Desktop hijack AND computer ceasing to function



#1 jeti (New Member, 9 posts)
So. About a month or two ago, I was on break from school and was playing around with my darling desktop computer which I haven't really used since getting a laptop (the laptop is about three years old; my desktop, five). After noticing how woefully out-of-date I was (Netscape? Mozilla? Firefox 1.6? Whut?) I opened up ol' IE6 and went on a quest for WinXP Service Pack 2. (I was unsuccessful, validation issues.)

After giving up I just putzed around the internet looking for reference pictures of cat skulls or something (art student) and I ended up with some nasty malware that hijacked my desktop and turned it into a giant link for some sort of questionable "anti-spyware" product. From glancing at a few previous threads, this appears to be a somewhat common problem.

Unfortunately, my situation has... escalated, to put it lightly. The first thing I do whenever I get some malware is disconnect from the internet, so I unplugged my wireless. I attempted a few scans (which weren't terribly helpful since all the program files were a couple years out of date) and scrutinized some questionable entries in my system32. But all the problems were still there--whenever I tried to change the desktop, on the next reboot it would revert. My task manager remained inaccessible (ctrl+alt+delete useless). Safe mode barely helped.

As of today, I've just tried again (I couldn't since the initial infection because I was away at school) and things are looking less and less hopeful. Because I couldn't connect to the internet in safemode (I was trying to see if I could get WinXP SP1a) I held my breath, and tried to connect to the internet in normal mode. My computer was unable to locate any browsers (I had to go find Mozilla.exe for it) and even then, it could not connect. Meanwhile, Norton Antivirus was warning me about some Bloodhound Virus it had detected but couldn't access (gee, thanks), and my computer could barely open up folders before it froze.

When I rebooted again in safemode, I no longer had a start menu or a desktop. The first thing that loaded was something that looked like the command prompt (different file path, though... can't remember because it disappeared pretty quick) and thankfully, My Computer... so I was at least able to run HijackThis. However, in safemode it no longer even recognized my flashdrive (only way I can get the logfile without the internet), informing me that services encountered an error or something. So, I was forced to reboot normal again.

In normal reboot, I appear to have gained another user account--nimda. (Admin backwards, complete with the admin user picture). When I login (I decided not to click on nimda, and instead opted for my normal account) I face the same problems as safemode--with the command prompt and My Computer folder loading, and a complete lack of desktop icons or start menu. (Also, within seconds the Zapotec background turned into that stupid ad again).

My computer has become... pretty much unusable. Is there anything at all I can do? Watching my computer behave like this feels like watching someone strangling a puppy.

Here's the HijackThis log that took me, like, 4 reboots to get:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:40 PM, on 6/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Administrator.DDHM0V31\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://livesecuritycenter.com/?aid=444
F2 - REG:system.ini: Shell=C:\WINDOWS\system32\drivers\services.exe Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe,C:\WINDOWS\System32\wsnpoema.exe,
O2 - BHO: BhoApp Class - {0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} - C:\Program Files\syscmd\mscmp32.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: (no name) - {AA62ED19-278C-5E77-AE3D-0EA2EDE91FC2} - C:\WINDOWS\System32\wijh.dll
O2 - BHO: C:\WINDOWS\System32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\System32\jfiehayd.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe"
O4 - HKLM\..\Run: [ktehijcv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ktehijcv.dll"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\jeti\cftmon.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\System32\alt.exe.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\jeti\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\wind32.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Administrator.DDHM0V31\svchost.exe
O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\System32\service.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Administrator.DDHM0V31\cftmon.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Administrator.DDHM0V31\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [xDF12SVEBo] C:\Documents and Settings\All Users\Application Data\zexcxahy\pafsbglg.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: userinit.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\jeti\My Documents\aim\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207423612044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207423600263
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol hijack: mhtml -
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Extensions (RpcxSs) - Unknown owner - C:\WINDOWS\system32\rpcxss.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9579 bytes


Also, two quick questions:

1) Is safemode supposed to make my keyboard... not work?

2) Where can I find my computer's certificate of authenticity? Evidently the family computer (that I'm currently using) needs WinXP SP2 re-installed, and I don't know where to find the verification code it wants.

Edited by jeti, 13 June 2008 - 12:40 PM.

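The log above shows the persistence pattern the later replies clean up: the Winlogon Shell= and UserInit= values (F2 lines) chained to a services.exe living under system32\drivers, Run keys launching svchost.exe and userinit.exe from profile folders and Temp, and a service whose image path is an NTFS alternate data stream. The script below is an added example, not a tool used in this thread: it applies those triage rules to HijackThis F2, O4 and O23 lines, with sample lines copied from the first log and rule thresholds that are my assumptions rather than HijackThis' own logic.

```python
import re
from dataclasses import dataclass

# Directories where Windows XP keeps the core binaries named in SPOOFABLE.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Core binary names that the log above shows running from other locations.
SPOOFABLE = {"services.exe", "svchost.exe", "winlogon.exe", "userinit.exe", "lsass.exe", "csrss.exe"}
# Path fragments that mean "user-writable" on XP; an autostart should rarely point there.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag: F2, O4 or O23
    reason: str
    line: str


def _paths(cmd: str) -> list:
    """Return path-like tokens; an unquoted bare path containing spaces is kept whole."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd)  # drop HijackThis' "(User 'SYSTEM')" suffix
    if re.match(r'^[A-Za-z]:\\[^"]*\.(exe|dll|bat|com)$', cmd, re.IGNORECASE):
        return [cmd]
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _split_path(path: str):
    """Return (directory with trailing backslash, basename), both lower-cased."""
    d, _, b = path.lower().rpartition("\\")
    return (d + "\\" if d else ""), b


def _check_path(section: str, line: str, path: str, findings: list) -> None:
    d, b = _split_path(path)
    if b in SPOOFABLE and d not in SYSTEM_DIRS:
        findings.append(Finding(section, f"system binary name '{b}' outside Windows directories", line))
    if any(w in d for w in USER_WRITABLE):
        findings.append(Finding(section, "autostart points into a user-writable location", line))
    if re.search(r"\.(exe|dll)\.(exe|dll)$", b):
        findings.append(Finding(section, f"double extension in '{b}'", line))


def check_f2(line: str, findings: list) -> None:
    """F2 lines carry the Winlogon Shell and UserInit values; each has one legitimate form."""
    m = re.match(r"F2 - REG:system\.ini: (\w+)=(.*)", line)
    if not m:
        return
    key, value = m.group(1), m.group(2)
    if key == "Shell" and value.strip().lower() != "explorer.exe":
        findings.append(Finding("F2", "Shell value is not Explorer.exe alone", line))
    elif key == "UserInit":
        entries = [e.strip() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e.lower() != "c:\\windows\\system32\\userinit.exe"]
        if extra:
            findings.append(Finding("F2", "UserInit chains extra executables: " + ", ".join(extra), line))


def check_o4(line: str, findings: list) -> None:
    """O4 lines are Run keys ("[name] command") and Startup-folder items ("item.lnk = target")."""
    m = re.match(r"O4 - (.+?): (.*)", line)
    if not m:
        return
    rest = m.group(2)
    named = re.match(r"\[(.*?)\] (.*)", rest)
    paths = _paths(named.group(2)) if named else [rest.split(" = ", 1)[-1]]
    for p in paths:
        _check_path("O4", line, p, findings)


def check_o23(line: str, findings: list) -> None:
    """O23 lines are services: 'name - owner - image path'."""
    m = re.match(r"O23 - Service: (.+?) - (.+?) - (.*)", line)
    if not m:
        return
    owner, path = m.group(2), m.group(3).replace(" (file missing)", "")
    if ":" in path[2:]:  # a colon after the drive letter means an NTFS alternate data stream
        findings.append(Finding("O23", "service image path uses an NTFS alternate data stream", line))
    if owner == "Unknown owner":
        _check_path("O23", line, path, findings)


CHECKS = {"F2": check_f2, "O4": check_o4, "O23": check_o23}


def audit(log_text: str) -> list:
    """Run the section-specific checks over every line of a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        check = CHECKS.get(line.split(" ", 1)[0])
        if check:
            check(line, findings)
    return findings


# Sample lines copied from the first log in this thread (a constructed subset).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=C:\WINDOWS\system32\drivers\services.exe Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe,C:\WINDOWS\System32\wsnpoema.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\System32\alt.exe.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\jeti\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Administrator.DDHM0V31\svchost.exe
O4 - Startup: userinit.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
```

Calling audit(SAMPLE_LOG) returns nine findings covering both Winlogon hooks, the double extension, the two profile-folder autostarts, the Startup-folder userinit.exe, the ADS service path and the drivers\services.exe service; the genuine ccApp and NVIDIA lines produce none.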



#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello jeti

Welcome to G2Go. :)
=====================
Please run the MGA Diagnostic Tool and post back the report it shall produce:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


#3 jeti (Topic Starter, New Member, 9 posts)
Thank you for the prompt reply, and sorry that I could not do the same; I had some stuff to take care of.

I did as you requested, here is what the diagnostic returned:

=====

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 55277-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {1763A25B-9D60-4028-A468-5AAAB8CABA5E}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.59.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_16E0B333-156-80004005_E2AD56EA-338-8009_E2AD56EA-339-2ee7_16E0B333-89-80004005_78155E4D-373-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Standard Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1_E2AD56EA-338-8009_E2AD56EA-339-2ee7_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.dat[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.sig[hr = 0x80070714]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{1763A25B-9D60-4028-A468-5AAAB8CABA5E}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>55277-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-2489331937-3544296680-1633050623</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 8300 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A03</Version><SMBIOSVersion major="2" minor="3"/><Date>20030919******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>A1033C6F01848053</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Computer Corporation</name><model>Dell DIMENSION 8300</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>6AC43713DE5D064</Val><Hash>7d6NGQDr8ZZ6DNeyryT38Gu+gLs=</Hash><Pid>70141-050-5349043-56653</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

=====

This time when I logged in, three of those command prompts I mentioned earlier popped up. I think they were called "netsh.exe" and located in my system32 (but I'm not certain because I have a very poor short-term memory and I somehow managed to almost completely forget while going down the flight of stairs separating this computer from mine). They're really worrying me, especially since I still fail to have a desktop or a start menu.

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
See if you can do the following:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


#5 jeti (Topic Starter, New Member, 9 posts)
I tried to do as you said, but when my computer restarted the FixTool did not run again...? My desktop background has changed to the default WinXP field, though. When it restarted, should I have put it into safemode again, or normal (as I let it)? Should I run SDFix again? Is it ok that SDFix did not extract itself to the desktop, but to C:\ instead?

#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
It extracts to a folder called C:\Sdfix.
Inside it will have a file called runthis.bat; double click on it and follow the prompts.
Post that log and a new Hijackthis log.

#7 jeti (Topic Starter, New Member, 9 posts)
Er... perhaps I didn't word my response properly, sorry. I installed SDFix, restarted in Safe Mode, and followed the instructions (then waited about 20 minutes or so as the program ran). When it was done, I pressed any key to reboot as indicated. However, when the computer started up again, the FixTool did not run again as you said it would, so it never showed that it was finished, nor did my desktop icons ever load. What I mean to ask is, is that too much of a problem?

The C:\SDFix folder is now filled with various files, so I know that it did something. One of them is labeled report; I can only assume that this might be what you want me to post?

=====

SDFix: Version 1.193
Run by jeti on Sun 06/15/2008 at 11:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
ICF
narqwe
service.sys

Path :
C:\WINDOWS\System32\svchost.exe:exe.exe
\??\C:\WINDOWS\system32\narqwe.sys
\??\C:\WINDOWS\System32\service.sys

ICF - Deleted
narqwe - Deleted
service.sys - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

=====

If I'm meant to post something other than that, please tell me; I'm just a little unsure about whether or not SDFix actually finished properly.

I did, however, run a new scan on HijackThis:

=====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:30 PM, on 6/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\jeti\Desktop\NOW\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=C:\WINDOWS\system32\drivers\services.exe Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.co...ntl/xx-hacker/"); (C:\Documents and Settings\JETI\Application Data\Mozilla\Profiles\default\as2mxmwy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JETI\Application Data\Mozilla\Profiles\default\as2mxmwy.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe"
O4 - HKLM\..\Run: [ktehijcv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ktehijcv.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\STEM32~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [Hjcpizq] C:\WINDOWS\SYSTEM32\?racle\wucrtupd.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\jeti\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [yygivpqv] C:\WINDOWS\system32\vudodghk.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: userinit.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\jeti\My Documents\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207423612044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207423600263
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol hijack: mhtml -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Extensions (RpcxSs) - Unknown owner - C:\WINDOWS\system32\rpcxss.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9481 bytes

=====

Thank you.

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
No problem, you have a badly infected machine.
It did actually run; it's just that it didn't complete.
So on to the next step.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

#9 jeti (Topic Starter, New Member, 9 posts)
For some reason, the second I installed ComboFix, the SDFix finishing window finally popped up. I'm baffled, but pleased. Here is the report it eventually spat out at me:

=====

SDFix: Version 1.193
Run by jeti on Sun 06/15/2008 at 11:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
ICF
narqwe
service.sys

Path :
C:\WINDOWS\System32\svchost.exe:exe.exe
\??\C:\WINDOWS\system32\narqwe.sys
\??\C:\WINDOWS\System32\service.sys

ICF - Deleted
narqwe - Deleted
service.sys - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting

Service Vqki45 - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\jfiehayd.dll - Deleted
C:\~GLHTTP1.TMP - Deleted
C:\188167~1 - Deleted
C:\Documents and Settings\Administrator.DDHM0V31\cftmon.exe - Deleted
C:\Documents and Settings\jeti\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\WINDOWS\uprjiefj\1.png - Deleted
C:\WINDOWS\uprjiefj\2.png - Deleted
C:\WINDOWS\uprjiefj\3.png - Deleted
C:\WINDOWS\uprjiefj\4.png - Deleted
C:\WINDOWS\uprjiefj\5.png - Deleted
C:\WINDOWS\uprjiefj\6.png - Deleted
C:\WINDOWS\uprjiefj\7.png - Deleted
C:\WINDOWS\uprjiefj\8.png - Deleted
C:\WINDOWS\uprjiefj\9.png - Deleted
C:\WINDOWS\uprjiefj\bottom-rc.gif - Deleted
C:\WINDOWS\uprjiefj\config.png - Deleted
C:\WINDOWS\uprjiefj\content.png - Deleted
C:\WINDOWS\uprjiefj\download.gif - Deleted
C:\WINDOWS\uprjiefj\frame-bg.gif - Deleted
C:\WINDOWS\uprjiefj\frame-bottom-left.gif - Deleted
C:\WINDOWS\uprjiefj\frame-h1bg.gif - Deleted
C:\WINDOWS\uprjiefj\head.png - Deleted
C:\WINDOWS\uprjiefj\icon.png - Deleted
C:\WINDOWS\uprjiefj\indexwp.html - Deleted
C:\WINDOWS\uprjiefj\main.css - Deleted
C:\WINDOWS\uprjiefj\memory-prots.png - Deleted
C:\WINDOWS\uprjiefj\net.png - Deleted
C:\WINDOWS\uprjiefj\pc.gif - Deleted
C:\WINDOWS\uprjiefj\pc-mag.gif - Deleted
C:\WINDOWS\uprjiefj\poloska1.png - Deleted
C:\WINDOWS\uprjiefj\poloska2.png - Deleted
C:\WINDOWS\uprjiefj\poloska3.png - Deleted
C:\WINDOWS\uprjiefj\promowp1.html - Deleted
C:\WINDOWS\uprjiefj\promowp2.html - Deleted
C:\WINDOWS\uprjiefj\promowp3.html - Deleted
C:\WINDOWS\uprjiefj\promowp4.html - Deleted
C:\WINDOWS\uprjiefj\promowp5.html - Deleted
C:\WINDOWS\uprjiefj\reg.png - Deleted
C:\WINDOWS\uprjiefj\repair.png - Deleted
C:\WINDOWS\uprjiefj\scr-1.png - Deleted
C:\WINDOWS\uprjiefj\scr-2.png - Deleted
C:\WINDOWS\uprjiefj\start.png - Deleted
C:\WINDOWS\uprjiefj\styles.css - Deleted
C:\WINDOWS\uprjiefj\top-rc.gif - Deleted
C:\WINDOWS\uprjiefj\vline.gif - Deleted
C:\WINDOWS\uprjiefj\wp.png - Deleted
C:\Documents and Settings\jeti\Local Settings\Temp\1.dllb - Deleted
C:\Documents and Settings\jeti\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\jeti\Local Settings\Temp\5.dllb - Deleted
C:\Documents and Settings\jeti\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\jeti\Local Settings\Temp\7.dllb - Deleted
C:\WINDOWS\FLEOK\180ax.exe - Deleted
C:\WINDOWS\PerfInfo\xDF12SVEBowp.exe - Deleted
C:\Program Files\180searchassistant\saap.exe - Deleted
C:\Program Files\180searchassistant\sac.exe - Deleted
C:\Program Files\180search assistant\180sa.exe - Deleted
C:\Program Files\180search assistant\sau.exe - Deleted
C:\Program Files\180solutions\sais.exe - Deleted
C:\Program Files\seekmo\seekmohook.dll - Deleted
C:\Program Files\Sysmnt\Ssmgr.exe - Deleted
C:\Program Files\zango\zango.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\d.exe - Deleted
C:\WINDOWS\system32\O.BAT - Deleted
C:\WINDOWS\system32\dllgh8jkd1q1.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q2.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q5.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q6.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q7.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q8.exe - Deleted
C:\Program Files\stc\csv5p070.exe - Deleted
C:\Documents and Settings\jeti\svchost.exe - Deleted
C:\DOCUME~1\jeti\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\DOCUME~1\jeti\LOCALS~1\Temp\printsrv32.exe - Deleted
C:\DOCUME~1\jeti\LOCALS~1\Temp\win32.exe - Deleted
C:\DOCUME~1\jeti\LOCALS~1\Temp\winlogan.exe - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\180ax.exe - Deleted
C:\WINDOWS\2020search.dll - Deleted
C:\WINDOWS\2020search2.dll - Deleted
C:\WINDOWS\apphelp32.dll - Deleted
C:\WINDOWS\asferror32.dll - Deleted
C:\WINDOWS\asycfilt32.dll - Deleted
C:\WINDOWS\athprxy32.dll - Deleted
C:\WINDOWS\ati2dvaa32.dll - Deleted
C:\WINDOWS\ati2dvag32.dll - Deleted
C:\WINDOWS\audiosrv32.dll - Deleted
C:\WINDOWS\autodisc32.dll - Deleted
C:\WINDOWS\avifile32.dll - Deleted
C:\WINDOWS\avisynthex32.dll - Deleted
C:\WINDOWS\aviwrap32.dll - Deleted
C:\WINDOWS\bjam.dll - Deleted
C:\WINDOWS\bokja.exe - Deleted
C:\WINDOWS\browserad.dll - Deleted
C:\WINDOWS\cdsm32.dll - Deleted
C:\WINDOWS\changeurl_30.dll - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\Installer\id53.exe - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\msa64chk.dll - Deleted
C:\WINDOWS\msapasrc.dll - Deleted
C:\WINDOWS\mspphe.dll - Deleted
C:\WINDOWS\mssvr.exe - Deleted
C:\WINDOWS\ntnut.exe - Deleted
C:\WINDOWS\saiemod.dll - Deleted
C:\WINDOWS\salm.exe - Deleted
C:\WINDOWS\shdocpe.dll - Deleted
C:\WINDOWS\shdocpl.dll - Deleted
C:\WINDOWS\stcloader.exe - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\MSIXU.DLL - Deleted
C:\WINDOWS\system32\MSNSA32.dll - Deleted
C:\WINDOWS\system32\ntnut32.exe - Deleted
C:\WINDOWS\system32\oins.exe - Deleted
C:\WINDOWS\system32\service.exe - Deleted
C:\WINDOWS\system32\shdocpe.dll - Deleted
C:\WINDOWS\system32\SIPSPI32.dll - Deleted
C:\WINDOWS\system32\WER8274.DLL - Deleted
C:\WINDOWS\system32\wind32.exe - Deleted
C:\WINDOWS\system32\wmsdkns.exe - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\Temp\SALM.EXE - Deleted
C:\WINDOWS\textos.txt - Deleted
C:\WINDOWS\updatetc.exe - Deleted
C:\WINDOWS\voiceip.dll - Deleted
C:\WINDOWS\winsb.dll - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\system32\narqwe.sys - Deleted
C:\WINDOWS\system32\service.sys - Deleted
C:\WINDOWS\system32\wsnpoema.exe - Deleted
C:\WINDOWS\system32\wsnpoema\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoema\video.dll - Deleted
C:\WINDOWS\system32\drivers\Vqki45.sys - Deleted
C:\WINDOWS\SYSTEM32\wsnpoema\video.dll - Deleted
C:\WINDOWS\SYSTEM32\wsnpoema\audio.dll - Deleted



Folder C:\Program Files\180searchassistant - Removed
Folder C:\Program Files\180search assistant - Removed
Folder C:\Program Files\180solutions - Removed
Folder C:\Program Files\seekmo - Removed
Folder C:\Program Files\stc - Removed
Folder C:\Program Files\Sysmnt - Removed
Folder C:\Program Files\zango - Removed
Folder C:\WINDOWS\FLEOK - Removed
Folder C:\WINDOWS\PerfInfo - Removed
Folder C:\WINDOWS\system32\wsnpoema - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 16:35:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions]
"_%d%[%^%V%h%"=".."
"\x2019%\xa6\3\20%\xb4\3]%\xab?"="Kellin Kim"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 9 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Sat 9 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Sat 9 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sat 9 Aug 2003 233,553 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Wed 25 May 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 5 Apr 2008 89,088 ..SHR --- "C:\WINDOWS\SYSTEM32\??stem32\chkntfs.exe"
Thu 29 May 2008 230,400 ..SHR --- "C:\WINDOWS\SYSTEM32\?racle\wucrtupd.exe"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 20 Jan 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 20 Jan 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Sat 9 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!

=====

Next, I ran ComboFix as advised:

=====

ComboFix 08-06-15.4 - jeti 2008-06-16 18:12:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.275 [GMT -4:00]
Running from: C:\Documents and Settings\jeti\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator.DDHM0V31\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\Administrator.DDHM0V31\svchost.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover
C:\Documents and Settings\jeti\Application Data\sp1
C:\Documents and Settings\jeti\My Documents\FNTS~1
C:\Documents and Settings\jeti\Start Menu\Programs\Outerinfo
C:\Documents and Settings\jeti\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\jeti\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\jeti\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\LocalService\svchost.exe
C:\Program Files\AntiVirusPro
C:\Program Files\AntiVirusPro\AntiVirusPro.exe
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.local
C:\Program Files\AntiVirusPro\Core.dll
C:\Program Files\AntiVirusPro\database.pkg
C:\Program Files\AntiVirusPro\Localization.dll
C:\Program Files\AntiVirusPro\msvcp71.dll
C:\Program Files\AntiVirusPro\msvcr71.dll
C:\Program Files\AntiVirusPro\Uninstall.exe
C:\Program Files\AntiVirusPro\WndSystem.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\syscmd
C:\Program Files\syscmd\mscmp.inf
C:\Program Files\syscmd\mscmp32.dll
C:\Program Files\syscmd\uninstall.bat
C:\WINDOWS\Downloaded Program Files\ygw1.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\ho.ln
C:\WINDOWS\system32\ko.o
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\ntpl.bin
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\racle~1\wucrtupd.exe
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\stem32~1\??stem32\
C:\WINDOWS\system32\stem32~1\chkntfs.exe
C:\WINDOWS\system32\wijh.dll

----- BITS: Possible infected sites -----

hxxp://updatecube.com
.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-16 16:23 . 2008-06-16 16:18 1,262,900 --a------ C:\ComboFix.exe
2008-06-15 23:28 . 2008-06-15 23:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-15 23:24 . 2008-06-16 16:31 190 --a------ C:\WINDOWS\SYSTEM32\1.vbs
2008-06-15 23:22 . 2008-06-16 16:40 <DIR> d-------- C:\SDFix
2008-06-15 22:45 . 2008-06-15 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-13 13:46 . 2008-06-13 13:22 12,800 --a------ C:\userinit.exe
2008-06-13 13:28 . 2008-06-13 13:28 93,696 --a------ C:\kdfgjoro.exe
2008-06-13 13:28 . 2008-06-13 13:28 14,848 --a------ C:\kvbktit.exe
2008-06-13 13:26 . 2008-06-13 13:26 41,984 --a------ C:\WINDOWS\SYSTEM32\YGWUninstaller.exe
2008-06-13 13:25 . 2008-06-13 13:25 7,680 --a------ C:\voxmajpw.exe
2008-06-13 13:24 . 2008-06-13 13:24 69,120 --a------ C:\uvjnee.exe
2008-06-13 13:23 . 2008-06-13 13:22 561,152 --a------ C:\WINDOWS\SYSTEM32\vdzgpxeuu
2008-06-13 13:22 . 2008-06-13 13:22 93,696 --a------ C:\vlwy.exe
2008-06-13 13:22 . 2008-06-13 13:22 69,120 --a------ C:\nihml.exe
2008-06-13 13:22 . 2008-06-13 13:22 35,840 --a------ C:\d1.exe
2008-06-13 13:22 . 2008-06-13 13:22 14,848 --a------ C:\stfjhqpx.exe
2008-06-13 13:22 . 2008-06-13 13:22 7,680 --a------ C:\raati.exe
2008-06-13 13:09 . 2008-06-13 13:09 <DIR> d-------- C:\Documents and Settings\Administrator.DDHM0V31\Application Data\Talkback
2008-06-13 12:24 . 2008-06-13 12:24 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 17:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-13 17:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 22:27 12,800 ----a-w C:\GX3L.exe
2008-04-05 22:15 67,584 ----a-w C:\Documents and Settings\All Users\Application Data\ktehijcv.dll
2003-12-28 16:26 62,000 ----a-w C:\Documents and Settings\jeti\Application Data\GDIPFONTCACHEV1.DAT
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@[email protected]
2003-11-25 13:00 32 --sha-w C:\WINDOWS\{60740A8D-A2CA-4DEA-A366-9178FBB715C1}.dat
2003-11-25 13:00 32 --sha-w C:\WINDOWS\SYSTEM32\{B2EE84CB-C981-477A-8648-9450CA3C6F92}.dat
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:09:30 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
528,896 2002-11-01 22:26:46 C:\WINDOWS\$NtUninstallKB824141$\user32.dll
560,128 2002-08-29 11:00:00 C:\WINDOWS\$NtUninstallKB826939$\user32.dll
560,128 2003-09-25 16:49:02 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2004-08-04 07:56:46 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\user32.dll
561,152 2005-03-02 18:20:03 C:\WINDOWS\SoftwareDistribution\Download\58bffe479c581eda56fcf7412cce5cc0\sp1qfe\user32.dll
561,152 2008-06-13 17:22:29 C:\WINDOWS\SYSTEM32\user32.DLL
561,152 2008-06-13 17:22:29 C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll


------- Sigcheck -------

2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2002-11-01 18:26 528896 68e1f4ef02df52ca9c5e157045d23582 C:\WINDOWS\$NtUninstallKB824141$\user32.dll
2002-08-29 07:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\$NtUninstallKB826939$\user32.dll
2003-09-25 12:49 560128 32173306185f603e75c477e117f3bb8d C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\user32.dll
2005-03-02 14:20 561152 74202eb1bd67e8be9509e38c8d2234b0 C:\WINDOWS\SoftwareDistribution\Download\58bffe479c581eda56fcf7412cce5cc0\sp1qfe\user32.dll
2008-06-13 13:22 561152 359754dcf06b38c1e7489fe3b538da3e C:\WINDOWS\SYSTEM32\user32.DLL
2008-06-13 13:22 561152 359754dcf06b38c1e7489fe3b538da3e C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 13:00 200767]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51 306688]
"Hjcpizq"="C:\WINDOWS\SYSTEM32\?racle\wucrtupd.exe" [ ]
"yygivpqv"="C:\WINDOWS\system32\vudodghk.exe" [ ]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-04-24 18:58 4616192]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 07:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 03:01 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 12:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47 204800]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 03:00 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-11-25 09:00 151597]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 13:24 131072]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 20:46 270336]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44 32881]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-04-20 13:24 53248]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll" [ ]
"LWBMOUSE"="C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE" [2001-11-09 02:47 356352]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-29 22:07 98304]
"iTunesHelper"="C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe" [2005-06-24 15:16 278528]
"gcasServ"="C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe" [2005-07-12 15:35 473928]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"winlogon"="C:\Documents and Settings\LocalService\svchost.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2003-11-25 08:58:14 36953]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-08-22 13:29:15 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

R2 mple6docserver;Maya 6 PLE Documentation Server;"C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe" -s "C:\Documents and Settings\jeti\My Documents\spyware\docs\Wrapper.conf" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 RpcxSs;Remote Procedure Call (RPC) Extensions;C:\WINDOWS\system32\rpcxss -k rpcxss []
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;C:\WINDOWS\System32\DRIVERS\DELUSB_51.sys [2002-08-09 02:46]

.
Contents of the 'Scheduled Tasks' folder
"2004-01-20 21:48:04 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-06-16 22:25:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 18:16:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcxSs]
"ImagePath"="%SystemRoot%\system32\rpcxss -k rpcxss"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\jre\bin\java.exe
C:\WINDOWS\SYSTEM32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jeti\My Documents\spyware\gcasDtServ.exe
C:\Program Files\Bat\X_Bat.exe
C:\WINDOWS\SYSTEM32\CSCRIPT.EXE
.
**************************************************************************
.
Completion time: 2008-06-16 18:27:21 - machine was rebooted [jeti]
ComboFix-quarantined-files.txt 2008-06-16 22:27:03

Pre-Run: 97,369,509,888 bytes free
Post-Run: 97,512,017,920 bytes free

212

=====

After ComboFix rebooted, I finally have a start menu and desktop again! Though Norton Antivirus was pretty intent on not letting ComboFix finish up, what a pain. Finally, I ran another HijackThis:

=====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:22 PM, on 6/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jeti\My Documents\spyware\gcasDtServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\;Program Files\Bat\X_Bat.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\jeti\Desktop\NOW\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.co...ntl/xx-hacker/"); (C:\Documents and Settings\JETI\Application Data\Mozilla\Profiles\default\as2mxmwy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JETI\Application Data\Mozilla\Profiles\default\as2mxmwy.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Hjcpizq] C:\WINDOWS\SYSTEM32\?racle\wucrtupd.exe
O4 - HKCU\..\Run: [yygivpqv] C:\WINDOWS\system32\vudodghk.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\jeti\My Documents\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207423612044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207423600263
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol hijack: mhtml -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Extensions (RpcxSs) - Unknown owner - C:\WINDOWS\system32\rpcxss.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10087 bytes

=====

I think things are finally looking up, thank you. :3

Edited by jeti, 16 June 2008 - 04:40 PM.
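
The SDFix, ComboFix and HijackThis logs in the post above are full of files that borrow the names of Windows system binaries but sit in the wrong place (`drivers\services.exe`, `LocalService\svchost.exe`, a `userinit.exe` in the Startup folder), near-miss names (`cftmon.exe`, `winlogan.exe`, `Csrssc.exe`, `spools.exe`), an alternate data stream hanging off `svchost.exe` (`svchost.exe:exe.exe`), and folders whose names the tools could only render with `?` (`?racle`, `??stem32`). The following is an added example, not code from the thread or from SDFix, ComboFix or HijackThis: a small Python triage script that applies those four checks to a list of paths. The sample paths are copied from the posted logs; the expected-location table, the edit-distance threshold and the treatment of `?` as evidence of an unrenderable character (NTFS does not allow it in a file name) are this example's own assumptions.

```python
"""Triage autostart / process paths pulled from HijackThis-style logs.

Added example for this thread, not part of SDFix, ComboFix or HijackThis.
Rules (assumptions of this example):
  1. '?' or a non-printable / non-ASCII character in the path: a name the
     logging tool could not render, typically a look-alike folder.
  2. ':' inside the file name: an NTFS alternate data stream.
  3. A well-known Windows binary name outside its expected directory.
  4. A name one edit away from a well-known binary (typo-squatting).
"""
import ntpath
from typing import Dict, List

# Where these binaries live on a default Windows XP install (assumption).
EXPECTED_DIR: Dict[str, str] = {
    name: r"c:\windows\system32"
    for name in (
        "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
        "svchost.exe", "userinit.exe", "ctfmon.exe", "spoolsv.exe", "chkntfs.exe",
    )
}

# Constructed sample: paths copied from the SDFix / ComboFix / HijackThis logs
# above, plus three legitimate entries as controls.
SAMPLE_ENTRIES: List[str] = [
    r"C:\WINDOWS\System32\svchost.exe:exe.exe",
    r"C:\WINDOWS\system32\drivers\services.exe",
    r"C:\WINDOWS\system32\drivers\spools.exe",
    r"C:\Documents and Settings\LocalService\svchost.exe",
    r"C:\Documents and Settings\jeti\cftmon.exe",
    r"C:\DOCUME~1\jeti\LOCALS~1\Temp\winlogan.exe",
    r"C:\DOCUME~1\jeti\LOCALS~1\Temp\Csrssc.exe",
    r"C:\Documents and Settings\jeti\Start Menu\Programs\Startup\userinit.exe",
    r"C:\WINDOWS\SYSTEM32\?racle\wucrtupd.exe",
    r"C:\WINDOWS\SYSTEM32\??stem32\chkntfs.exe",
    r"C:\WINDOWS\system32\services.exe",       # legitimate
    r"C:\WINDOWS\System32\svchost.exe",        # legitimate
    r"C:\Program Files\Messenger\msmsgs.exe",  # legitimate
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus an adjacent
    transposition counted as one edit, so 'cftmon' is 1 away from 'ctfmon'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(path: str) -> List[str]:
    """Return the reasons a path looks suspicious (empty list if none)."""
    reasons: List[str] = []
    if any(c == "?" or not 32 <= ord(c) <= 126 for c in path):
        reasons.append("unrenderable-char")
    base = ntpath.basename(path)          # drive letter is not part of basename
    if ":" in base:
        base, stream = base.split(":", 1)
        reasons.append(f"ads:{stream}")
    name = base.lower()
    directory = ntpath.dirname(path).lower()
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            reasons.append(f"wrong-dir:{EXPECTED_DIR[name]}")
    else:
        for known in EXPECTED_DIR:
            if osa_distance(name, known) == 1:
                reasons.append(f"near-miss:{known}")
    return reasons


def triage_all(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean paths are omitted."""
    flagged: Dict[str, List[str]] = {}
    for p in paths:
        reasons = triage(p)
        if reasons:
            flagged[p] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_ENTRIES).items():
        print(f"{path}\n    {', '.join(reasons)}")
```

Run against the sample, ten of the thirteen entries are flagged and the three legitimate controls pass clean. The `??stem32\chkntfs.exe` entry trips two rules at once (unrenderable folder name and a real system binary outside `system32`), which is the pattern SDFix listed under "Files with Hidden Attributes" and ComboFix later deleted as `stem32~1`.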

  • 0

#10
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
You are welcome. One thing for now: one of your system files is infected.

C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:09:30 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
528,896 2002-11-01 22:26:46 C:\WINDOWS\$NtUninstallKB824141$\user32.dll
560,128 2002-08-29 11:00:00 C:\WINDOWS\$NtUninstallKB826939$\user32.dll
560,128 2003-09-25 16:49:02 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2004-08-04 07:56:46 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\user32.dll
561,152 2005-03-02 18:20:03 C:\WINDOWS\SoftwareDistribution\Download\58bffe479c581eda56fcf7412cce5cc0\sp1qfe\user32.dll
561,152 2008-06-13 17:22:29 C:\WINDOWS\SYSTEM32\user32.DLL
561,152 2008-06-13 17:22:29 C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll


To fix this, please follow the next instructions.
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
===========================================================
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files, choose Yes; when done, a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.
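The listing in the post above is the evidence to read, and the tell is in its last two lines: the in-use user32.dll and its Windows File Protection copy under dllcache carry the same size and the same timestamp, 2008-06-13 17:22, which in this machine's GMT -4 zone is the 13:22 local time at which the dropped executables in the later ComboFix log were created. WFP restores system32 from dllcache, so malware that rewrites both copies is not undone by it. The same-sized copy under SoftwareDistribution\...\sp1qfe is the only size-matched reference left on the box, and since in-place patching preserves size (ComboFix later reports the file "hex repaired"), a size match proves nothing either way; only a hash comparison settles it. The Python below is an added example, not part of this thread and not ComboFix code: it parses the listing above (embedded here as constructed input so it runs offline) and applies those three checks. The sha256_of helper is there for use on a live system and is not exercised by the offline run.

```python
import hashlib
import re
from typing import Dict, List, NamedTuple

# Listing copied from the post above (size, mtime, path), embedded as constructed input so the
# example runs offline; on a real machine you would generate it from the file system.
USER32_LISTING = r"""
577,024 2005-03-02 18:09:30 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
528,896 2002-11-01 22:26:46 C:\WINDOWS\$NtUninstallKB824141$\user32.dll
560,128 2002-08-29 11:00:00 C:\WINDOWS\$NtUninstallKB826939$\user32.dll
560,128 2003-09-25 16:49:02 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2004-08-04 07:56:46 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\user32.dll
561,152 2005-03-02 18:20:03 C:\WINDOWS\SoftwareDistribution\Download\58bffe479c581eda56fcf7412cce5cc0\sp1qfe\user32.dll
561,152 2008-06-13 17:22:29 C:\WINDOWS\SYSTEM32\user32.DLL
561,152 2008-06-13 17:22:29 C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
"""

LINE_RE = re.compile(r"^\s*([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+?)\s*$")


class Copy(NamedTuple):
    size: int
    mtime: str   # ISO-style timestamp; plain string comparison orders it correctly
    path: str


def parse_listing(text: str) -> List[Copy]:
    """Parse 'size date time path' lines into Copy records; lines that do not match are skipped."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            copies.append(Copy(int(m.group(1).replace(",", "")), m.group(2), m.group(3)))
    return copies


def classify(copies: List[Copy], dll: str = "user32.dll") -> Dict[str, object]:
    """Separate the in-use copy and its WFP cache copy from the hotfix/uninstall backups and
    apply the three checks a responder makes before trusting either of them."""
    name = re.escape(dll)
    live = [c for c in copies if re.search(r"\\system32\\" + name + "$", c.path, re.I)]
    cache = [c for c in copies if re.search(r"\\dllcache\\" + name + "$", c.path, re.I)]
    backups = [c for c in copies if c not in live and c not in cache]
    if len(live) != 1 or len(cache) != 1:
        raise ValueError("expected exactly one live copy and one dllcache copy")
    live, cache = live[0], cache[0]
    newest_backup = max(b.mtime for b in backups) if backups else ""
    return {
        "live": live,
        # WFP restores system32 from dllcache; identical size AND timestamp on both means a
        # replacement of the live file was mirrored into the cache, so WFP will not undo it.
        "cache_mirrors_live": (live.size, live.mtime) == (cache.size, cache.mtime),
        # A system DLL newer than every hotfix backup, with no hotfix folder to account for it,
        # is not explained by Windows Update.
        "newer_than_all_backups": live.mtime > newest_backup,
        # Size-identical backups are the only candidates for a byte-level comparison or restore;
        # a size match alone proves nothing, because in-place patching keeps the size.
        "same_size_backups": [b.path for b in backups if b.size == live.size],
    }


def sha256_of(path: str) -> str:
    """Hash a real file: the decisive check on a live system (not used by the offline demo)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_user32() -> Dict[str, object]:
    return classify(parse_listing(USER32_LISTING))


if __name__ == "__main__":
    for key, value in assess_user32().items():
        print(f"{key}: {value}")
```

On the listing above all three flags come back positive: the cache mirrors the live copy, the live copy postdates every backup, and the only size-matched reference is the sp1qfe download. On a live system the next step is sha256_of on the live copy and on that candidate; if they differ, the live file has been patched in place.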

#11
jeti
    New Member
  • Topic Starter
  • Member
  • 9 posts
Mission Complete!

=====

ComboFix 08-06-15.4 - jeti 2008-06-16 19:08:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.216 [GMT -4:00]
Running from: C:\Documents and Settings\jeti\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jeti\Desktop\winxpsp1_en_hom_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-16 16:23 . 2008-06-16 16:18 1,262,900 --a------ C:\ComboFix.exe
2008-06-15 23:28 . 2008-06-15 23:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-15 23:24 . 2008-06-16 16:31 190 --a------ C:\WINDOWS\SYSTEM32\1.vbs
2008-06-15 23:22 . 2008-06-16 16:40 <DIR> d-------- C:\SDFix
2008-06-15 22:45 . 2008-06-15 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-13 13:46 . 2008-06-13 13:22 12,800 --a------ C:\userinit.exe
2008-06-13 13:28 . 2008-06-13 13:28 93,696 --a------ C:\kdfgjoro.exe
2008-06-13 13:28 . 2008-06-13 13:28 14,848 --a------ C:\kvbktit.exe
2008-06-13 13:26 . 2008-06-13 13:26 41,984 --a------ C:\WINDOWS\SYSTEM32\YGWUninstaller.exe
2008-06-13 13:25 . 2008-06-13 13:25 7,680 --a------ C:\voxmajpw.exe
2008-06-13 13:24 . 2008-06-13 13:24 69,120 --a------ C:\uvjnee.exe
2008-06-13 13:23 . 2008-06-13 13:22 561,152 --a------ C:\WINDOWS\SYSTEM32\vdzgpxeuu
2008-06-13 13:22 . 2008-06-13 13:22 93,696 --a------ C:\vlwy.exe
2008-06-13 13:22 . 2008-06-13 13:22 69,120 --a------ C:\nihml.exe
2008-06-13 13:22 . 2008-06-13 13:22 35,840 --a------ C:\d1.exe
2008-06-13 13:22 . 2008-06-13 13:22 14,848 --a------ C:\stfjhqpx.exe
2008-06-13 13:22 . 2008-06-13 13:22 7,680 --a------ C:\raati.exe
2008-06-13 13:09 . 2008-06-13 13:09 <DIR> d-------- C:\Documents and Settings\Administrator.DDHM0V31\Application Data\Talkback
2008-06-13 12:24 . 2008-06-13 12:24 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 23:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-13 17:22 561,152 ----a-w C:\WINDOWS\SYSTEM32\user32.DLL
2008-06-13 17:22 561,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-06-13 17:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 22:27 12,800 ----a-w C:\GX3L.exe
2008-04-05 22:15 67,584 ----a-w C:\Documents and Settings\All Users\Application Data\ktehijcv.dll
2003-12-28 16:26 62,000 ----a-w C:\Documents and Settings\jeti\Application Data\GDIPFONTCACHEV1.DAT
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@[email protected]
2003-11-25 13:00 32 --sha-w C:\WINDOWS\{60740A8D-A2CA-4DEA-A366-9178FBB715C1}.dat
2003-11-25 13:00 32 --sha-w C:\WINDOWS\SYSTEM32\{B2EE84CB-C981-477A-8648-9450CA3C6F92}.dat
.
Infected C:\WINDOWS\system32\user32.dll hex repaired


((((((((((((((((((((((((((((( [email protected]_18.21.56.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-16 22:15:33 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-16 23:11:40 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 13:00 200767]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51 306688]
"Hjcpizq"="C:\WINDOWS\SYSTEM32\?racle\wucrtupd.exe" [ ]
"yygivpqv"="C:\WINDOWS\system32\vudodghk.exe" [ ]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-04-24 18:58 4616192]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 07:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 03:01 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 12:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47 204800]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 03:00 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-11-25 09:00 151597]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 13:24 131072]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 20:46 270336]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44 32881]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-04-20 13:24 53248]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll" [ ]
"LWBMOUSE"="C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE" [2001-11-09 02:47 356352]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-29 22:07 98304]
"iTunesHelper"="C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe" [2005-06-24 15:16 278528]
"gcasServ"="C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe" [2005-07-12 15:35 473928]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"winlogon"="C:\Documents and Settings\LocalService\svchost.exe" [ ]

C:\Documents and Settings\jeti\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [2008-04-05 18:14:36 178419]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2003-11-25 08:58:14 36953]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-08-22 13:29:15 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

R2 mple6docserver;Maya 6 PLE Documentation Server;"C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe" -s "C:\Documents and Settings\jeti\My Documents\spyware\docs\Wrapper.conf" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 RpcxSs;Remote Procedure Call (RPC) Extensions;C:\WINDOWS\system32\rpcxss -k rpcxss []
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;C:\WINDOWS\System32\DRIVERS\DELUSB_51.sys [2002-08-09 02:46]

.
Contents of the 'Scheduled Tasks' folder
"2004-01-20 21:48:04 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-06-16 23:15:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 19:12:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcxSs]
"ImagePath"="%SystemRoot%\system32\rpcxss -k rpcxss"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\jre\bin\java.exe
C:\WINDOWS\SYSTEM32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\jeti\My Documents\spyware\gcasDtServ.exe
C:\Program Files\Bat\X_Bat.exe
.
**************************************************************************
.
Completion time: 2008-06-16 19:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 23:17:29
ComboFix2.txt 2008-06-16 22:27:22

Pre-Run: 99,167,924,224 bytes free
Post-Run: 99,133,345,792 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

152

=====

And I'm keeping the engine running, so to say.

#12
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
Viewpoint Manager Service
RpcxSs
File::
C:\WINDOWS\SYSTEM32\1.vbs
C:\userinit.exe
C:\kdfgjoro.exe
C:\kvbktit.exe
C:\WINDOWS\SYSTEM32\YGWUninstaller.exe
C:\voxmajpw.exe
C:\uvjnee.exe
C:\vlwy.exe
C:\nihml.exe
C:\d1.exe
C:\stfjhqpx.exe
C:\raati.exe
C:\WINDOWS\system32\drivers\services.exe
C:\Documents and Settings\LocalService\svchost.exe
C:\Documents and Settings\jeti\Start Menu\Programs\Startup\Bat - Auto Update.lnk 
Folder::
C:\WINDOWS\SYSTEM32\vdzgpxeuu
C:\Program Files\Bat
C:\Program Files\Viewpoint
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hjcpizq"=-
"yygivpqv"=-
"[system]"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"=-
"winlogon"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcxSs]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

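A CFScript is only a request; the proof of removal is the "Other Deletions" and "Drivers/Services" sections of the ComboFix log that comes back, and the two should be reconciled entry by entry rather than eyeballed. The Python below is an added example, not ComboFix code and not part of this thread: it parses the script format above (sections introduced by lines ending in "::") and the banner-delimited sections of a ComboFix log, then reports which targets the log actually confirms. Both inputs are constructed excerpts, one of the script above and one of the log jeti posts in the next reply. On those excerpts it confirms both services and four of the six file and folder targets, and leaves drivers\services.exe and LocalService\svchost.exe unconfirmed: neither appears under Other Deletions, and the earlier log listed their Run values with empty "[ ]" brackets and no size or date, consistent with the files already being gone while the registry values pointing at them remained.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the CFScript from the post above (constructed input for the offline run;
# the real script has more entries).
CFSCRIPT = r"""
Driver::
Viewpoint Manager Service
RpcxSs
File::
C:\WINDOWS\SYSTEM32\1.vbs
C:\userinit.exe
C:\WINDOWS\system32\drivers\services.exe
C:\Documents and Settings\LocalService\svchost.exe
Folder::
C:\WINDOWS\SYSTEM32\vdzgpxeuu
C:\Program Files\Bat
"""

# Excerpt of the ComboFix log posted after that script ran (constructed input, same format).
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Bat
C:\Program Files\Bat\Bat.exe
C:\userinit.exe
C:\WINDOWS\SYSTEM32\1.vbs
C:\WINDOWS\SYSTEM32\vdzgpxeuu\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCXSS
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_RpcxSs
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections; each section maps to its target lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log_sections(text: str) -> Dict[str, List[str]]:
    """Collect the non-empty lines under each '((( Title )))' banner of a ComboFix log."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def _norm_path(p: str) -> str:
    # ComboFix prints deleted folders with a trailing backslash; the script lists them without.
    return p.rstrip("\\").lower()


def verify_cleanup(script: Dict[str, List[str]],
                   log: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Match every File::/Folder::/Driver:: target against what the log says was removed."""
    deleted = {_norm_path(l) for l in log.get("Other Deletions", [])}
    services = {l.split("\\", 1)[1].lower()
                for l in log.get("Drivers/Services", []) if l.startswith("-------\\")}
    report: Dict[str, List[Tuple[str, str]]] = {"confirmed": [], "unconfirmed": []}
    for kind in ("File", "Folder"):
        for target in script.get(kind, []):
            bucket = "confirmed" if _norm_path(target) in deleted else "unconfirmed"
            report[bucket].append((kind, target))
    for svc in script.get("Driver", []):
        bucket = "confirmed" if "service_" + svc.lower() in services else "unconfirmed"
        report[bucket].append(("Driver", svc))
    return report


def run_check() -> Dict[str, List[Tuple[str, str]]]:
    return verify_cleanup(parse_cfscript(CFSCRIPT), parse_log_sections(COMBOFIX_LOG))


if __name__ == "__main__":
    for bucket, items in run_check().items():
        print(bucket)
        for kind, target in items:
            print(f"  {kind}: {target}")
```

An unconfirmed entry is not automatically a failure, as here, where the files were most likely already absent; it is the list of things to go and look at by hand before declaring the machine clean.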

#13
jeti
    New Member
  • Topic Starter
  • Member
  • 9 posts
Okay, here's the newest ComboFix:

=====

ComboFix 08-06-15.4 - jeti 2008-06-16 20:13:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.222 [GMT -4:00]
Running from: C:\Documents and Settings\jeti\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jeti\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\d1.exe
C:\Documents and Settings\jeti\Start Menu\Programs\Startup\Bat - Auto Update.lnk
C:\Documents and Settings\LocalService\svchost.exe
C:\kdfgjoro.exe
C:\kvbktit.exe
C:\nihml.exe
C:\raati.exe
C:\stfjhqpx.exe
C:\userinit.exe
C:\uvjnee.exe
C:\vlwy.exe
C:\voxmajpw.exe
C:\WINDOWS\SYSTEM32\1.vbs
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\SYSTEM32\YGWUninstaller.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\d1.exe
C:\Documents and Settings\jeti\Start Menu\Programs\Startup\Bat - Auto Update.lnk
C:\kdfgjoro.exe
C:\kvbktit.exe
C:\nihml.exe
C:\Program Files\Bat
C:\Program Files\Bat\Bat.dll
C:\Program Files\Bat\Bat.dll.intermediate.manifest
C:\Program Files\Bat\Bat.exe
C:\Program Files\Bat\Bat.original
C:\Program Files\Bat\Info.dll
C:\Program Files\Bat\un_BatSetup_15041.exe
C:\Program Files\Bat\un_BatSetup_15041.txt
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Bat\X_Bat.log
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_03000F11.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\Program Files\Viewpoint\Viewpoint Manager\CPtask.xml
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\header.gif
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\no.gif
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\options.ini
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\updates.html
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\yes.gif
C:\Program Files\Viewpoint\Viewpoint Manager\Read_Me.txt
C:\Program Files\Viewpoint\Viewpoint Manager\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
C:\raati.exe
C:\stfjhqpx.exe
C:\userinit.exe
C:\uvjnee.exe
C:\vlwy.exe
C:\voxmajpw.exe
C:\WINDOWS\SYSTEM32\1.vbs
C:\WINDOWS\SYSTEM32\vdzgpxeuu\
C:\WINDOWS\SYSTEM32\YGWUninstaller.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCXSS
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_RpcxSs
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 16:23 . 2008-06-16 16:18 1,262,900 --a------ C:\ComboFix.exe
2008-06-15 23:28 . 2008-06-15 23:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-15 23:22 . 2008-06-16 16:40 <DIR> d-------- C:\SDFix
2008-06-15 22:45 . 2008-06-15 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-13 13:23 . 2008-06-13 13:22 561,152 --a------ C:\WINDOWS\SYSTEM32\vdzgpxeuu
2008-06-13 13:09 . 2008-06-13 13:09 <DIR> d-------- C:\Documents and Settings\Administrator.DDHM0V31\Application Data\Talkback
2008-06-13 12:24 . 2008-06-13 12:24 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 00:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-13 17:22 561,152 ----a-w C:\WINDOWS\SYSTEM32\user32.DLL
2008-06-13 17:22 561,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-06-13 17:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 22:27 12,800 ----a-w C:\GX3L.exe
2008-04-05 22:15 67,584 ----a-w C:\Documents and Settings\All Users\Application Data\ktehijcv.dll
2003-12-28 16:26 62,000 ----a-w C:\Documents and Settings\jeti\Application Data\GDIPFONTCACHEV1.DAT
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@[email protected]
2003-11-25 13:00 32 --sha-w C:\WINDOWS\{60740A8D-A2CA-4DEA-A366-9178FBB715C1}.dat
2003-11-25 13:00 32 --sha-w C:\WINDOWS\SYSTEM32\{B2EE84CB-C981-477A-8648-9450CA3C6F92}.dat
.

((((((((((((((((((((((((((((( [email protected]_18.21.56.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-16 22:15:33 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-17 00:17:18 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 13:00 200767]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51 306688]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-04-24 18:58 4616192]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 07:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 03:01 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 12:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47 204800]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 03:00 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-11-25 09:00 151597]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 13:24 131072]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 20:46 270336]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44 32881]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-04-20 13:24 53248]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll" [ ]
"LWBMOUSE"="C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE" [2001-11-09 02:47 356352]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-29 22:07 98304]
"iTunesHelper"="C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe" [2005-06-24 15:16 278528]
"gcasServ"="C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe" [2005-07-12 15:35 473928]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2003-11-25 08:58:14 36953]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-08-22 13:29:15 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

R2 mple6docserver;Maya 6 PLE Documentation Server;"C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe" -s "C:\Documents and Settings\jeti\My Documents\spyware\docs\Wrapper.conf" []
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;C:\WINDOWS\System32\DRIVERS\DELUSB_51.sys [2002-08-09 02:46]

.
Contents of the 'Scheduled Tasks' folder
"2004-01-20 21:48:04 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-06-17 00:20:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 20:17:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\jre\bin\java.exe
C:\WINDOWS\SYSTEM32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jeti\My Documents\spyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2008-06-16 20:22:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 00:22:52
ComboFix2.txt 2008-06-16 23:17:36
ComboFix3.txt 2008-06-16 22:27:22

Pre-Run: 99,135,037,440 bytes free
Post-Run: 99,038,777,344 bytes free

228

=====

And the new HijackThis:

=====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:09 PM, on 6/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\jre\bin\java.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jeti\My Documents\spyware\gcasDtServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\jeti\Desktop\NOW\HiJackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.co...ntl/xx-hacker/"); (C:\Documents and Settings\JETI\Application Data\Mozilla\Profiles\default\as2mxmwy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JETI\Application Data\Mozilla\Profiles\default\as2mxmwy.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\jeti\My Documents\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207423612044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207423600263
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol hijack: mhtml -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9011 bytes

=====

Aaaaand here we go.

#14
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\vdzgpxeuu
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=============
Post these logs please:
MalwareBytes log
OTMoveIt log
New HijackThis log


#15
jeti (New Member, Topic Starter, 9 posts)
OTMoveit was successful:

=====

C:\WINDOWS\SYSTEM32\vdzgpxeuu moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06162008_204017

=====

Malwarebytes, also successful:

=====

Malwarebytes' Anti-Malware 1.17
Database version: 846

8:48:35 PM 6/16/2008
mbam-log-6-16-2008 (20-48-35).txt

Scan type: Quick Scan
Objects scanned: 38072
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mscmp1.bhoapp.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=====

Finally, the HijackThis:

=====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:25 PM, on 6/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jeti\My Documents\spyware\docs\jre\bin\java.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jeti\My Documents\spyware\gcasDtServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\jeti\Desktop\NOW\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.co...ntl/xx-hacker/"); (C:\Documents and Settings\JETI\Application Data\Mozilla\Profiles\default\as2mxmwy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JETI\Application Data\Mozilla\Profiles\default\as2mxmwy.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\jeti\My Documents\spyware\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\jeti\My Documents\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207423612044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207423600263
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol hijack: mhtml -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9011 bytes

=====

... This time, when I plugged my flash drive into this (the internet-active, non-dying) computer, I got a bunch of virus notifications. Very upsetting.
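As an added example (not from the thread, and not part of HijackThis or any tool named here), a small Python script that applies the checks a helper makes by eye on logs like the ones above: autostart entries launched from a user profile folder, services with an unknown owner, protocol hijack entries with no handler, and hooks that point at a missing file. The sample log lines are constructed in the HijackThis v2 format and modelled on this thread's entries; a hit is a review item, not proof of infection.

```python
import re

# Constructed sample in HijackThis v2 log format (entries modelled on the
# thread's logs; this is not the original log file).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Documents and Settings\jeti\My Documents\spyware\gcasServ.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O18 - Protocol hijack: mhtml -
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Documents and Settings\jeti\My Documents\spyware\docs\wrapper.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - ..." style entry: section code, then the entry body.
ENTRY_RE = re.compile(r"^([ORNF]\d+) - (.*)$")
# Anything launched from a user profile rather than Program Files / WINDOWS.
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\", re.IGNORECASE)
# A Windows path ending in a loadable module (shortest match wins).
WIN_PATH_RE = re.compile(r'[A-Z]:\\[^"]+?\.(?:exe|dll|ocx)', re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, line) for entries that deserve a closer look.

    These are review heuristics, not verdicts: the user's "spyware" folder in
    the thread holds legitimate tools as well, so every hit needs a human check.
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        reason = None
        if section == "O18" and body.endswith("-"):
            reason = "protocol hijack entry with no handler path"
        elif section == "O23" and "Unknown owner" in body:
            reason = "service with unknown owner"
        elif section == "O4" and USER_PROFILE_RE.search(body):
            reason = "autostart launched from a user profile folder"
        elif "(file missing)" in body:
            reason = "entry points at a missing file (orphaned hook)"
        if reason:
            findings.append((section, reason, line.strip()))
    return findings


def paths_to_review(findings):
    """De-duplicated on-disk paths referenced by the flagged entries."""
    paths = []
    for _section, _reason, line in findings:
        for path in WIN_PATH_RE.findall(line):
            if path not in paths:
                paths.append(path)
    return paths


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for section, reason, line in hits:
        print(f"{section}: {reason}\n    {line}")
    print("paths to inspect:", *paths_to_review(hits), sep="\n  ")
```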