • 0

#9
don77
Posted 28 September 2007 - 06:54 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
I need a fresh HJT log please we still have some cleaning left to do
  • 0

#10
MargiRose
Posted 29 September 2007 - 06:40 PM

MargiRose

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Donzo....I guess you didn't see the question at the beginning of my last post. I'm not sure what a HJT log is. Should I have run DSS again? If so, here's the log:

Thanks! :)

Deckard's System Scanner v20070905.67
Run by HP_Owner on 2007-09-29 20:35:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:32 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bycs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Security\msiexec.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Logitech\Video\VideoEffectsWatcher.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E906D9EB-1077-48A1-8490-06BE89EDFFB8} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nyfoxfduojj] C:\WINDOWS\system32\nyfoxfduojj.exe
O4 - HKLM\..\Run: [sxy] C:\WINDOWS\system32\sxy.exe
O4 - HKLM\..\Run: [bycs] C:\WINDOWS\system32\bycs.exe
O4 - HKLM\..\RunServices: [nyfoxfduojj] C:\WINDOWS\system32\nyfoxfduojj.exe
O4 - HKLM\..\RunServices: [sxy] C:\WINDOWS\system32\sxy.exe
O4 - HKLM\..\RunServices: [bycs] C:\WINDOWS\system32\bycs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...125/mcfscan.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) -
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Print Spooler Service (cupui4yynpaareir) - Unknown owner - C:\WINDOWS\system32\qm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WINDOWS MSI Installer Application (WIN_MSIEXEC) - Unknown owner - C:\WINDOWS\Security\msiexec.exe

--
End of file - 11445 bytes

-- Files created between 2007-08-29 and 2007-09-29 -----------------------------

2007-09-29 20:36:20 0 d-------- C:\Program Files\Trend Micro
2007-09-29 20:21:07 104448 --a------ C:\WINDOWS\system32\qm.exe
2007-09-28 08:44:16 104448 --a------ C:\WINDOWS\system32\bycs.exe
2007-09-28 07:29:56 104448 --a------ C:\WINDOWS\system32\sxy.exe
2007-09-28 07:18:30 104448 --a------ C:\WINDOWS\system32\nyfoxfduojj.exe
2007-09-27 06:12:53 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-09-27 06:06:56 0 d-------- C:\WINDOWS\ERUNT
2007-09-24 16:16:38 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-09-23 15:29:13 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-09-21 18:08:26 0 d-------- C:\WINDOWS\McAfee.com
2007-09-19 06:02:47 91136 --a------ C:\WINDOWS\bootini.exe
2007-09-18 19:51:15 51200 -r-hs---- C:\WINDOWS\system32\wkssvc.exe
2007-09-17 07:37:38 0 d--h----- C:\system32
2007-09-16 20:22:22 49411 --a------ C:\prx.exe


-- Find3M Report ---------------------------------------------------------------

2007-09-27 18:56:36 22122 --a------ C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-09-24 15:53:37 0 d-------- C:\Program Files\Common Files
2007-09-22 19:41:46 0 d--h----- C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-14 08:07:59 0 d-------- C:\Program Files\McAfee
2007-08-23 20:08:22 0 d-------- C:\Program Files\Windows Live Safety Center
2007-08-14 20:45:09 0 d-------- C:\Program Files\MSXML 4.0
2007-08-12 18:59:08 103424 --a------ C:\updates9453.exe
2007-08-11 20:40:18 1694590 ---hs---- C:\WINDOWS\system32\ybadd.ini2
2007-08-11 20:37:43 0 d-------- C:\Program Files\Windows Defender
2007-08-11 14:46:03 103424 --a------ C:\aolupdates.exe
2007-08-11 09:56:04 0 d-------- C:\Program Files\Lavasoft
2007-08-11 09:54:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 08:57:19 1696002 ---hs---- C:\WINDOWS\system32\ybadd.bak2
2007-08-07 20:09:24 87040 --a------ C:\WINDOWS\system32\ssidd.exe
2007-08-06 15:43:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\McAfee
2007-07-30 19:27:06 0 d-------- C:\Program Files\Common Files\McAfee
2007-07-28 17:03:35 214016 --a------ C:\WINDOWS\system32\zxcugzp.exe
2007-07-25 21:22:29 164864 --a------ C:\aolx.exe
2007-07-13 18:59:46 115712 --a------ C:\WINDOWS\system32\akkbgonzvm.exe
2007-07-10 19:17:05 78848 --a------ C:\WINDOWS\system32\kstvs.exe
2007-07-09 07:08:10 103424 --a------ C:\WINDOWS\system32\nwjenftpncfq.exe
2007-06-29 19:55:57 119808 --a------ C:\WINDOWS\system32\rl.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E906D9EB-1077-48A1-8490-06BE89EDFFB8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [03/05/2005 12:29 PM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 05:04 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 08:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/02/2004 04:59 AM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 06:06 AM C:\WINDOWS\AGRSMMSG.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 08:02 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/05/2005 12:50 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 09:43 AM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/25/2004 10:17 AM]
"SoundMan"="SOUNDMAN.EXE" [10/13/2004 10:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [10/13/2004 12:17 PM C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 10:54 AM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [12/09/2005 03:32 PM]
"LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [12/07/2005 10:26 AM]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [12/07/2005 10:33 AM]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [11/01/2004 05:22 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/04/2007 02:33 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"nyfoxfduojj"="C:\WINDOWS\system32\nyfoxfduojj.exe" [09/28/2007 07:18 AM]
"sxy"="C:\WINDOWS\system32\sxy.exe" [09/28/2007 07:29 AM]
"bycs"="C:\WINDOWS\system32\bycs.exe" [09/28/2007 08:44 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [03/11/2007 06:03 PM]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"nyfoxfduojj"=C:\WINDOWS\system32\nyfoxfduojj.exe
"sxy"=C:\WINDOWS\system32\sxy.exe
"bycs"=C:\WINDOWS\system32\bycs.exe

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [6/23/2004 1:23:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 11:28:24 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [3/11/2007 6:03:04 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [1/25/2007 2:44:25 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe




-- End of Deckard's System Scanner: finished at 2007-09-29 20:37:26 ------------
  • 0

Advertisements

#11
don77
Posted 29 September 2007 - 07:08 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts

Hello again MargiRose

the forum is acting up so I will need to wrap the instructions in a quote :)

HJT is hijackthis,

Please print out or copy these instructions to notepad save them some place handy like your desktop so you have them handy

First

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. It can be enabled when your clean.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Next
Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

sc stop Print Spooler Service
sc stop Windows Network Service Monitor
sc delete Print Spooler Service
sc delete Windows Network Service Monitor

exit

Double click FixServices.bat. A window will open and close. This is normal.





Next
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [nyfoxfduojj] C:\WINDOWS\system32\nyfoxfduojj.exe
O4 - HKLM\..\Run: [sxy] C:\WINDOWS\system32\sxy.exe
O4 - HKLM\..\Run: [bycs] C:\WINDOWS\system32\bycs.exe
O4 - HKLM\..\RunServices: [nyfoxfduojj] C:\WINDOWS\system32\nyfoxfduojj.exe
O4 - HKLM\..\RunServices: [sxy] C:\WINDOWS\system32\sxy.exe
O4 - HKLM\..\RunServices: [bycs] C:\WINDOWS\system32\bycs.exe
O23 - Service: Print Spooler Service (cupui4yynpaareir) - Unknown owner - C:\WINDOWS\system32\qm.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)


Close out HJT

Next
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\nyfoxfduojj.exe
    C:\WINDOWS\system32\sxy.exe
    C:\WINDOWS\system32\bycs.exe
    C:\WINDOWS\system32\qm.exe
    C:\system32\nsmss.exe
    C:\WINDOWS\bootini.exe
    C:\prx.exe
    C:\updates9453.exe
    C:\WINDOWS\system32\ybadd.ini2
    C:\aolupdates.exe
    C:\WINDOWS\system32\ybadd.bak2
    C:\WINDOWS\system32\ssidd.exe
    C:\WINDOWS\system32\zxcugzp.exe
    C:\aolx.exe
    C:\WINDOWS\system32\akkbgonzvm.exe
    C:\WINDOWS\system32\kstvs.exe
    C:\WINDOWS\system32\nwjenftpncfq.exe
    C:\WINDOWS\system32\rl.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



Post back a fresh DS log for me when done please


  • 0

#12
MargiRose
Posted 30 September 2007 - 01:39 PM

MargiRose

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Thanks for sticking with me on this Donzo! :wave: Hopefully I've done everything right. :) Here are the rsults from OTMoveIt:

C:\WINDOWS\system32\nyfoxfduojj.exe moved successfully.
C:\WINDOWS\system32\sxy.exe moved successfully.
C:\WINDOWS\system32\bycs.exe moved successfully.
C:\WINDOWS\system32\qm.exe moved successfully.
File/Folder C:\system32\nsmss.exe not found.
C:\WINDOWS\bootini.exe moved successfully.
C:\prx.exe moved successfully.
C:\updates9453.exe moved successfully.
C:\WINDOWS\system32\ybadd.ini2 moved successfully.
C:\aolupdates.exe moved successfully.
C:\WINDOWS\system32\ybadd.bak2 moved successfully.
C:\WINDOWS\system32\ssidd.exe moved successfully.
C:\WINDOWS\system32\zxcugzp.exe moved successfully.
C:\aolx.exe moved successfully.
C:\WINDOWS\system32\akkbgonzvm.exe moved successfully.
C:\WINDOWS\system32\kstvs.exe moved successfully.
C:\WINDOWS\system32\nwjenftpncfq.exe moved successfully.
C:\WINDOWS\system32\rl.exe moved successfully.

Created on 09/30/2007 15:36:52



*Not sure I did this next part right....was I supposed to run dss.exe to get a fresh DS log? If so.....


Deckard's System Scanner v20070905.67
Run by HP_Owner on 2007-09-30 15:39:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:59 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Security\msiexec.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E906D9EB-1077-48A1-8490-06BE89EDFFB8} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...125/mcfscan.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) -
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Print Spooler Service (cupui4yynpaareir) - Unknown owner - C:\WINDOWS\system32\dst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WINDOWS MSI Installer Application (WIN_MSIEXEC) - Unknown owner - C:\WINDOWS\Security\msiexec.exe

--
End of file - 10910 bytes

-- Files created between 2007-08-30 and 2007-09-30 -----------------------------

2007-09-30 15:24:55 154 --a------ C:\WINDOWS\FixServices.bat <FIXSER~1.BAT>
2007-09-30 15:04:59 104448 --a------ C:\WINDOWS\system32\dst.exe
2007-09-29 20:36:20 0 d-------- C:\Program Files\Trend Micro
2007-09-27 06:12:53 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-09-27 06:06:56 0 d-------- C:\WINDOWS\ERUNT
2007-09-24 16:16:38 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-09-23 15:29:13 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-09-21 18:08:26 0 d-------- C:\WINDOWS\McAfee.com
2007-09-18 19:51:15 51200 -r-hs---- C:\WINDOWS\system32\wkssvc.exe
2007-09-17 07:37:38 0 d--h----- C:\system32


-- Find3M Report ---------------------------------------------------------------

2007-09-27 18:56:36 22122 --a------ C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-09-24 15:53:37 0 d-------- C:\Program Files\Common Files
2007-09-22 19:41:46 0 d--h----- C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-14 08:07:59 0 d-------- C:\Program Files\McAfee
2007-08-23 20:08:22 0 d-------- C:\Program Files\Windows Live Safety Center
2007-08-14 20:45:09 0 d-------- C:\Program Files\MSXML 4.0
2007-08-11 20:37:43 0 d-------- C:\Program Files\Windows Defender
2007-08-11 09:56:04 0 d-------- C:\Program Files\Lavasoft
2007-08-11 09:54:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 15:43:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\McAfee
2007-07-30 19:27:06 0 d-------- C:\Program Files\Common Files\McAfee


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E906D9EB-1077-48A1-8490-06BE89EDFFB8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [03/05/2005 12:29 PM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 05:04 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 08:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/02/2004 04:59 AM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 06:06 AM C:\WINDOWS\AGRSMMSG.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 08:02 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/05/2005 12:50 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 09:43 AM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/25/2004 10:17 AM]
"SoundMan"="SOUNDMAN.EXE" [10/13/2004 10:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [10/13/2004 12:17 PM C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 10:54 AM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [12/09/2005 03:32 PM]
"LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [12/07/2005 10:26 AM]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [12/07/2005 10:33 AM]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [11/01/2004 05:22 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/04/2007 02:33 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [03/11/2007 06:03 PM]
"Aim6"="" []

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [6/23/2004 1:23:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 11:28:24 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [3/11/2007 6:03:04 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [1/25/2007 2:44:25 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe




-- End of Deckard's System Scanner: finished at 2007-09-30 15:40:25 ------------

Edited by MargiRose, 30 September 2007 - 01:43 PM.

  • 0

#13
don77
Posted 30 September 2007 - 02:19 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
yes you did fine :)

Please disable windows defender again please

Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

sc stop Windows Network Service Monitor
sc delete Windows Network Service Monitor
exit

Double click FixServices.bat. A window will open and close. This is normal.



Next
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E906D9EB-1077-48A1-8490-06BE89EDFFB8} - (no file)
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)


Close out HJT and restart your computer

Next
Once back in normal mode

  • Please go to Jotti's malware scan
  • Copy and paste the following file path C:\WINDOWS\system32\dst.exe
    into the box on the top of the page:

  • Click on the submit button
  • Please post the results in your next reply.

Post back a fresh DSS log for me please
  • 0

#14
MargiRose
Posted 30 September 2007 - 03:42 PM

MargiRose

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Is it soup yet? :)


Scan taken on 30 Sep 2007 21:38:52 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found Heur.W32
Avast Found nothing
AVG Antivirus Found Downloader.Generic6.LCG
BitDefender Found nothing
ClamAV Found Trojan.IRCBot-1185
CPsecure Found nothing
Dr.Web Found Trojan.Spambot.2464
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found DLoader.DRKO
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Spambot.2464


Deckard's System Scanner v20070905.67
Run by HP_Owner on 2007-09-30 17:42:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:40 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\z.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Security\msiexec.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [z] C:\WINDOWS\system32\z.exe
O4 - HKLM\..\RunServices: [z] C:\WINDOWS\system32\z.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...125/mcfscan.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) -
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Print Spooler Service (cupui4yynpaareir) - Unknown owner - C:\WINDOWS\system32\nphvauvhc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WINDOWS MSI Installer Application (WIN_MSIEXEC) - Unknown owner - C:\WINDOWS\Security\msiexec.exe

--
End of file - 10901 bytes

-- Files created between 2007-08-30 and 2007-09-30 -----------------------------

2007-09-30 17:36:51 104448 --a------ C:\WINDOWS\system32\nphvauvhc.exe
2007-09-30 17:23:16 104448 --a------ C:\WINDOWS\system32\z.exe
2007-09-30 15:24:55 154 --a------ C:\WINDOWS\FixServices.bat <FIXSER~1.BAT>
2007-09-30 15:04:59 104448 --a------ C:\WINDOWS\system32\dst.exe
2007-09-29 20:36:20 0 d-------- C:\Program Files\Trend Micro
2007-09-27 06:12:53 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-09-27 06:06:56 0 d-------- C:\WINDOWS\ERUNT
2007-09-24 16:16:38 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-09-23 15:29:13 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-09-21 18:08:26 0 d-------- C:\WINDOWS\McAfee.com
2007-09-18 19:51:15 51200 -r-hs---- C:\WINDOWS\system32\wkssvc.exe
2007-09-17 07:37:38 0 d--h----- C:\system32


-- Find3M Report ---------------------------------------------------------------

2007-09-27 18:56:36 22122 --a------ C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-09-24 15:53:37 0 d-------- C:\Program Files\Common Files
2007-09-22 19:41:46 0 d--h----- C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-09-14 08:07:59 0 d-------- C:\Program Files\McAfee
2007-08-23 20:08:22 0 d-------- C:\Program Files\Windows Live Safety Center
2007-08-14 20:45:09 0 d-------- C:\Program Files\MSXML 4.0
2007-08-11 20:37:43 0 d-------- C:\Program Files\Windows Defender
2007-08-11 09:56:04 0 d-------- C:\Program Files\Lavasoft
2007-08-11 09:54:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 15:43:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\McAfee
2007-07-30 19:27:06 0 d-------- C:\Program Files\Common Files\McAfee


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [03/05/2005 12:29 PM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 05:04 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 08:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/02/2004 04:59 AM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 06:06 AM C:\WINDOWS\AGRSMMSG.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 08:02 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/05/2005 12:50 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 09:43 AM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/25/2004 10:17 AM]
"SoundMan"="SOUNDMAN.EXE" [10/13/2004 10:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [10/13/2004 12:17 PM C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 10:54 AM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [12/09/2005 03:32 PM]
"LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [12/07/2005 10:26 AM]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [12/07/2005 10:33 AM]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [11/01/2004 05:22 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/04/2007 02:33 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"z"="C:\WINDOWS\system32\z.exe" [09/30/2007 05:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [03/11/2007 06:03 PM]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"z"=C:\WINDOWS\system32\z.exe

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [6/23/2004 1:23:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 11:28:24 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [3/11/2007 6:03:04 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [1/25/2007 2:44:25 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe




-- End of Deckard's System Scanner: finished at 2007-09-30 17:43:04 ------------

Edited by MargiRose, 30 September 2007 - 03:44 PM.

  • 0

#15
don77
Posted 01 October 2007 - 07:10 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK a bit more to go

Please disable windows defender again please

Next
Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

sc stop WINDOWS MSI Installer Application
sc delete WINDOWS MSI Installer Application
exit

Double click FixServices.bat. A window will open and close. This is normal.

Next
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O4 - HKLM\..\Run: [z] C:\WINDOWS\system32\z.exe
O4 - HKLM\..\RunServices: [z] C:\WINDOWS\system32\z.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
O23 - Service: WINDOWS MSI Installer Application (WIN_MSIEXEC) - Unknown owner - C:\WINDOWS\Security\msiexec.exe


Close out HJT

Next
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\wkssvc.exe
    C:\WINDOWS\system32\dst.exe
    C:\WINDOWS\system32\dst.exe
    C:\WINDOWS\system32\nphvauvhc.exe
    C:\WINDOWS\system32\z.exe
    C:\WINDOWS\Security\msiexec.exe



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Next rescan with DSS again please and post back the fresh log
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP