
Trojan Horse help [RESOLVED]


  • This topic is locked

#1
x__CRASH__x
    Member
  • 29 posts
I've used this service before for my own computer and had good results, so am asking for help again. I rebuilt an old computer of mine for my mother-in-law so she could access the internet. She got broadband and everything was fine... until my brother-in-law decided to surf some naughty stuff. They are all new to the internet, so when a pop-up warned my BIL that he was infected with spyware, and to click there to take care of it, he did. Then he paid them $50 for their program because he felt so bad for potentially ruining the computer. Needless to say, he opened a floodgate of problems. I have AVG and AdAware on the box. But he didn't realize what he was doing.

So, I ran both, and got rid of quite a bit. But I'm still getting a lot of Trojan Horse warnings from AVG. I can run a scan and it will find problems, and I will put them in the vault and delete them, but they will reappear.

I didn't run a HJT or anything else yet because I wanted some expert advice on how to kill the problems. Some of the recurrent problems are listed below. I copied them as they appear on AVG. (These aren't all of them, just a sample of the most common.)

Trojan Horse Downloader.Obfuskated
Trojan Horse BackDoor.Generic9.JWU
Trojan Horse IRC/BackDoor.SdBot3.TQG
Trojan Horse BackDoor.Generic.WZX
Trojan Horse Proxy.BIH

All help is greatly appreciated!


#2
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Hi, I will need to see what the problems are, so I would like you to download HijackThis; just install it for now, and then run an analysis programme for me.

Download & Run HijackThis.exe

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Close Hijackthis.

THEN

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
x__CRASH__x
    Member
  • Topic Starter
  • 29 posts
Deckard's System Scanner v20071014.68
Run by Mike n Jen on 2008-04-26 11:24:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
25: 2008-04-26 18:25:01 UTC - RP46 - Deckard's System Scanner Restore Point
24: 2008-04-12 11:44:09 UTC - RP45 - Last known good configuration
23: 2008-04-12 11:44:06 UTC - RP44 - System Checkpoint
22: 2008-04-12 11:44:06 UTC - RP43 - System Checkpoint
21: 2008-04-12 11:44:06 UTC - RP42 - Installed Creative Software AutoUpdate


-- First Restore Point --
1: 2008-04-12 11:44:05 UTC - RP22 - Unsigned driver install


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mike n Jen.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:20 AM, on 4/26/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\lqtejqta\jebktqly.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Documents and Settings\Mike n Jen\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mike n Jen.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Content Manager Subsystem] cmss.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MS DLL Library Manager] C:\WINDOWS\System32\dllsys64.exe
O4 - HKLM\..\Run: [wlsass] C:\WINDOWS\System32\wlsass.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINDOWS\System32\mstskmgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft® System Manager] C:\WINDOWS\system32\sysmgr.exe
O4 - HKLM\..\RunServices: [Content Manager Subsystem] cmss.exe
O4 - HKCU\..\Run: [Content Manager Subsystem] cmss.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MIKENJ~1\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\RunServices: [Content Manager Subsystem] cmss.exe
O4 - HKLM\..\Policies\Explorer\Run: [qgpdQwojTQ] C:\Documents and Settings\All Users\Application Data\lqtejqta\jebktqly.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Content Manager Subsystem] cmss.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ttool] C:\WINDOWS\9129837.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Content Manager Subsystem] cmss.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Content Manager Subsystem] cmss.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Content Manager Subsystem] cmss.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133915814190
O20 - Winlogon Notify: fccyyVND - fccyyVND.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe (file missing)
O23 - Service: ClipBook ClipSrvRpcSs (ClipSrvRpcSs) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe (file missing)
O23 - Service: Google Online Services - Unknown owner - C:\Documents and Settings\Mike n Jen\ie_updates3r.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: MsLS32 - Unknown owner - C:\WINDOWS\MsLS32.exe (file missing)
O23 - Service: microsoft update (msnupdate) - Unknown owner - C:\WINDOWS\windupdate.exe (file missing)
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: Upload Manager uploadmgr Smart (uploadmgr Smart) - Unknown owner - C:\WINDOWS\system32\htjt522.exe (file missing)

--
End of file - 5611 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080426-100818-156 O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\System32\fccyyVND.dll (file missing)
backup-20080426-100818-189 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080426-100818-323 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080426-100818-366 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080426-100818-377 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080426-100818-456 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080426-100818-472 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080426-100818-531 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080426-100818-540 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080426-100818-552 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080426-100818-595 O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe (file missing)
backup-20080426-100818-613 O2 - BHO: (no name) - {AF2B603C-3365-41E8-B797-2AB32112B7F4} - C:\WINDOWS\System32\nnnlkjJd.dll (file missing)
backup-20080426-100818-654 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080426-100818-758 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
backup-20080426-100818-786 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080426-100818-866 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080426-100818-888 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080426-100818-902 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080426-100818-949 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 ctac32k (Creative AC3 Software Decoder) - c:\windows\system32\drivers\ctac32k.sys (file missing)
S3 ctaud2k (Creative Audio Driver (WDM)) - c:\windows\system32\drivers\ctaud2k.sys (file missing)
S3 ctdvda2k (Creative DVD-Audio Device Driver) - c:\windows\system32\drivers\ctdvda2k.sys (file missing)
S3 ctgame (Game Port) - c:\windows\system32\drivers\ctgame.sys (file missing)
S3 ctprxy2k (Creative Proxy Driver) - c:\windows\system32\drivers\ctprxy2k.sys (file missing)
S3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys (file missing)
S3 ha10kx2k (Creative Hardware Abstract Layer Driver) - c:\windows\system32\drivers\ha10kx2k.sys (file missing)
S3 hap16v2k (Creative P16V HAL Driver) - c:\windows\system32\drivers\hap16v2k.sys (file missing)
S3 new_drv (!!!!) - c:\windows\new_drv.sys (file missing)
S3 rdriv - c:\windows\system32\rdriv.sys (file missing)
S3 remon - c:\windows\system32\remon.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

S2 BusinessContinuity (BusinessC) - "c:\windows\msstl.exe" (file missing)
S2 ClipSrvRpcSs (ClipBook ClipSrvRpcSs) - c:\windows\system32\advapi32k.exe srv (file missing)
S2 Google Online Services - c:\documents and settings\mike n jen\ie_updates3r.exe -a (file missing)
S2 lsass (Local Security Authority Subsystem Service) - "c:\windows\lsass.exe" (file missing)
S2 MsLS32 - "c:\windows\msls32.exe" (file missing)
S2 msnupdate (microsoft update) - "c:\windows\windupdate.exe" (file missing)
S2 MSSysInterv1 (MSSysInterv) - c:\windows\winself.exe service (file missing)
S2 sysmgr64 - "c:\windows\sysmgr64.exe" (file missing)
S2 uploadmgr Smart (Upload Manager uploadmgr Smart) - c:\windows\system32\htjt522.exe srv (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_31041106&REV_82\3&61AAA01&0&83
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_31041106&REV_82\3&61AAA01&0&83
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_18411019&REV_50\3&61AAA01&0&8D
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_18411019&REV_50\3&61AAA01&0&8D
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA PCI 10/100Mb Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021106&REV_74\3&61AAA01&0&90
Manufacturer: VIA Technologies, Inc.
Name: VIA PCI 10/100Mb Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021106&REV_74\3&61AAA01&0&90
Service: FETNDIS


-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 10:01:53 0 d-------- C:\Program Files\Trend Micro
2008-04-26 09:57:55 2954 --a------ C:\WINDOWS\System32\tmp.reg
2008-04-26 09:57:09 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2008-04-26 09:57:09 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-26 09:57:09 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-26 09:57:09 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-26 09:57:09 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-26 09:57:09 82944 --a------ C:\WINDOWS\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-26 09:57:09 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2008-04-26 09:57:09 82944 --a------ C:\WINDOWS\System32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-12 07:53:01 102810 --a------ C:\WINDOWS\System32\msvcrt2.dll
2008-04-12 04:43:55 195562 --ahs---- C:\WINDOWS\System32\dJjklnnn.ini2
2008-04-12 04:33:43 161 --a-s---- C:\WINDOWS\System32\3661538103.dat
2008-04-12 04:32:45 0 d-------- C:\Documents and Settings\All Users\Application Data\lqtejqta
2008-04-12 04:32:04 2 --a------ C:\-2132154866
2008-04-12 04:31:26 11008 --a------ C:\WINDOWS\stcloader.exe
2008-04-12 04:31:25 19200 --a------ C:\WINDOWS\voiceip.dll
2008-04-12 04:31:25 11008 --a------ C:\WINDOWS\mssvr.exe
2008-04-12 04:31:25 28672 --a------ C:\WINDOWS\mspphe.dll
2008-04-12 04:31:25 18688 --a------ C:\WINDOWS\cdsm32.dll
2008-04-12 04:31:25 26112 --a------ C:\WINDOWS\bokja.exe
2008-04-12 04:31:24 10752 --a------ C:\WINDOWS\bjam.dll
2008-04-12 04:31:24 31488 --a------ C:\WINDOWS\2020search2.dll
2008-04-12 04:31:24 30976 --a------ C:\WINDOWS\2020search.dll
2008-04-12 04:31:20 24576 --a------ C:\WINDOWS\saiemod.dll
2008-04-12 04:31:19 29696 --a------ C:\WINDOWS\msapasrc.dll
2008-04-12 04:31:19 15360 --a------ C:\WINDOWS\msa64chk.dll
2008-04-12 04:31:18 16384 --a------ C:\WINDOWS\shdocpl.dll
2008-04-12 04:31:18 22016 --a------ C:\WINDOWS\ntnut.exe
2008-04-12 04:31:17 29440 --a------ C:\WINDOWS\winsb.dll
2008-04-12 04:31:17 23040 --a------ C:\WINDOWS\shdocpe.dll
2008-04-12 04:31:17 23296 --a------ C:\WINDOWS\browserad.dll
2008-04-12 04:31:17 32000 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-12 04:31:16 19712 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-12 04:31:16 26624 --a------ C:\WINDOWS\avifile32.dll
2008-04-12 04:31:16 11776 --a------ C:\WINDOWS\autodisc32.dll
2008-04-12 04:31:16 16640 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-12 04:31:16 21504 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-12 04:31:16 31488 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-12 04:31:15 15616 --a------ C:\WINDOWS\athprxy32.dll
2008-04-12 04:31:15 28672 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-12 04:31:15 26880 --a------ C:\WINDOWS\asferror32.dll
2008-04-12 04:31:15 15104 --a------ C:\WINDOWS\apphelp32.dll
2008-04-12 04:31:14 20480 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-12 04:29:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-11 19:25:12 0 d-------- C:\WINDOWS\Sun
2008-04-11 19:25:11 0 d-------- C:\Documents and Settings\Mike n Jen\Application Data\Sun
2008-04-04 22:29:14 270694 --a------ C:\WINDOWS\System32\000090.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-13 14:54:00 0 d-------- C:\Documents and Settings\Mike n Jen\Application Data\AVG7
2008-03-10 16:42:19 0 d-------- C:\Documents and Settings\Mike n Jen\Application Data\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/12/2005 02:43 PM]
"Content Manager Subsystem"="cmss.exe" []
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" []
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" []
"MS DLL Library Manager"="C:\WINDOWS\System32\dllsys64.exe" []
"wlsass"="C:\WINDOWS\System32\wlsass.exe" []
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" []
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" []
"DevconDefaultDB"="C:\WINDOWS\READREG /PSCONV={NO}" []
"MS Task Manager 32"="C:\WINDOWS\System32\mstskmgr.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/26/2008 09:45 AM]
"P17Helper"="P17.dll" [05/03/2005 04:38 AM C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"Microsoft® System Manager"="C:\WINDOWS\system32\sysmgr.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Content Manager Subsystem"="cmss.exe" []
"Microsoft Windows Installer"="C:\DOCUME~1\MIKENJ~1\LOCALS~1\Temp\ie.exe" []
"ttool"="C:\WINDOWS\9129837.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"Content Manager Subsystem"=cmss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Content Manager Subsystem"=cmss.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Content Manager Subsystem"=cmss.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Content Manager Subsystem"=cmss.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ttool"=C:\WINDOWS\9129837.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"qgpdQwojTQ"=C:\Documents and Settings\All Users\Application Data\lqtejqta\jebktqly.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyyVND]
fccyyVND.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\nnnlkjJd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-04-26 11:25:52 ------------

#4
x__CRASH__x
    Member
  • Topic Starter
  • 29 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600)
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2400+
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1023.48 MiB / 604.37 MiB
Pagefile Memory (total/avail): 2462.69 MiB / 2088.86 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.12 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 30.07 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75CLB0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mike n Jen\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mike n Jen
LOGONSERVER=\\HOME
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MIKENJ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MIKENJ~1\LOCALS~1\Temp
USERDOMAIN=HOME
USERNAME=Mike n Jen
USERPROFILE=C:\Documents and Settings\Mike n Jen
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mike n Jen (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy\Program\Setup.exe" /S /U /W
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{702F1CE2-2751-4E8A-AB2D-53262AE0EF05}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Creative Software AutoUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hyper Lobby Pro Client version 3.9.111 --> "C:\WINDOWS\lsb_un20.exe" /C=UC /N=Hyper Lobby Pro Client version 3.9.111
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
LimeWire 4.14.5 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech iTouch Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{036AA4D4-6D32-11D4-9875-00105ACE7734}\setup.exe" -l0x9 UNINSTALL
Logitech MouseWare 9.42 .1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech User's Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBE0FCA1-4E95-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
Sound Blaster Audigy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B1DDAD2-C704-49F8-8FC2-18DAAD9A87C5}\SETUP.EXE" -l0x9 /remove


-- Application Event Log -------------------------------------------------------

Event Record #/Type1029 / Error
Event Submitted/Written: 04/26/2008 10:10:47 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type1028 / Error
Event Submitted/Written: 04/26/2008 10:10:47 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type1025 / Error
Event Submitted/Written: 04/26/2008 09:44:33 AM
Event ID/Source: 2002 / Perflib
Event Description:
The open procedure for service "WmiApRpl" in DLL "C:\WINDOWS\System32\wbem\wmiaprpl.dll" has taken longer than
the established wait time to complete. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type1024 / Error
Event Submitted/Written: 04/26/2008 09:44:28 AM
Event ID/Source: 2002 / Perflib
Event Description:
The open procedure for service "WmiApRpl" in DLL "C:\WINDOWS\System32\wbem\wmiaprpl.dll" has taken longer than
the established wait time to complete. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type1018 / Error
Event Submitted/Written: 04/13/2008 04:17:54 PM
Event ID/Source: 2002 / Perflib
Event Description:
The open procedure for service "WmiApRpl" in DLL "C:\WINDOWS\System32\wbem\wmiaprpl.dll" has taken longer than
the established wait time to complete. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type112717 / Error
Event Submitted/Written: 04/26/2008 10:20:58 AM / 04/26/2008 10:20:59 AM
Event ID/Source: 11 / Disk
Event Description:
The driver detected a controller error on \Device\Harddisk0\D.

Event Record #/Type112716 / Error
Event Submitted/Written: 04/26/2008 10:20:58 AM / 04/26/2008 10:20:59 AM
Event ID/Source: 5 / atapi
Event Description:
A parity error was detected on \Device\Ide\IdePort0.

Event Record #/Type112715 / Error
Event Submitted/Written: 04/26/2008 10:20:58 AM / 04/26/2008 10:20:59 AM
Event ID/Source: 11 / Disk
Event Description:
The driver detected a controller error on \Device\Harddisk0\D.

Event Record #/Type112714 / Error
Event Submitted/Written: 04/26/2008 10:20:57 AM / 04/26/2008 10:20:59 AM
Event ID/Source: 11 / Disk
Event Description:
The driver detected a controller error on \Device\Harddisk0\D.

Event Record #/Type112713 / Error
Event Submitted/Written: 04/26/2008 10:20:57 AM / 04/26/2008 10:20:59 AM
Event ID/Source: 11 / Disk
Event Description:
The driver detected a controller error on \Device\Harddisk0\D.



-- End of Deckard's System Scanner: finished at 2008-04-26 11:25:52 ------------

#5
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here
Apply the update, reboot, and post a fresh DSS log.

#6
x__CRASH__x
    Member
  • Topic Starter
  • 29 posts
Oh my goodness, I didn't realize I hadn't updated Windows XP. Well, that's pretty embarrassing that I forgot that part. Let me go get all the updates.

#7
x__CRASH__x
    Member
  • Topic Starter
  • 29 posts
Well, this isn't good at all. I installed SP2 and had to reboot. Now, when Windows tries to start up it reboots right at the point the Desktop should come up. I can't even get into Safe mode because it does the same thing.

ugh

#8
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Ah, you should have taken SP1 first; I should have made that clear, as SP2 does not play well with infections. Can you get into safe mode with networking? If so, then ...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

If you cannot get into safe mode with networking, but can get into safe mode, then try the following:

Go to Control panel
Add/Remove
And uninstall service pack 2

#9
x__CRASH__x
    Member
  • Topic Starter
  • 29 posts

Ah you should have taken SP1 first - I should have made that clear. As SP2 does not play well with infections.

I was never given the option at the MS update center. It only gave me SP2.

Here is where I currently am with trying to get Windows to boot up. If you can offer any advice to move me along, I'd appreciate it. I'll remove SP2 if you think I ought to, but I'll need to know where or how to get SP1a.


http://www.geekstogo...te-t196246.html


Thanks for your help so far!

#10
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Yes, uninstall SP2, and here is the link for SP1: http://www.microsoft...p1/default.mspx

#11
x__CRASH__x
    Member
  • Topic Starter
  • 29 posts
Any ideas on how to get Windows to boot up for me? I included the link where I'm trying to get there, but haven't heard back from the bloke who was helping me.

#12
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Having read the other thread, go to this link and follow the instructions: http://www.geekstogo...ws-t173729.html

#13
x__CRASH__x
    Member
  • Topic Starter
  • 29 posts
Cheers mate, thanks for the help.

#14
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Sorry I could not be of more help in this case :)

#15
x__CRASH__x
    Member
  • Topic Starter
  • 29 posts
No worries. Luckily there wasn't anything on her computer I couldn't reload. And with a format, I'm sure all the crap is now gone. So, I reloaded and got it all updated with the latest SP2 and all other updates, AVG 8.0, and AdAware. So it's set. Now I just have to instruct them with what to do in case a threat does pop up in the future.