Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Computer Will Not let me run HiJackThis[RESOLVED]

  • This topic is locked This topic is locked




  • Member
  • PipPipPip
  • 387 posts
I started a thread in another area and was told that I probably had a trojan or some sort of malware and was told to start one here. (here is the link to my other thread

I tried running hijackthis so I could put the log here but my computer will not let me run it. I cant even install Hijackthis on my pc. I was hopeing someone could walk me through how to do it another way. Thanks
  • 0





  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
Also everytime I restart my computer I get this pop-up message that says found new hardware and it asking me to install "Apoint.EXE" but it can't find where it wants to install it. I'm really not sure what that is.

My computer will also not let me click on anything. For example I wanted to go to the properties of my computer I click properties and nothing happens, if I click control panel it doesnt take me there nothing happens.
  • 0




  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
Also just noticed that when I firs start the machine and check my process's I have about 30 processes calles "spools.exe" running I'm thinking that is probably the problem with my computer. If anyone knows away to remove the spools thing please let me know. Thanks
  • 0



    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.

OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\


So in your next reply, please include the following logs:
  • The DSS main.txt
  • The DSS extra.txt

  • 0




  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
RatHat thanks for replying I really appreciate it. I have attached both the notepad files as you requested. Thanks again

Attached Files

  • 0



    Ex Malware Expert

  • Expert
  • 7,829 posts
For clarity, and to make it easier to research, I am posting your DSS log here:

Deckard's System Scanner v20071014.68
Run by jesse wool on 2008-04-15 12:38:47
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
52: 2008-04-15 16:38:58 UTC - RP52 - Deckard's System Scanner Restore Point
51: 2008-04-15 14:55:19 UTC - RP51 - Installed SUPERAntiSpyware Free Edition
50: 2008-04-15 13:16:26 UTC - RP50 - Installed AVG 7.5
49: 2008-04-15 08:39:15 UTC - RP49 - Installed Windows Media Player 10 KB917734_WMP10.
48: 2008-04-15 08:38:17 UTC - RP48 - Installed Windows XP KB899587.

-- First Restore Point --
1: 2008-04-14 16:26:12 UTC - RP1 - Removed AVG 7.5

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-15 12:40:57
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Rosetta Stone\SMS v3.1.0hs\wrapper.exe
C:\Documents and Settings\All Users\Application Data\wdkbqdwn\wvezedol.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\jesse wool\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R3 - Default URLSearchHook is missing
F0 - win.ini: load=C:\WINDOWS\system32\vtsqq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
F3 - REG:win.ini: Load=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {c5af49a2-94f3-42bd-f434-2604812c897d} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: (no name) - {41B15C1C-2C15-49E4-B6A4-C940F885290E} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKLM\..\Policies\Explorer\Run: [cKHI1O14Xz] C:\Documents and Settings\All Users\Application Data\wdkbqdwn\wvezedol.exe
O4 - HKLM\..\Policies\Explorer\Run: [3RDhGzmOOi] C:\Documents and Settings\All Users\Application Data\wdkbqdwn\wvezedol.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Wireless Connection Manager Update.lnk = C:\Program Files\Novatel Wireless\WirelessConnectionManager\WiseUpdt.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...5.44/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtqnkhe - C:\WINDOWS\system32\awtqnkhe.dll (file missing)
O20 - Winlogon Notify: efccbba - C:\WINDOWS\system32\efccbba.dll (file missing)
O20 - Winlogon Notify: mljhiji - C:\WINDOWS\system32\mljhiji.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: KernelPrx - {d1f822ca-1c3a-4a6d-a27b-5e6efe4fb1c9} - C:\WINDOWS\Installer\{d1f822ca-1c3a-4a6d-a27b-5e6efe4fb1c9}\KernelPrx.dll (file missing)
O21 - SSODL: VwuteM - {3CCD5AFF-9667-F055-8394-A32E67FCB051} - (no file)
O21 - SSODL: pmsoarbf - {7E911AFC-2226-4BF7-A787-90177E86C184} - (no file)
O21 - SSODL: omlbpkaw - {329ABE1D-3A7A-4BEB-8991-8C7FF852F728} - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (avg7alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (avgems) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSysInterv (mssysinterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (plugplayrpc) - Unknown owner - C:\WINDOWS\winsysxz.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SMS_v3_1_0 - Unknown owner - C:\Program Files\Rosetta Stone\SMS v3.1.0hs\wrapper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe

End of file - 12554 bytes

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 nwlnknbb - c:\windows\system32\drivers\nwlnknbb.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 sasdifsv - c:\program files\superantispyware\sasdifsv.sys
R1 saskutil - c:\program files\superantispyware\saskutil.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 SprintPort (SprintPort Serial Driver) - c:\program files\novatel wireless\sprintport\winport.sys <Not Verified; 3Com; 3Com -- winport.sys>
R3 sasenum - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
R3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
R3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth USB Miniport Driver(Windows2000,WindowsXP)>

S1 Tosrfcom - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 mssysinterv1 (MSSysInterv) - c:\windows\winself.exe service
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 plugplayrpc (Plug and Play (RPC)) - c:\windows\winsysxz.exe service
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 SMS_v3_1_0 - "c:\program files\rosetta stone\sms v3.1.0hs\wrapper.exe" -s "c:\program files\rosetta stone\sms v3.1.0hs\service\wrapper.conf"
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>

S2 ICF - c:\windows\system32\svchost.exe:exe.exe (file missing)
S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\2DA54501344FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\2DA54501344FC000
Service: NIC1394

-- Scheduled Tasks -------------------------------------------------------------

2008-03-25 19:31:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-01-26 07:59:27 352 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1161214978.job

-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-15 12:36:26 0 dr-h----- C:\Documents and Settings\jesse wool\Recent
2008-04-15 10:55:36 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-15 10:55:21 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-15 10:55:21 0 d-------- C:\Documents and Settings\jesse wool\Application Data\SUPERAntiSpyware.com
2008-04-15 09:17:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-15 08:26:34 0 d-------- C:\WINDOWS\system32\spool
2008-04-15 02:08:36 0 d-------- C:\Program Files\cjb
2008-04-14 17:07:00 0 d-------- C:\Documents and Settings\jesse wool\Application Data\TmpRecentIcons
2008-04-14 16:38:47 0 d-------- C:\WINDOWS\ServicePackFiles
2008-04-14 15:24:50 0 d-------- C:\Documents and Settings\All Users\Application Data\wdkbqdwn
2008-04-14 15:23:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-14 15:23:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-14 14:27:34 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Macromedia
2008-04-14 14:26:27 0 d---s---- C:\Documents and Settings\ADMIN\UserData
2008-04-14 14:25:53 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Adobe
2008-04-14 14:23:44 0 d--hs---- C:\Documents and Settings\ADMIN\Application Data\wsnpoem
2008-04-14 14:20:36 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Identities
2008-04-14 14:20:36 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Gtek
2008-04-14 14:20:35 0 d--h----- C:\Documents and Settings\ADMIN\Templates
2008-04-14 14:20:35 0 dr------- C:\Documents and Settings\ADMIN\Start Menu
2008-04-14 14:20:35 0 dr-h----- C:\Documents and Settings\ADMIN\SendTo
2008-04-14 14:20:35 0 dr-h----- C:\Documents and Settings\ADMIN\Recent
2008-04-14 14:20:35 0 d--h----- C:\Documents and Settings\ADMIN\PrintHood
2008-04-14 14:20:35 786432 --ah----- C:\Documents and Settings\ADMIN\NTUSER.DAT
2008-04-14 14:20:35 0 d--h----- C:\Documents and Settings\ADMIN\NetHood
2008-04-14 14:20:35 0 dr------- C:\Documents and Settings\ADMIN\My Documents
2008-04-14 14:20:35 0 d--h----- C:\Documents and Settings\ADMIN\Local Settings
2008-04-14 14:20:35 0 dr------- C:\Documents and Settings\ADMIN\Favorites
2008-04-14 14:20:35 0 dr------- C:\Documents and Settings\ADMIN\Desktop
2008-04-14 14:20:35 0 d---s---- C:\Documents and Settings\ADMIN\Cookies
2008-04-14 14:20:35 0 dr-h----- C:\Documents and Settings\ADMIN\Application Data
2008-04-14 14:20:35 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Sun
2008-04-14 14:20:35 0 d---s---- C:\Documents and Settings\ADMIN\Application Data\Microsoft
2008-04-14 14:20:35 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Jasc Software Inc
2008-04-14 14:20:35 0 d-------- C:\Documents and Settings\ADMIN\Application Data\Intel
2008-04-14 14:16:42 0 d-------- C:\WINDOWS\system32\bits
2008-04-14 13:45:08 96320 --a------ C:\WINDOWS\system32\ucifuqwh.dll
2008-04-14 12:37:23 0 d-------- C:\Program Files\??sks
2008-04-14 12:04:35 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-14 11:31:54 0 d-------- C:\Program Files\iSecurity
2008-04-14 11:31:39 346112 --a------ C:\WINDOWS\system32\ssqomnm.dll
2008-04-14 11:31:31 0 d-------- C:\Program Files\IE Extensions
2008-04-14 11:30:30 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 11:30:11 0 d-------- C:\WINDOWS\system32\403445
2008-04-14 11:29:55 2 --a------ C:\1020091134
2008-04-14 11:29:51 55218 --a------ C:\WINDOWS\qaszpurn.sys
2008-04-14 11:29:50 61952 --a------ C:\icjamlp.exe
2008-04-14 11:29:28 28160 --a------ C:\WINDOWS\winself.exe
2008-04-14 11:29:27 35336 --a------ C:\WINDOWS\antispl.exe <Not Verified; Microsoft; cmx>
2008-04-14 11:29:22 55808 --a------ C:\WINDOWS\winsysxz.exe
2008-04-14 11:08:05 0 d-------- C:\WINDOWS\system32\4847
2008-04-14 10:49:17 24576 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-10 15:47:16 0 d-------- C:\WINDOWS\system32\3541
2008-04-10 15:46:55 55218 --a------ C:\WINDOWS\zeqbqwp.sys
2008-04-10 15:46:45 25088 --a------ C:\WINDOWS\gavurjjf.exe
2008-04-10 15:46:45 1086376 --a------ C:\Documents and Settings\jesse wool\Application Data\Install.dat
2008-04-10 15:46:44 25088 --a------ C:\gavurjjf.exe
2008-04-10 15:43:43 31 --a------ C:\smp.bat
2008-04-10 15:42:49 0 d-------- C:\Documents and Settings\jesse wool\Application Data\Anti-Virus-Pro.com
2008-04-10 15:42:43 0 d-------- C:\Program Files\AntiVirusPro
2008-04-10 12:33:10 0 d-------- C:\Documents and Settings\jesse wool\Application Data\Viewpoint
2008-03-28 12:44:06 0 d-------- C:\Program Files\Bonjour
2008-03-28 11:41:51 173563 --a------ C:\WINDOWS\system32\msram.dll

-- Find3M Report ---------------------------------------------------------------

2008-04-15 10:54:01 0 d-------- C:\Program Files\QuickTime
2008-04-15 10:53:56 0 d-------- C:\Program Files\Common Files
2008-04-15 10:53:45 0 d-------- C:\Program Files\iTunes
2008-04-15 10:53:44 0 d-------- C:\Program Files\??sks
2008-04-15 10:53:44 0 d-------- C:\Program Files\?ecurity
2008-04-15 09:52:37 0 d-------- C:\Documents and Settings\jesse wool\Application Data\AVG7
2008-04-15 09:34:58 280204 --ahs---- C:\WINDOWS\system32\qqstv.ini2
2008-04-15 08:00:24 0 d-------- C:\Program Files\Dell Support
2008-04-14 16:37:51 0 d-------- C:\Program Files\Movie Maker
2008-04-14 16:37:35 0 d-------- C:\Program Files\Windows NT
2008-04-14 16:34:28 23268 --a------ C:\WINDOWS\system32\nvModes.dat
2008-04-14 15:50:07 0 d-------- C:\Documents and Settings\jesse wool\Application Data\Starware316
2008-04-14 12:22:54 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-14 11:45:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 10:41:35 23428 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-28 12:56:49 0 d-------- C:\Documents and Settings\jesse wool\Application Data\Apple Computer
2008-03-26 10:25:14 0 d-------- C:\Program Files\WB06D2SE
2008-02-23 11:18:26 513 --a------ C:\logfile.dat
2008-02-23 11:00:04 0 d-------- C:\Program Files\DIFX
2008-02-23 10:58:46 0 d-------- C:\Program Files\LeapFrog

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]

"@"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/2008 09:17 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/20/2005 04:34 PM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 12:39 PM]

"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\jesse wool\Start Menu\Programs\Startup\
Wireless Connection Manager Update.lnk - C:\Program Files\Novatel Wireless\WirelessConnectionManager\WiseUpdt.exe [10/30/2005 2:20:20 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [9/26/2005 3:38:19 PM]

"DisableTaskMgr"=0 (0x0)

"DisableRegistryTools"=1 (0x1)

"start"=C:\Program Files\NetProject\sbmntr.exe
"cKHI1O14Xz"=C:\Documents and Settings\All Users\Application Data\wdkbqdwn\wvezedol.exe
"3RDhGzmOOi"=C:\Documents and Settings\All Users\Application Data\wdkbqdwn\wvezedol.exe

"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

"NoFolderOptions"=1 (0x1)

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

"KernelPrx"= {d1f822ca-1c3a-4a6d-a27b-5e6efe4fb1c9} - C:\WINDOWS\Installer\{d1f822ca-1c3a-4a6d-a27b-5e6efe4fb1c9}\KernelPrx.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 12:39 PM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkhe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccbba]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 05:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhiji]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsqq


@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3ccd5a51]
rundll32.exe "C:\WINDOWS\System32\ugtjhtao.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bm3ffe69cd]
Rundll32.exe "C:\WINDOWS\System32\ucifuqwh.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drivesystem]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\myspaceim]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcpldaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask .exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

-- End of Deckard's System Scanner: finished at 2008-04-15 12:41:38 ------------
  • 0




  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
What is the next thing I do? I don't really understand your last post?
  • 0



    Ex Malware Expert

  • Expert
  • 7,829 posts
OK Jesse, lets start cleaning this machine!

Please uninstall the following programs:

MyWay Search Assistant
Viewpoint Media Player

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


So in your next reply, please include the following logs:
  • The contents of SDFix's Report.txt
  • The contents of Combofix.txt
  • The contents of the MBAM log
  • A fresh DSS log taken after completing the above

Note that you may need to break this into two or three posts to get everything in.

  • 0




  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
Thanks again Rathat I will do what you said and post back shortly.
  • 0




  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
Rathat I removed what you said to from add/remove programs then downloaded the programs to my flash drive. I then restarted my computer and selected safe mode and it then looks like its going to work but it just stops at once it goes to the black screen it just hangs up an move like its frozen. Do you know what might be causing this? It works fine when I dont choose Safemode
  • 0





  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
I tried doing it again and I noticed it stops everytime at "multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\Drivers\Mup.sys" I wasn't sure if you might know what that means.
  • 0



    Ex Malware Expert

  • Expert
  • 7,829 posts
Download SafeBootKeyRepair.exe and save it to your desktop.

Double-click SafeBootKeyRepair.exe to run it. Follow all prompts, then try to boot into Safe Mode again and run SDFix.

By the way, please do not use your flash drive on any clean computer as this may be infected.
  • 0




  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
Thanks again I'll give that a try and then go through the steps you said before.
  • 0




  • Topic Starter
  • Member
  • PipPipPip
  • 387 posts
Rathat I'm sorry to bother you again but I have tried running the safebootkeyrepair.exe twice and I still get stuck at the same place everytime I choose to boot in safemode.

I know when you told me to run the safebootkeyrepair.exe you said to follow the prompts I never got any prompts all it did was go to black dos screen and it said please wait then once it finished a notepad file would appear with waht looks like a bunch of windows registry keys. Do you know what the problem might be?
  • 0



    Ex Malware Expert

  • Expert
  • 7,829 posts
Could you post me the Notepad file it produced.

Also lets skip SDFix for now, and move on to Combofix. Run that then post me the log it produces.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP