Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infected with spyware and virus Help! [RESOLVED]

Started by ckim , May 23 2008 01:13 PM

  • This topic is locked This topic is locked

#1
ckim
Posted 23 May 2008 - 01:13 PM

ckim

    Member

  • Member
  • PipPip
  • 29 posts
I think I have major spyware and virus, evertime I open up internet pop up comes up.
Please Help.

Here is log files

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:44 PM, on 5/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\w?auboot.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\DOCUME~1\LUPEDI~1\APPLIC~1\SSTEM~1\notepad.exe
F:\Spyware Removal Tools\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0dd98dcc-3396-44a7-9292-e539d12b315d} - C:\WINDOWS\System32\pnadwgj.dll (file missing)
O2 - BHO: (no name) - {4F7D0787-6772-4195-B404-98478689B260} - (no file)
O2 - BHO: {b1df8cbd-d159-86eb-d124-b42746a12136} - {63121a64-724b-421d-be68-951ddbc8fd1b} - C:\WINDOWS\System32\hiyhcpci.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: (no name) - {BB94C508-1180-5CD9-68B3-7C191A37686F} - C:\WINDOWS\Ajxrycaj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {A922F01A-8F81-E9EB-7C22-1B505071DF0C} - C:\WINDOWS\Ajxrycaj.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKCU\..\Run: [Ussimhnd] "C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\w?auboot.exe"
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\LUPEDI~1\APPLIC~1\SSTEM~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Policies\Explorer\Run: [osupsh] C:\WINDOWS\System32\osupsh.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farme...ctiveX/smsx.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://ml.sitexdata....ult/arview2.cab
O18 - Filter hijack: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - AppInit_DLLs: ?A?C C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: hggfccd - hggfccd.dll (file missing)
O20 - Winlogon Notify: wygsnnac - wygsnnac.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

--
End of file - 5996 bytes

Thank you. :)

Edited by ckim, 23 May 2008 - 02:03 PM.

  • 0

Advertisements

#2
Essexboy
Posted 23 May 2008 - 02:26 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi and welcome, let's get you tidied up shall we :)

Firstly you are using MSJava that is so far out of date that it is fossilised

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

NOW TO START

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {0dd98dcc-3396-44a7-9292-e539d12b315d} - C:\WINDOWS\System32\pnadwgj.dll (file missing)
O2 - BHO: (no name) - {4F7D0787-6772-4195-B404-98478689B260} - (no file)
O2 - BHO: {b1df8cbd-d159-86eb-d124-b42746a12136} - {63121a64-724b-421d-be68-951ddbc8fd1b} - C:\WINDOWS\System32\hiyhcpci.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: (no name) - {BB94C508-1180-5CD9-68B3-7C191A37686F} - C:\WINDOWS\Ajxrycaj.dll (file missing)
O3 - Toolbar: Search - {A922F01A-8F81-E9EB-7C22-1B505071DF0C} - C:\WINDOWS\Ajxrycaj.dll (file missing)
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKCU\..\Run: [Ussimhnd] "C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\w?auboot.exe"
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\LUPEDI~1\APPLIC~1\SSTEM~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Policies\Explorer\Run: [osupsh] C:\WINDOWS\System32\osupsh.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: hggfccd - hggfccd.dll (file missing)
O20 - Winlogon Notify: wygsnnac - wygsnnac.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

AntiSpywareMaster

Please note any other programs that you dont recognize in that list in your next response

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\System32\pnadwgj.dll 
C:\WINDOWS\System32\hiyhcpci.dll
C:\WINDOWS\Ajxrycaj.dll 
C:\Program Files\AntiSpywareMaster
C:\WINDOWS\System32\osupsh.exe
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe
C:\DOCUME~1\LUPEDI~1\APPLIC~1\SSTEM~1
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix
  • 0

#3
ckim
Posted 23 May 2008 - 03:03 PM

ckim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Thank you very mmuch for your support.

Here is log file

ComboFix 08-05-21.3 - Lupe Diaz 2008-05-23 13:56:03.1 - FAT32x86
Running from: C:\Documents and Settings\Lupe Diaz\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lupe Diaz\Application Data\macromedia\Flash Player\#SharedObjects\SSX8GFFW\www.broadcaster.com
C:\Documents and Settings\Lupe Diaz\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Lupe Diaz\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\SoftwareOnline
C:\WINDOWS\BM04e7363e.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\libbz2.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ainomirg.dll
C:\WINDOWS\SYSTEM32\aljfmbog.ini
C:\WINDOWS\system32\behamkea.dll
C:\WINDOWS\system32\c2
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\diduniko.dll
C:\WINDOWS\system32\dofkuhuh.exe
C:\WINDOWS\system32\ghbpwamq.ini
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ncetmaxv.dll
C:\WINDOWS\system32\nt68rrtc12.sys
C:\WINDOWS\system32\orrqkgdr.dll
C:\WINDOWS\SYSTEM32\orutv.ini
C:\WINDOWS\SYSTEM32\orutv.ini2
C:\WINDOWS\system32\rkfgvykm.dll
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\ttryasco.dll
C:\WINDOWS\SYSTEM32\uuwnpiqv.ini
C:\WINDOWS\system32\wirxvaeb.ini
C:\WINDOWS\system32\wxraatxc.dll
C:\WINDOWS\system32\x3
C:\WINDOWS\system32\xgkqcrof.dll
C:\WINDOWS\system32\xlbkhdgx.dll
C:\WINDOWS\system32\ywhoxlbm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NAVAPSVC
-------\Legacy_NETWORK_MONITOR
-------\Service_navapsvc


((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-23 13:59 . 2008-05-23 13:59 <DIR> d-------- C:\Temp\tn3
2008-05-23 13:52 . 2008-05-23 13:52 <DIR> d-------- C:\_OTMoveIt
2008-05-23 13:42 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-23 13:38 . 2008-05-23 13:38 <DIR> d-------- C:\Documents and Settings\Lupe Diaz\.SunDownloadManager
2008-05-23 12:59 . 2008-05-23 12:59 <DIR> d-------- C:\VundoFix Backups
2008-05-23 11:35 . 2008-05-23 11:35 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-05-23 11:35 . 2008-05-23 11:35 <DIR> d-------- C:\Program Files\Panda Security
2008-05-23 10:27 . 2008-05-23 10:27 <DIR> d--hs---- C:\FOUND.002
2008-05-23 09:20 . 2008-05-23 09:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 09:20 . 2008-05-23 09:20 <DIR> d-------- C:\Documents and Settings\Lupe Diaz\Application Data\Malwarebytes
2008-05-23 09:20 . 2008-05-23 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 09:20 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-23 09:20 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-23 09:19 . 2008-05-23 09:19 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-23 09:17 . 2008-05-23 09:17 200,773 --a------ C:\WINDOWS\SYSTEM32\mcntpsdm.exe
2008-05-23 09:11 . 2008-05-23 09:12 127,488 --a------ C:\WINDOWS\SYSTEM32\jixjdudj.dll
2008-05-23 09:06 . 2008-05-23 09:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\hI2
2008-05-23 09:06 . 2008-05-23 09:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\at1
2008-05-23 09:06 . 2008-05-23 09:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\1064a
2008-05-23 09:05 . 2008-05-23 09:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\vntiho01
2008-05-23 09:00 . 2008-05-23 09:00 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-23 08:40 . 2008-05-23 08:40 <DIR> d-------- C:\Download
2008-05-23 08:30 . 2008-05-23 08:30 <DIR> d--hs---- C:\FOUND.001
2008-05-23 08:27 . 2008-05-23 08:27 <DIR> d-------- C:\c1b6168690abc42bce51
2008-05-23 08:23 . 2008-05-23 08:23 <DIR> d--hs---- C:\FOUND.000
2008-05-20 14:02 . 2008-05-20 14:02 32,768 --a------ C:\WINDOWS\SYSTEM32\vntiho01\vntiho011065.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 16:14 167,545 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-03-02 11:06 136,627 ----a-w C:\WINDOWS\POTA777444.exe
2008-02-29 22:00 55,606 ----a-w C:\WINDOWS\SYSTEM32\newtrafficsector-remove.exe
2006-08-10 23:55 70,312 ----a-w C:\Documents and Settings\Lupe Diaz\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=?A?C C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lupe Diaz^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Lupe Diaz\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lupe Diaz^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Lupe Diaz\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lupe Diaz^Start Menu^Programs^Startup^Zeno.lnk]
path=C:\Documents and Settings\Lupe Diaz\Start Menu\Programs\Startup\Zeno.lnk
backup=C:\WINDOWS\pss\Zeno.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lupe Diaz^Start Menu^Programs^Startup^Z_Start.lnk]
path=C:\Documents and Settings\Lupe Diaz\Start Menu\Programs\Startup\Z_Start.lnk
backup=C:\WINDOWS\pss\Z_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\07d405a2]
C:\WINDOWS\System32\wsbacnyo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
C:\DOCUME~1\LUPEDI~1\APPLIC~1\SSTEM~1\notepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
C:\WINDOWS\System32\mwinpsaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-11-10 05:30 70816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cchcy]
--a------ 2002-08-29 05:00 11776 C:\WINDOWS\System32\?hkdsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access API Daemon]
--a------ 1997-09-24 00:26 22528 C:\Program Files\IBM\Client Access\cwbappcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Check Version]
--a------ 1997-09-24 00:26 33280 C:\Program Files\IBM\Client Access\cwbckver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
--a------ 1997-09-24 00:26 6144 C:\Program Files\IBM\Client Access\CwbSvStr.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Taskbar]
--a------ 1997-09-24 00:26 13312 C:\Program Files\IBM\Client Access\cwbuitsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Welcome Wizard]
--a------ 1997-09-24 00:26 38400 C:\Program Files\IBM\Client Access\cwbwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMMan]
C:\Program Files\CMMan\CMMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Contextual Tool]
C:\WINDOWS\z00098.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
--a------ 2008-05-23 09:17 200773 C:\WINDOWS\System32\mcntpsdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FCMan]
C:\Program Files\FCMan\FCMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-10-02 13:19 118784 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-10-02 13:37 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inrh95]
--a------ 2005-12-20 14:24 1244844 C:\WINDOWS\System32\inrh95

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\irassync]
C:\WINDOWS\System32\irasyncd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kqom]
C:\PROGRA~1\COMMON~1\kqom\kqomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lspins]
C:\WINDOWS\System32\igps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noC=]
C:\windows\mrjj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwf]
C:\WINDOWS\nwf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osupsh]
C:\WINDOWS\System32\osupsh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\Program Files\Registry Cleaner Trial\RegClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services32]
C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sf]
C:\Program Files\sf\sf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snss Launcher]
C:\Program Files\snss\snss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOProc_SoRefRegSoAlertWxLiteNnAj]
--a------ 2006-07-13 06:46 8353280 C:\WINDOWS\SYSTEM32\shell32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
C:\Program Files\webHancer\Programs\whsurvey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win2.exeCK.exe]
--a------ 2005-12-20 14:32 1244844 C:\WINDOWS\System32\Win2.exeCK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTask driver]
C:\WINDOWS\System32\wintask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{40-05-50-0D-DW}]
c:\windows\system32\rownw64o.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{40-05-50-0D-ZN}]
C:\windows\system32\rodsrego.exe

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 17:08:24 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Lupe Diaz.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 13:59:18
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\cwbrw.dll
-> C:\Program Files\IBM\Client Access\Mri2924\cwbsymsg.dll
-> C:\Program Files\IBM\Client Access\Mri2924\cwbmsg.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
.
**************************************************************************
.
Completion time: 2008-05-23 14:00:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 21:00:22

Pre-Run: 32,775,176,192 bytes free
Post-Run: 32,923,582,464 bytes free

230 --- E O F --- 2008-05-23 15:33:39

File/Folder C:\WINDOWS\System32\pnadwgj.dll not found.
File/Folder C:\WINDOWS\System32\hiyhcpci.dll not found.
File/Folder C:\WINDOWS\Ajxrycaj.dll not found.
File/Folder C:\Program Files\AntiSpywareMaster not found.
File/Folder C:\WINDOWS\System32\osupsh.exe not found.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Flash Player\AssetCache\8VCJBZ3X moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Flash Player\AssetCache moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Flash Player moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Linguistics\Dictionaries moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Linguistics moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\AUM moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Online Services\Photoshop Album Starter Edition\clients\Photoshop Album Starter Edition\sessions moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Online Services\Photoshop Album Starter Edition\clients\Photoshop Album Starter Edition moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Online Services\Photoshop Album Starter Edition\clients moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Online Services\Photoshop Album Starter Edition\cache moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Online Services\Photoshop Album Starter Edition moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Online Services moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\ESD moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Photoshop Album\3.2\OLS moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Photoshop Album\3.2 moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Photoshop Album\3.0\OLS moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Photoshop Album\3.0 moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Photoshop Album moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\8.0\JavaScripts moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\8.0\Collab moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\8.0\Preferences moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\8.0 moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\7.0\Updater moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\7.0\JavaScripts moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\7.0\Collab moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\7.0\Preferences moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\7.0 moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\Security\CRLCache moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\Security moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\Messages\ENU moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\Messages moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\Updater moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\AcroForm moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\eBooks moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\Collab moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0\Preferences moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat\6.0 moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe\Acrobat moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\Adobe moved successfully.
C:\DOCUME~1\LUPEDI~1\APPLIC~1\SSTEM~1\s?stem moved successfully.
C:\DOCUME~1\LUPEDI~1\APPLIC~1\SSTEM~1 moved successfully.
< Purity >
C:\Program Files\??crosoft.NET moved successfully.
C:\Program Files\Common Files\?racle moved successfully.
C:\Documents and Settings\Lupe Diaz\Application Data\?dobe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05232008_135230
  • 0

#4
Essexboy
Posted 23 May 2008 - 03:33 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets see if we can make MS files in the majority again

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\POTA777444.exe
C:\WINDOWS\SYSTEM32\newtrafficsector-remove.exe
C:\WINDOWS\System32\wsbacnyo.dll
C:\WINDOWS\System32\mwinpsaw.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\WINDOWS\z00098.exe
C:\WINDOWS\System32\mcntpsdm.exe
C:\WINDOWS\System32\irasyncd.exe
C:\PROGRA~1\COMMON~1\kqom\kqomm.exe
C:\WINDOWS\System32\igps.exe
C:\windows\mrjj.exe
C:\WINDOWS\nwf.exe
C:\WINDOWS\System32\osupsh.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
c:\windows\system32\rownw64o.exe
C:\windows\system32\rodsrego.exe
C:\WINDOWS\System32\cwbrw.dll
C:\Program Files\sf
C:\Program Files\snss
C:\WINDOWS\System32\inrh95
C:\WINDOWS\SYSTEM32\mcntpsdm.exe
C:\WINDOWS\SYSTEM32\jixjdudj.dll
C:\WINDOWS\System32\Win2.exeCK.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\SYSTEM32\hI2
C:\WINDOWS\SYSTEM32\at1
C:\WINDOWS\SYSTEM32\1064a
C:\WINDOWS\SYSTEM32\vntiho01
C:\Temp\tn3
C:\WINDOWS\SYSTEM32\vntiho01
C:\c1b6168690abc42bce51
C:\Program Files\CMMan
C:\Program Files\FCMan
C:\Program Files\Web Buying
C:\Program Files\webHancer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\07d405a2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cchcy
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMMan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Contextual Tool
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FCMan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inrh95
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\irassync
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kqom
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lspins
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noC=
HKEY_LOCAHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osupsh
HKEY_LOCAHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwf
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services32
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sf
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snss Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win2.exeCK.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTask driver
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{40-05-50-0D-ZN}]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{40-05-50-0D-DW}
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

THEN

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • Reg - Disabled MS Config Items
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#5
ckim
Posted 27 May 2008 - 12:45 PM

ckim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Here is new log!

Attached Files


  • 0

#6
Essexboy
Posted 27 May 2008 - 01:53 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could I have the OTScanit log please
  • 0

#7
ckim
Posted 27 May 2008 - 02:00 PM

ckim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
When I ran otscanit, it pop up with error saying error loading process libries.
I don't know what to do next?
  • 0

#8
Essexboy
Posted 27 May 2008 - 02:53 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
We will use another tool in its place

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#9
ckim
Posted 27 May 2008 - 03:17 PM

ckim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Malwarebytes' Anti-Malware 1.12
Database version: 781

Scan type: Quick Scan
Objects scanned: 35819
Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk (Malware.Trace) -> Delete on reboot.
  • 0

#10
Essexboy
Posted 27 May 2008 - 03:20 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
One final run with OTMoveit to ensure that the bad file has gone

  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk 
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

How is your computer running now ?
  • 0

Advertisements

#11
ckim
Posted 27 May 2008 - 03:47 PM

ckim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Here is log
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk scheduled to be moved on reboot.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05272008_143930

Files moved on Reboot...
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk scheduled to be moved on reboot.

I still having pop up everytime I open explorer.
Thank you very much for your support.
  • 0

#12
Essexboy
Posted 27 May 2008 - 03:51 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK big hammer time

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to delete:
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
  • 0

#13
ckim
Posted 27 May 2008 - 04:20 PM

ckim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Here is new log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:15 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
F:\Spyware Removal Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farme...ctiveX/smsx.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://ml.sitexdata....ult/arview2.cab
O20 - AppInit_DLLs: ?A?C C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

--
End of file - 5357 bytes





Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#14
Essexboy
Posted 28 May 2008 - 12:32 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Call me paranoid but I want to make sure it is gone :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#15
ckim
Posted 28 May 2008 - 12:41 PM

ckim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Here is the log files and I still have popup.

Deckard's System Scanner v20071014.68
Run by Lupe Diaz on 2008-05-28 11:37:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-05-28 18:37:11 UTC - RP9 - Deckard's System Scanner Restore Point
2: 2008-05-28 15:34:49 UTC - RP8 - Last good restore point
1: 2008-05-28 15:34:39 UTC - RP7 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-28 11:38:17
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\lexbces.exE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lupe Diaz\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVShExt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://eagent.farmersinsurance.com (HKCU)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX) - https://eagent.farme...ctiveX/smsx.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://ml.sitexdata....ult/arview2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\SYSTEM32\lexbces.exE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\SYSTEM32\NMSSvc.Exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe


--
End of file - 5613 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ASCC - c:\windows\system32\drivers\ascc.sys
R2 NetAlrt - c:\windows\system32\drivers\netalrt.sys <Not Verified; Intel Corporation; Intel Alert on LAN® 2>
R2 PlatAlrt - c:\windows\system32\drivers\platalrt.sys <Not Verified; Intel Corporation; Intel Alert on LAN® 2>

S1 SAVRT - c:\program files\norton antivirus\savrt.sys (file missing)
S1 SAVRTPEL - c:\program files\norton antivirus\savrtpel.sys (file missing)
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ASFAgent (ASF Agent) - c:\program files\intel\asf agent\asfagent.exe <Not Verified; Intel Corporation; Intel® PRO Alerting Suite ASF 1.0 Compatible>

S3 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>
S4 SAVScan - "c:\program files\norton antivirus\savscan.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-23 20:00:02 538 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Lupe Diaz.job


-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-27 14:24:42 48 --a------ C:\WINDOWS\CwbRmDir.bat
2008-05-24 10:26:11 0 d-------- C:\WINDOWS\system32\scripting
2008-05-24 10:26:10 0 d-------- C:\WINDOWS\l2schemas
2008-05-24 10:26:09 0 d-------- C:\WINDOWS\system32\en
2008-05-24 10:21:51 0 d-------- C:\WINDOWS\network diagnostic
2008-05-24 09:21:06 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-23 21:48:43 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Templates
2008-05-23 21:48:43 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\Start Menu
2008-05-23 21:48:43 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\SendTo
2008-05-23 21:48:43 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\Recent
2008-05-23 21:48:43 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\PrintHood
2008-05-23 21:48:43 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\NetHood
2008-05-23 21:48:43 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\My Documents
2008-05-23 21:48:43 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Local Settings
2008-05-23 21:48:43 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\Favorites
2008-05-23 21:48:43 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Desktop
2008-05-23 21:48:43 0 d---s---- C:\Documents and Settings\LogMeInRemoteUser\Cookies
2008-05-23 21:48:43 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\Application Data
2008-05-23 21:48:43 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Sun
2008-05-23 21:48:43 0 d---s---- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Microsoft
2008-05-23 21:48:43 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Identities
2008-05-23 21:48:42 786432 --ah----- C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT
2008-05-23 16:23:21 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-05-23 15:13:31 0 d-------- C:\WINDOWS\peernet
2008-05-23 15:13:30 0 d-------- C:\WINDOWS\provisioning
2008-05-23 15:11:42 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-23 15:05:38 0 d-------- C:\WINDOWS\EHome
2008-05-23 15:02:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-23 14:54:21 0 d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-05-23 14:53:48 0 d-------- C:\Program Files\LogMeIn
2008-05-23 14:00:54 0 d-------- C:\Documents and Settings\Lupe Diaz\Application Data\Adobe
2008-05-23 13:38:01 0 d-------- C:\Documents and Settings\Lupe Diaz\.SunDownloadManager
2008-05-23 11:35:26 0 d-------- C:\Program Files\Panda Security
2008-05-23 10:27:28 0 d--hs---- C:\FOUND.002
2008-05-23 09:20:31 0 d-------- C:\Documents and Settings\Lupe Diaz\Application Data\Malwarebytes
2008-05-23 09:20:07 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 09:20:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 09:19:52 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-23 08:40:12 0 d-------- C:\Download
2008-05-23 08:30:08 0 d--hs---- C:\FOUND.001
2008-05-23 08:23:44 0 d--hs---- C:\FOUND.000


-- Find3M Report ---------------------------------------------------------------

2008-04-13 17:12:36 7680 --a------ C:\WINDOWS\system32\spdwnwxp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-05 14:24:44 0 --a------ C:\WINDOWS\ORUN32.EXE
2008-03-05 14:24:42 0 --a------ C:\WINDOWS\LRUN32.EXE
2008-03-05 14:24:40 0 --a------ C:\WINDOWS\system32\CWBVIEWR.EXE
2008-03-05 14:24:38 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [02/28/2008 03:31 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 05/19/2008 03:23 PM 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lupe Diaz^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Lupe Diaz\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lupe Diaz^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Lupe Diaz\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lupe Diaz^Start Menu^Programs^Startup^Zeno.lnk]
path=C:\Documents and Settings\Lupe Diaz\Start Menu\Programs\Startup\Zeno.lnk
backup=C:\WINDOWS\pss\Zeno.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lupe Diaz^Start Menu^Programs^Startup^Z_Start.lnk]
path=C:\Documents and Settings\Lupe Diaz\Start Menu\Programs\Startup\Z_Start.lnk
backup=C:\WINDOWS\pss\Z_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
"C:\DOCUME~1\LUPEDI~1\APPLIC~1\SSTEM~1\notepad.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access API Daemon]
"C:\Program Files\IBM\Client Access\cwbappcd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Check Version]
"C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
"C:\Program Files\IBM\Client Access\CwbSvStr.Exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Taskbar]
"C:\Program Files\IBM\Client Access\cwbuitsk.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Welcome Wizard]
C:\Program Files\IBM\Client Access\cwbwiz.exe /I

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
"C:\Program Files\Registry Cleaner Trial\RegClean.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOProc_SoRefRegSoAlertWxLiteNnAj]
rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{40-05-50-0D-ZN}]
C:\windows\system32\rodsrego.exe CORN001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd355782-e709-11dc-9616-000d568ee327}]
AutoRun\command- E:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-05-28 11:40:24 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 253.99 MiB / 78.8 MiB
Pagefile Memory (total/avail): 625.51 MiB / 421.28 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.46 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 37.21 GiB total, 28.6 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340014A - 37.25 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Unknown - 37.21 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lupe Diaz\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D9M4QW41
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lupe Diaz
LOGONSERVER=\\D9M4QW41
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LUPEDI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\LUPEDI~1\LOCALS~1\Temp
USERDOMAIN=D9M4QW41
USERNAME=Lupe Diaz
USERPROFILE=C:\Documents and Settings\Lupe Diaz
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Lupe Diaz (admin)
LogMeInRemoteUser (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Conexant HSF V.9x 56K Data Fax PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2013&SUBSYS_021213E0\HXFSETUP.EXE -U -IVEN_14F1&DEV_2013&SUBSYS_021213E0
Contextual Tool --> C:\WINDOWS\z00098.exe /uninstall
Dell Printer Software Uninstall --> C:\Program Files\Dell\Install\Uninstall.exe
HijackThis 2.0.2 --> "F:\Spyware Removal Tools\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Intel® Pro Alerting Agent, Version 3.2.0 --> MsiExec.exe /I{66B4F24C-BE5D-423A-B56B-4013481F6801}
Intel® PRO Network Adapters WMI Provider (2.0) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C701994-43D2-4B7B-A548-C6E6C224D9A9}\setup.exe"
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LogMeIn --> MsiExec.exe /I{3E77CC74-82B8-4A2A-9A6C-5E45370E57C4}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Interactive Training --> C:\Program Files\MSPress\Training\lunins32_s.exe
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSRedist --> MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Norton AntiVirus 2004 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
Trafficsector Browser Optimizer --> C:\WINDOWS\System32\newtrafficsector-remove.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1182 / Error
Event Submitted/Written: 05/27/2008 02:33:29 PM
Event ID/Source: 13 / ccEvtMgr
Event Description:
ccEvtMgr: Failed to create the Trust Module.

Event Record #/Type1181 / Warning
Event Submitted/Written: 05/27/2008 02:33:29 PM
Event ID/Source: 13 / ccEvtMgr
Event Description:
ccEvtMgr: Loaded the default configuration settings.

Event Record #/Type1180 / Error
Event Submitted/Written: 05/27/2008 02:33:29 PM
Event ID/Source: 13 / ccEvtMgr
Event Description:
ccEvtMgr: Failed to load the configuration settings.

Event Record #/Type1179 / Error
Event Submitted/Written: 05/27/2008 02:33:29 PM
Event ID/Source: 13 / ccEvtMgr
Event Description:
ccEvtMgr: Settings server is not installed.

Event Record #/Type1138 / Error
Event Submitted/Written: 05/25/2008 07:14:27 PM
Event ID/Source: 1024 / MsiInstaller
Event Description:
Product: Microsoft Office XP Small Business - Update '{DA256408-A2E7-41A5-8AD6-62ACB86A0FD7}' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4282 / Error
Event Submitted/Written: 05/28/2008 11:28:01 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
SAVRT
SAVRTPEL

Event Record #/Type4281 / Error
Event Submitted/Written: 05/28/2008 11:27:57 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Upload Manager service failed to start due to the following error:
%%1079

Event Record #/Type4280 / Error
Event Submitted/Written: 05/28/2008 11:27:57 AM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Symantec Settings Manager service terminated with service-specific error 4294967295 (0xFFFFFFFF).

Event Record #/Type4271 / Warning
Event Submitted/Written: 05/28/2008 11:02:53 AM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 M Network Connection: Adapter Link Down

Event Record #/Type4267 / Warning
Event Submitted/Written: 05/28/2008 11:01:38 AM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 M Network Connection: Adapter Link Down



-- End of Deckard's System Scanner: finished at 2008-05-28 11:40:24 ------------

Thank You..............
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP