Malware infected, can't run any EXE? [RESOLVED]


#1 - Euromir (New Member, 9 posts)
Hi

I actually "normally" consider myself a computer geek, but I bow down to this one.
I think I got a similar malware infection that's been posted here already under here:
http://www.geekstogo...08-t202942.html

But I have an odd and disabling problem in that I can't seem to get any .exe files to run.
I have tried to run HijackThis and DSS and to install and run MBAM, but any of these I click on just do nothing; I also tried OldTimer's tools but again nothing happens after clicking on them, so I'm having problems even showing you my problems with a log at all.

I think it's similar malware to other threads as I found "tovafrnm.exe" and the following .dlls which match:
ljJCsPhl.dll
awtRKAQG.dll
rjorewen.dll

I managed to delete the above malware .exe (hope that was right?) but I can't get rid of those .dlls as they're in use.
I have tried Windows safe mode but still have the same problems there, and the HijackThis exe files aren't on my desktop in safe mode?
The internet doesn't seem to work: the odd site will work, such as Google, but any virus site or help sites etc. just come up with "not connected to internet" errors.

Many applications on the PC won't work now either, Notepad won't run, Firefox won't run etc. etc.

I did a full deep scan with NOD32 (my antivirus) but it comes back clean. :)

My first major hurdle is that this seems to have crippled my system and I can't "run" anything, so I would appreciate your ideas please?
Thankfully I have a Mac also, else I couldn't type this to you now.

#2 - kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Euromir

Welcome to G2Go. :)
=====================
See if you can get this to run.

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#3 - Euromir (Topic Starter, New Member, 9 posts)
Thanks for the response, I will try that tonight as soon as I am home.
Thanks

#4 - kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
OK

#5 - Euromir (Topic Starter, New Member, 9 posts)
OK, the script ran just fine; great idea when .exe files don't seem to work now.
I'm not sure it matters, but I should have said my PC is system-encrypted with TrueCrypt, although once booted Windows knows no different and I never had any issues with it.

Here's the log:

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"TrueCrypt" = ""C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences" ["TrueCrypt Foundation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"egui" = ""C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice" ["ESET"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"BCWipeTM Startup" = ""C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup" ["Jetico, Inc."]
"OODefragTray" = "C:\WINDOWS\system32\oodtray.exe" [file not found]
"SpyHunter Security Suite" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" ["Enigma Software Group, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"686a6c1f" = "rundll32.exe "C:\WINDOWS\system32\ijpmqyre.dll",b" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{366B6722-EE9A-4D45-B92A-5DA70661E2AB}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\awtRKAQG.dll" [null data]
{D2EEB637-A4A5-4BBB-8C0C-96AF821110C2}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ljJCsPhI.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension"
-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{7850a720-705f-11d0-a9eb-0080488625e5}" = "BestCrypt Shell Extension"
-> {HKLM...CLSID} = "BestCrypt Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Jetico\Shared\BCShExt.dll" ["Jetico, Inc."]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{D2EEB637-A4A5-4BBB-8C0C-96AF821110C2}" = "*[*[**l**c*j?*l**c********" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ljJCsPhI.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\awtRKAQG"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> ljJCsPhI\DLLName = "ljJCsPhI.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
BCShellMenu\(Default) = "{7850a720-705f-11d0-a9eb-0080488625e5}"
-> {HKLM...CLSID} = "BestCrypt Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Jetico\Shared\BCShExt.dll" ["Jetico, Inc."]
Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
BCShellMenu\(Default) = "{7850a720-705f-11d0-a9eb-0080488625e5}"
-> {HKLM...CLSID} = "BestCrypt Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Jetico\Shared\BCShExt.dll" ["Jetico, Inc."]
Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --one-instance-when-started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --one-instance-when-started-from-file dvd:%1" ["VideoLAN Team"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

CSIScanner, CSIScanner, ""C:\Program Files\PrevxCSI\prevxcsi.exe" /service" ["Prevx"]
Eset Service, ekrn, ""C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"" ["ESET"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
UPS - APC PowerChute plus, UPS, "C:\Program Files\Pwrchute\ups.exe" ["APC"]


---------- (launch time: 2008-06-30 18:47:33)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 41 seconds.
---------- (total run time: 98 seconds)

Edited by Euromir, 30 June 2008 - 12:53 AM.


#6 - Euromir (Topic Starter, New Member, 9 posts)
I "think" I can see the dodgy .dll files myself under the Browser Helper Objects, but I could be wrong?
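
Reading a Silent Runners log like the one above by hand is error-prone, so here is an added example (my own code, not Silent Runners' and not part of this thread) that applies the reading rules the tool's own legend states: `<<!>>` marks a launch point malware favours, the trailing `[...]` tag names the publisher read from the file (`[null data]`, as I read the tag, meaning no publisher information could be read), and on a rundll32 line the `[MS]` tag vouches for rundll32.exe rather than for the DLL it loads. The sample log embedded in the block is constructed from the suspicious lines posted above with a few legitimate entries around them, so it runs offline; the severity levels and the module-name normalisation are my choices.

```python
import re

# Constructed sample in the format Silent Runners prints: the suspicious lines
# from the log posted above, with a few legitimate entries around them.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"686a6c1f" = "rundll32.exe "C:\WINDOWS\system32\ijpmqyre.dll",b" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{366B6722-EE9A-4D45-B92A-5DA70661E2AB}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\awtRKAQG.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{D2EEB637-A4A5-4BBB-8C0C-96AF821110C2}" = "*[*[**l**c*j?*l**c********" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ljJCsPhI.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\awtRKAQG"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]
<<!>> ljJCsPhI\DLLName = "ljJCsPhI.dll" [null data]
"""

MARKER = "<<!>>"                                  # the tool's own launch-point flag
PUBLISHER_RE = re.compile(r'\[([^\]]*)\]\s*$')   # trailing [MS] / ["Company"] / [null data]
MODULE_RE = re.compile(r'([A-Za-z]:\\[^"|,]+|[\w.-]+\.dll)', re.IGNORECASE)


def publisher_tag(line):
    """Return the trailing [...] tag Silent Runners prints for a file, or None."""
    m = PUBLISHER_RE.search(line)
    return m.group(1).strip('"') if m else None


def module_name(line):
    """Base name of the file a line names, lower-cased, without a .dll suffix,
    so 'awtRKAQG.dll' (BHO) and '...\\awtRKAQG' (Lsa) compare equal."""
    m = MODULE_RE.search(line)
    if not m:
        return None
    name = m.group(1).rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def triage_silent_runners(log_text):
    """Return one finding per log line that deserves a look, in log order."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("HK") and (line.endswith("\\") or line.endswith("{++}")):
            section = line.replace(" {++}", "")
            continue
        # A marked entry whose own line names no file (e.g. a ShellExecuteHooks
        # CLSID) gets its module from the InProcServer32 line of the same block.
        if (line.startswith("\\InProcServer32") and findings
                and findings[-1]["module"] is None and findings[-1]["section"] == section):
            findings[-1]["module"] = module_name(line)
        lower = line.lower()
        tag = publisher_tag(line)
        reasons = []
        if line.startswith(MARKER):
            reasons.append("<<!>> marker: entry sits at a launch point malware favours")
        if tag == "null data":
            reasons.append("[null data]: no publisher information could be read from the file")
        loads_dll = "rundll32" in lower and ".dll" in lower
        if loads_dll:
            reasons.append("rundll32 loads a DLL; the [MS] tag vouches for rundll32.exe, not the DLL")
        if not reasons:
            continue
        # The marker alone says where the entry lives, not what it is: a file with
        # a known publisher stays at "review". No tag at all, [null data], or a
        # rundll32-loaded DLL means nothing vouches for the file, so it is "high".
        high = tag in (None, "null data") or loads_dll
        findings.append({"section": section, "line": line, "module": module_name(line),
                         "publisher": tag, "reasons": reasons,
                         "severity": "high" if high else "review"})
    return findings


def suspect_modules(log_text):
    """Module names from high-severity findings, de-duplicated and sorted."""
    return sorted({f["module"] for f in triage_silent_runners(log_text)
                   if f["severity"] == "high" and f["module"]})


if __name__ == "__main__":
    for f in triage_silent_runners(SAMPLE_LOG):
        print("%-6s %-10s %s" % (f["severity"], f["module"], f["section"]))
        for r in f["reasons"]:
            print("       - " + r)
    print("modules to investigate:", ", ".join(suspect_modules(SAMPLE_LOG)))
```

On the sample, the high-severity set is exactly the three modules that recur across launch points: awtRKAQG (BHO and the LSA Authentication Packages list), ljJCsPhI (ShellExecuteHooks and Winlogon Notify) and the rundll32-loaded DLL from the eight-hex-character Run value. The Microsoft dimsntfy entry also carries the `<<!>>` marker but stays at review level, which is why the marker alone is never the verdict.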

#7 - kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
See if this will work.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
Reboot for the changes to take place.
========================
Then see if you can do the following:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

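The fixthis.reg above restores the .exe file association. As an added check (my own code, not kahdah's fix and not part of this thread), the Python below parses .reg export text and verifies the chain .exe -> ProgID -> shell\open\command and shell\runas\command against the `"%1" %*` command the fix writes. The reference text reproduces the relevant keys from the posted fix; the second export is a constructed, hypothetical hijacked association with a placeholder program path, included only to show what the check reports. To use it on a real machine, export the keys with `regedit /e` as in the post and read the file with encoding `utf-16` (regedit writes exports as UTF-16), then pass the text to `parse_reg`.

```python
import re

# Reference: the association keys that the fixthis.reg posted above restores
# (only the keys this check needs are reproduced here).
EXPECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

# Constructed, hypothetical export of a hijacked association (not from the thread):
# .exe is repointed to another ProgID whose open verb runs an extra program in
# front of the real target. placeholder_hijack.exe is a placeholder name.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\placeholder_hijack.exe\" \"%1\" %*"
'''

EXPECTED_COMMAND = '"%1" %*'   # what a healthy open/runas command must be

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape_reg_string(s):
    # .reg files write " as \" and \ as \\ inside quoted strings; undo that.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; '@' holds the default value.
    Quoted strings are unescaped; hex:/dword: data is kept as literal text and
    hex continuation lines (ending in a backslash) are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if name != "@":
                name = unescape_reg_string(name[1:-1])
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = unescape_reg_string(data[1:-1])
            keys[current][name] = data
    return keys


def check_exe_association(keys):
    """Return the problems found in the .exe -> ProgID -> command chain ([] if healthy)."""
    problems = []
    progid = keys.get(r"HKEY_CLASSES_ROOT\.exe", {}).get("@")
    if progid != "exefile":
        problems.append(".exe is handled by ProgID %r, expected 'exefile'" % progid)
    # Follow whatever ProgID .exe really points at, so a redirected association
    # is inspected rather than the exefile key the fix would write.
    for verb in ("open", "runas"):
        key = "\\".join(["HKEY_CLASSES_ROOT", progid or "exefile", "shell", verb, "command"])
        cmd = keys.get(key, {}).get("@")
        if cmd is None:
            problems.append("%s: no default command value" % key)
        elif cmd != EXPECTED_COMMAND:
            problems.append("%s: command is %r, expected %r" % (key, cmd, EXPECTED_COMMAND))
    return problems


if __name__ == "__main__":
    for label, text in (("reference fix", EXPECTED_REG), ("constructed hijack", HIJACKED_REG)):
        problems = check_exe_association(parse_reg(text))
        print(label, "->", "OK" if not problems else "\n  ".join([""] + problems))
```

The check deliberately follows the ProgID that .exe actually names instead of assuming exefile, because an association that has been redirected to another ProgID looks healthy if you only inspect the exefile key. On the constructed export it reports three problems: the redirected ProgID, the extra program in front of `"%1" %*`, and the missing runas command.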

#8 - Euromir (Topic Starter, New Member, 9 posts)
All done with the reg fix, but I had to use WordPad as Notepad still won't function. Which brings me on to the problem with DSS: it runs OK now, it does its scan thing all fine, and it then shows a popup saying Notepad will open the 2 log files now. And then, as soon as Notepad tries opening, it crashes, meaning I can't see the results of DSS.

Notepad crashes ever since this "malware" has existed. It crashes under Data Execution Protection, Event type: BEX

Is there any other way to output logs from DSS? Else I need to try to fix Notepad somehow.

Thanks for the continued help.

#9 - Euromir (Topic Starter, New Member, 9 posts)
Well, I forgot I can turn DEP off for Notepad! Doh, so Notepad is fixed.

Deckard's System Scanner v20071014.68
Run by user on 2008-06-30 22:01:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-30 22:01:49
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D2EEB637-A4A5-4BBB-8C0C-96AF821110C2} - C:\WINDOWS\system32\ljJCsPhI.dll
O2 - BHO: (no name) - {E8F9B79D-6852-44F2-A099-7AE1C0D21D88} - C:\WINDOWS\system32\awtRKAQG.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [686a6c1f] rundll32.exe "C:\WINDOWS\system32\fkycovot.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207365669576
O20 - Winlogon Notify: ljJCsPhI - C:\WINDOWS\system32\ljJCsPhI.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe


--
End of file - 4359 bytes

-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 21:23:19 45212590 --a------ C:\registrybackup.reg
2008-06-30 19:49:44 91520 --a------ C:\WINDOWS\system32\fkycovot.dll
2008-06-29 20:28:41 0 d-------- C:\Program Files\Enigma Software Group
2008-06-29 20:08:56 0 d-------- C:\Documents and Settings\user\Application Data\Desktopicon
2008-06-29 19:37:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-29 19:31:24 1508 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-29 19:26:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-29 19:07:02 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-29 19:07:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-29 19:07:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-29 19:07:02 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-29 19:07:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-29 19:07:02 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-29 19:07:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-29 19:07:02 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-29 19:07:02 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-29 19:07:02 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-29 19:07:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-29 19:07:02 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-29 19:07:02 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-29 19:07:02 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-29 18:53:24 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-06-29 18:19:21 0 d-------- C:\Program Files\uTorrent
2008-06-29 18:19:18 0 d-------- C:\Documents and Settings\user\Application Data\uTorrent
2008-06-29 17:35:38 0 d-------- C:\WINDOWS\system32\oodag
2008-06-29 16:49:26 96966 --ahs---- C:\WINDOWS\system32\GQAKRtwa.ini2
2008-06-29 16:49:21 318720 --a------ C:\WINDOWS\system32\awtRKAQG.dll
2008-06-29 16:44:16 28288 --a------ C:\WINDOWS\system32\ljJCsPhI.dll
2008-06-29 14:21:04 0 d-------- C:\Documents and Settings\user\Application Data\InfraRecorder
2008-06-29 14:20:45 0 d-------- C:\Program Files\InfraRecorder
2008-06-29 14:17:31 0 d-------- C:\Documents and Settings\All Users\Application Data\TrueCrypt
2008-06-29 14:07:29 66048 --a------ C:\WINDOWS\system32\xnmte450.dll
2008-06-29 14:07:29 25088 --a------ C:\WINDOWS\system32\xnmhn450.dll
2008-06-29 14:07:29 86528 --a------ C:\WINDOWS\system32\xnmhb450.dll
2008-06-29 14:07:29 373760 --a------ C:\WINDOWS\system32\xnmba450.dll
2008-06-29 14:07:27 36864 --a------ C:\WINDOWS\system32\apcctrs.dll <Not Verified; American Power Conversion; PowerChute plus Performance DLL>
2008-06-29 14:07:26 0 d-------- C:\Program Files\Pwrchute
2008-06-29 14:06:45 299008 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-29 14:06:41 0 d-------- C:\Documents and Settings\user\WINDOWS
2008-06-24 16:40:03 0 d-------- C:\Program Files\GameSpy Arcade
2008-06-24 16:37:52 0 d-------- C:\Program Files\EA GAMES
2008-06-24 16:20:12 0 d-------- C:\Program Files\TrueCrypt
2008-06-24 16:20:02 0 d-------- C:\Documents and Settings\user\Application Data\TrueCrypt
2008-06-24 16:19:39 0 d-------- C:\Program Files\Jetico
2008-06-24 16:08:08 0 d-------- C:\Documents and Settings\user\Application Data\VSRevoGroup
2008-06-24 16:04:34 0 d-------- C:\Program Files\VS Revo Group
2008-06-23 19:47:49 0 d-------- C:\Program Files\Prey
2008-06-22 12:28:19 0 d-------- C:\Program Files\[bleep] NFO Viewer
2008-06-22 12:10:19 0 d-------- C:\Program Files\Common Files\ASCOM
2008-06-22 12:09:32 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-22 12:09:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-22 12:08:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 12:08:33 0 d-------- C:\Program Files\QuickTime
2008-06-22 12:02:55 0 d--h----- C:\Program Files\Zero G Registry
2008-06-22 12:02:55 0 d-------- C:\Program Files\Starry Night Pro Plus 6
2008-06-22 12:02:31 0 d--h----- C:\Documents and Settings\user\InstallAnywhere
2008-06-19 17:23:36 0 d-------- C:\Program Files\World of Warcraft
2008-06-19 16:57:43 0 d-------- C:\Program Files\Common Files\EasyInfo
2008-06-18 23:08:38 908 --a------ C:\WINDOWS\eReg.dat
2008-06-18 22:49:59 0 d-------- C:\WINDOWS\nvidia icons
2008-06-18 22:49:14 0 d-------- C:\NVIDIA
2008-06-18 21:58:20 0 d-------- C:\Documents and Settings\user\Application Data\Macromedia
2008-06-18 21:40:00 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-06-18 21:34:51 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2008-06-18 21:34:16 4298 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-18 21:04:43 0 d-------- C:\Program Files\GameSpy
2008-06-18 20:54:28 0 d-------- C:\WINDOWS\Prefetch
2008-06-18 20:49:28 0 d-------- C:\WINDOWS\system32\scripting
2008-06-18 20:49:27 0 d-------- C:\WINDOWS\system32\en
2008-06-18 20:49:27 0 d-------- C:\WINDOWS\l2schemas
2008-06-18 20:49:26 0 d-------- C:\WINDOWS\system32\bits
2008-06-18 20:47:15 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-18 20:43:54 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-06-18 20:41:08 0 d-------- C:\WINDOWS\EHome
2008-06-18 20:20:43 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-18 19:41:46 5702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-06-18 19:41:46 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-06-18 19:40:24 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-18 19:39:21 0 d-------- C:\Documents and Settings\user\Application Data\WinRAR
2008-06-18 19:35:51 0 d-------- C:\WINDOWS\pss
2008-06-18 19:31:57 0 d-------- C:\Documents and Settings\user\Application Data\dvdcss
2008-06-18 19:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-10 16:03:40 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-10 16:00:47 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-10 15:59:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-05 19:59:55 0 d-------- C:\Program Files\Ubisoft
2008-06-05 19:58:41 0 d-------- C:\WINDOWS\Cache
2008-06-05 19:40:42 0 d-------- C:\WINDOWS\system32\URTTemp
2008-06-05 19:38:24 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-06-05 19:38:24 0 d-------- C:\WINDOWS\system32\LogFiles
2008-06-05 19:32:17 0 d-------- C:\Program Files\Electronic Arts
2008-06-05 19:27:36 0 d-------- C:\WINDOWS\nview
2008-06-05 19:27:16 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-06-05 19:27:14 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-06-05 19:27:14 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-06-05 19:27:14 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-06-05 19:27:14 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-06-05 19:27:14 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-06-05 19:27:14 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-06-05 19:27:14 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-06-05 19:26:01 0 d-------- C:\Program Files\VDOTool
2008-06-05 19:25:20 5248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-06-05 19:25:20 155136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-06-05 19:25:18 0 d-------- C:\Program Files\D-Tools
2008-06-05 19:25:07 0 d-------- C:\WINDOWS\Downloaded Installations
2008-06-01 16:02:22 0 d-------- C:\Documents and Settings\user\Application Data\AVGTOOLBAR


-- Find3M Report ---------------------------------------------------------------

2008-06-29 18:27:29 0 d-------- C:\Program Files\Common Files
2008-06-24 16:50:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-18 23:01:27 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-18 20:49:42 0 d-------- C:\Program Files\Messenger
2008-06-18 20:49:26 0 d-------- C:\Program Files\Movie Maker
2008-06-18 20:47:01 0 d-------- C:\Program Files\Windows NT
2008-06-18 19:30:13 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-20 20:14:37 262144 --a------ C:\WINDOWS\BCUnInstall.exe <Not Verified; Jetico; BCUnInstall>
2008-04-06 03:12:12 62 --ahs---- C:\Documents and Settings\user\Application Data\desktop.ini
2008-04-05 15:36:41 0 -rahs---- C:\MSDOS.SYS
2008-04-05 15:36:41 0 -rahs---- C:\IO.SYS
2008-04-05 15:36:41 0 --a------ C:\CONFIG.SYS
2008-04-05 15:36:41 0 --a------ C:\AUTOEXEC.BAT
2008-04-05 15:33:59 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2EEB637-A4A5-4BBB-8C0C-96AF821110C2}]
29/06/2008 16:44 28288 --a------ C:\WINDOWS\system32\ljJCsPhI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8F9B79D-6852-44F2-A099-7AE1C0D21D88}]
29/06/2008 16:49 318720 --a------ C:\WINDOWS\system32\awtRKAQG.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/01/2005 10:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/01/2005 10:31]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [14/10/2004 14:42]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02/05/2008 22:46]
"nwiz"="nwiz.exe" [02/05/2008 22:46 C:\WINDOWS\system32\nwiz.exe]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [20/02/2008 11:06]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [02/05/2008 22:46]
"BCWipeTM Startup"="C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [11/03/2008 20:16]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [22/06/2008 12:08]
"686a6c1f"="C:\WINDOWS\system32\fkycovot.dll" [30/06/2008 19:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 05:42]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [24/06/2008 16:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D2EEB637-A4A5-4BBB-8C0C-96AF821110C2}"= C:\WINDOWS\system32\ljJCsPhI.dll [29/06/2008 16:44 28288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCsPhI]
ljJCsPhI.dll 29/06/2008 16:44 28288 C:\WINDOWS\system32\ljJCsPhI.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtRKAQG

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-30 22:04:50 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.80GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1022.01 MiB / 721.4 MiB
Pagefile Memory (total/avail): 2447.25 MiB / 2243.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.75 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 74.5 GiB total, 47.21 GiB free.
D: is CDROM (UDF)
F: is Fixed (NTFS) - 232.88 GiB total, 184.73 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD800JD-75JNA0 - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:

\\.\PHYSICALDRIVE1 - Maxtor Basics Desktop USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-63F3DD10DC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\USER-63F3DD10DC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
PWRCHUTE=C:\Program Files\Pwrchute
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=USER-63F3DD10DC
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
ASCOM Platform 4.1 --> C:\PROGRA~1\COMMON~1\ASCOM\TELESC~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\ASCOM\TELESC~1\INSTALL.LOG
Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
Battlefield 1942: Secret Weapons of WWII --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B73B4A99-4173-4747-BBEC-0F05E966F9D2}\setup.exe" -l0x9
Battlefield 1942: The Road To Rome --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}\setup.exe" -l0x9
Battlefield 2142 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x9 -removeonly
BCWipe 3.0 --> "C:\WINDOWS\BCUnInstall.exe" C:\Program Files\Jetico\BCWipe\UnInstall.log
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{7E369B27-13E2-41A5-9879-358EE1C8B5AD}
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
ESET NOD32 Antivirus --> MsiExec.exe /I{7D974ACA-4EE5-412C-8E6A-A5B57B305727}
Far Cry --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC} /l2057
First Strike Mod --> C:\Program Files\Electronic Arts\Battlefield 2142\Mods\FirstStrike\Uninst.exe
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InfraRecorder --> C:\Program Files\InfraRecorder\uninstall.exe
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Lightroom --> MsiExec.exe /I{D4134B0B-EA9B-4835-A77A-60BEE6277101}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up --> "C:\Program Files\ESET\ESET NOD32 Antivirus\unins000.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
PowerChute plus 5.2 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Pwrchute\DeIsL1.isu" -c"C:\Program Files\Pwrchute\uninst.dll
Prey --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A785BBA7-3FB9-4D81-BC35-4A2028915ACB}\setup.exe" -l0x9 -removeonly
PunkBuster for Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{127B684B-A002-44C8-99A7-6CF8F1E26873}\setup.exe" -l0x9
PunkBuster Services --> C:\WINDOWS\system32\pbsvc.exe -u
QuickTime --> MsiExec.exe /X{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}
Revo Uninstaller 1.71 --> C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
Starry Night Pro Plus 6 --> "C:\Program Files\Starry Night Pro Plus 6\Uninstall Starry Night Pro Plus 6\Uninstall Starry Night Pro Plus 6.exe"
TrueCrypt --> "C:\Program Files\TrueCrypt\TrueCrypt Setup.exe" /u
VDOTool 6.1 --> "C:\Program Files\VDOTool\unins000.exe"
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type291 / Error
Event Submitted/Written: 06/30/2008 07:50:57 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application vlc.exe, version 0.8.5.0, faulting module liblibmpeg2_plugin.dll, version 0.0.0.0, fault address 0x000165d1.
Processing media-specific event for [vlc.exe!ws!]

Event Record #/Type290 / Error
Event Submitted/Written: 06/30/2008 07:49:03 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application prevxcsi.exe, version 1.9.112.121, faulting module prevxcsi.exe, version 1.9.112.121, fault address 0x0000caa7.
Processing media-specific event for [prevxcsi.exe!ws!]

Event Record #/Type287 / Error
Event Submitted/Written: 06/29/2008 10:28:54 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application prevxcsi.exe, version 1.9.112.121, faulting module prevxcsi.exe, version 1.9.112.121, fault address 0x0000caa7.
Processing media-specific event for [prevxcsi.exe!ws!]

Event Record #/Type283 / Error
Event Submitted/Written: 06/29/2008 08:15:42 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application notepad.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x00a7000a.
Processing media-specific event for [notepad.exe!ws!]

Event Record #/Type282 / Error
Event Submitted/Written: 06/29/2008 08:13:20 PM
Event ID/Source: 1004 / Application Error
Event Description:
Faulting application lsass.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x009c9377.
Error in creating result PEAP-TLV in response to received PEAP-TLV (lsass.exe!ld!)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3472 / Error
Event Submitted/Written: 06/30/2008 09:39:28 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Eset Nod32 Boot service failed to start due to the following error:
%%1053

Event Record #/Type3471 / Error
Event Submitted/Written: 06/30/2008 09:39:28 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Eset Nod32 Boot service to connect.

Event Record #/Type3463 / Error
Event Submitted/Written: 06/30/2008 09:34:28 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type3448 / Error
Event Submitted/Written: 06/30/2008 09:33:49 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Eset Nod32 Boot service failed to start due to the following error:
%%1053

Event Record #/Type3447 / Error
Event Submitted/Written: 06/30/2008 09:33:49 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Eset Nod32 Boot service to connect.



-- End of Deckard's System Scanner: finished at 2008-06-30 21:44:14 ------------

EDITED: As I forgot the 2nd txt file

Edited by Euromir, 30 June 2008 - 04:13 AM.


#10
Euromir (New Member, Topic Starter, 9 posts)
The annoying thing is I can see the problems, I think, and have found most of them in the Registry, but if I try and delete them they just reappear and nothing's solved. This is where my experience of editing the registry lacks. The problems I can see, I "think", are these, but I can't shift them from the registry.

O2 - BHO: (no name) - {D2EEB637-A4A5-4BBB-8C0C-96AF821110C2} - C:\WINDOWS\system32\ljJCsPhI.dll
O2 - BHO: (no name) - {E8F9B79D-6852-44F2-A099-7AE1C0D21D88} - C:\WINDOWS\system32\awtRKAQG.dll
O20 - Winlogon Notify: ljJCsPhI - C:\WINDOWS\system32\ljJCsPhI.dll
2008-06-29 16:49:26 96966 --ahs---- C:\WINDOWS\system32\GQAKRtwa.ini2
2008-06-29 16:49:21 318720 --a------ C:\WINDOWS\system32\awtRKAQG.dll
2008-06-29 16:44:16 28288 --a------ C:\WINDOWS\system32\ljJCsPhI.dll
{D2EEB637-A4A5-4BBB-8C0C-96AF821110C2}"= C:\WINDOWS\system32\ljJCsPhI.dll [29/06/2008 16:44 28288]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCsPhI]
ljJCsPhI.dll 29/06/2008 16:44 28288 C:\WINDOWS\system32\ljJCsPhI.dll
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtRKAQG

Sorry, I don't mean to tread on the toes of your advice; I'm just trying to figure out the problem myself as much as I can, and just need a little more expert advice such as yours to get me on my way. Think I'll sign up to your Geek University after this is over.
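The four locations quoted in the post above (BHO, ShellExecuteHooks, Winlogon Notify, LSA Authentication Packages) all load a DLL into a process that runs for the whole session (explorer.exe, winlogon.exe, lsass.exe), which is why a value deleted in regedit can be written straight back while the DLL is still resident. The script below is an added example for this thread, not code from the original post or from DSS/HijackThis: it parses a DSS-style registry dump, reports which host process keeps each non-allowlisted DLL loaded, and flags Run values with the eight-hex-digit names seen in the log. The sample dump is constructed from the entries quoted in the thread; the location table, the allowlist and the hex-name heuristic are assumptions of the example.

```python
"""Triage a DSS-style registry dump: which always-running process keeps each
suspicious DLL loaded? Added example for this thread; not DSS/HijackThis code."""
import re
from collections import defaultdict

# Autostart locations whose DLLs are mapped into processes that run for the
# whole session, keyed by a substring of the lower-cased registry key.
RESIDENT_LOCATIONS = {
    "winlogon\\notify\\": ("Winlogon Notify", "winlogon.exe"),
    "control\\lsa": ("LSA Authentication Packages", "lsass.exe"),
    "shellexecutehooks": ("ShellExecuteHooks", "explorer.exe"),
    "browser helper objects": ("BHO", "iexplore.exe / explorer.exe"),
}
# Default XP entries in those locations. Assumption for the example: anything
# not listed here is reported; extend it for the machine being triaged.
KNOWN_GOOD = {"msv1_0.dll", "dimsntfy.dll"}

DLL_PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]\"]+?\.dll", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # heuristic: Run names like "686a6c1f"

# Constructed sample, cut down from the Registry Dump quoted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2EEB637-A4A5-4BBB-8C0C-96AF821110C2}]
29/06/2008 16:44 28288 --a------ C:\WINDOWS\system32\ljJCsPhI.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8F9B79D-6852-44F2-A099-7AE1C0D21D88}]
29/06/2008 16:49 318720 --a------ C:\WINDOWS\system32\awtRKAQG.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02/05/2008 22:46]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [20/02/2008 11:06]
"686a6c1f"="C:\WINDOWS\system32\fkycovot.dll" [30/06/2008 19:49]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D2EEB637-A4A5-4BBB-8C0C-96AF821110C2}"= C:\WINDOWS\system32\ljJCsPhI.dll [29/06/2008 16:44 28288]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCsPhI]
ljJCsPhI.dll 29/06/2008 16:44 28288 C:\WINDOWS\system32\ljJCsPhI.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtRKAQG
"""


def parse_dump(dump):
    """Yield (lower-cased key, value line) pairs; DSS prints one [key] then its values."""
    key = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key is not None:
            yield key, line


def _with_dll(path):
    """LSA lists packages without an extension; lsass appends .dll when loading them."""
    return path if path.lower().endswith(".dll") else path + ".dll"


def find_resident_dlls(dump):
    """Map each non-allowlisted DLL to the [(location, host process), ...] that load it."""
    hits = defaultdict(list)
    for key, line in parse_dump(dump):
        for needle, (location, host) in RESIDENT_LOCATIONS.items():
            if needle not in key:
                continue
            if needle == "control\\lsa":
                if not line.lower().startswith('"authentication packages"'):
                    continue
                paths = line.split("=", 1)[1].split()
            else:
                paths = DLL_PATH_RE.findall(line)
            for path in paths:
                name = _with_dll(path).rsplit("\\", 1)[-1].lower()
                if name not in KNOWN_GOOD:
                    hits[_with_dll(path)].append((location, host))
    return dict(hits)


def find_suspicious_run_values(dump):
    """Run values whose name is eight hex digits (the pattern seen in this thread)."""
    found = {}
    for key, line in parse_dump(dump):
        if not key.endswith("\\currentversion\\run"):
            continue
        m = RUN_VALUE_RE.match(line)
        if m and HEX_NAME_RE.match(m.group(1)):
            found[m.group(1)] = m.group(2)
    return found


def report(dump):
    """One line per finding, naming the process that keeps the DLL loaded."""
    lines = []
    for path, loaders in sorted(find_resident_dlls(dump).items()):
        hosts = ", ".join(sorted({h for _, h in loaders}))
        where = ", ".join(sorted({loc for loc, _ in loaders}))
        lines.append(f"{path}: loaded by {hosts} via {where}; while it is resident "
                     f"a deleted value can be written back, so unload it first")
    for name, target in find_suspicious_run_values(dump).items():
        lines.append(f'Run value "{name}" -> {target}: random-looking name, review')
    return lines
```

Running `report(SAMPLE_DUMP)` on the constructed sample gives two DLL findings (ljJCsPhI.dll loaded through three locations, awtRKAQG.dll through the BHO and LSA entries) and one flagged Run value. The legitimate `dimsntfy.dll` Winlogon entry and `msv1_0` are skipped because they are on the allowlist; the `NvCplDaemon` Run value is not flagged, since a DLL as a Run target is normal for drivers and the heuristic only looks at the value name.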
#11
Euromir (New Member, Topic Starter, 9 posts)
I think I "may" have fixed this now. I read on a post elsewhere (guilty as charged) that if I renamed the EXE files they may run. So I renamed Malwarebytes to something random and ran it. And it worked! I assume the trojan etc. must have recognised its name and stopped it from running?

After running Malwarebytes it found 23 infected files, all saying "Vundo" trojan, so I downloaded VundoFix as per the tutorial here and now all seems well?
So it may be fixed, I hope?

I am just running a FULL scan with both anti-malware and anti-virus scanners and then I shall post a new log for you to check, if that's ok?
Thanks for all your help so far.

#12
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
If you are going to continue on your own then I am not going to help you.
Removing infections improperly can have bad effects on a machine.
Do not keep going ahead and doing things on your own if you want my help.

If you wish to fix it yourself then let me know please.

#13
Euromir (New Member, Topic Starter, 9 posts)
Kahdah

I have very much appreciated your help, my friend. I am worried that I seem to have offended you; that has certainly not been my intention.
I have merely been trying to locate and fix the problem alongside your help. I have removed Vundo by following a tutorial posted here by the site's own admin. Surely following instructions and carrying them out is not improper? I would assume using initiative would be a good thing, and thus saving the time of experts such as yourself to help others.

I have done nothing but follow the advice and wonderful help found on this forum. I sincerely apologise if in any way I have upset you; I am very grateful indeed for your help. But yes, after numerous scans it appears to be fixed now.

Either way, for future thread searches, here's the new log..



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:02, on 1/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Pwrchute\ups.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207365669576
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ljJCsPhI - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe

--
End of file - 4076 bytes

#14
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You have not offended me.
Those tutorials are to be followed before posting a HijackThis log.
After you ask for help you should not proceed on your own.

Please run DSS again and post the one log it produces.

#15
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Sent via PM.


Thanks for your help, hope I didn't annoy you. PM'ing you rather than dragging up the now old topic.

I am unable to post a new DSS log as, even though I am 95% sure I got the problem cleared, I only bought this PC a couple of weeks ago to replace my old one and it came with loads of junk on it. So even though we got the problem, I decided it would be better to start with a fresh setup and I formatted the drive. Not due to the malware, just as it's a new PC: a new clean install rather than what I was left with.

Sorry for any problems, I appreciated your help.
I have now started in Geek Uni so hope i can improve and stick around.

Lee (Euromir)

Thanks for letting me know and I will put this in the thread to show it is resolved.

Good luck with training.
===================
You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.