Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win Anti-Virus2008 and 2009/Worm.Win32 Hijack [CLOSED]

Started by aliasjones , Jul 30 2008 08:03 PM

  • This topic is locked This topic is locked

#1
aliasjones
Posted 30 July 2008 - 08:03 PM

aliasjones

    New Member

  • Member
  • Pip
  • 4 posts
Hi,
I recently got hijacked via an Active X
It is similar to what is described in posts below.
Basic things showing up include:

*Worm.Win32.Netbooster Spyware "Spyware Alert-Security Warning" Pop Up

* A balloon pop up stating stating that I have a virus and to click on it to fix the issue.


as well as to anoth site that hasn't come up since I started this post and I am unsure where it is leading me too.

*The Start Menu is missing things

*The Clock on the Desktop has changed (It is now in a new font and in Military time, it also has the phrase , "VIRUS ALERT!"

And of course this all is causing jitters and a slower system etc)

****

I have run the following:
Lavasoft Ad-Aware SE Personal (which found 3 infections but I am unsure what they were)
Spybot Search and Destroy (which keeps finding H-Key reg. issues)
CCleaner
as well as a free version of Spyware Doctor (The version I have only allows scans: but it keeps saying it is blocking explorer.exe from attempting to write to the registry- PATH:HKEY_USERS etc)

But although the above mentioned programs did find and remove things, they did not fix the issue.


Help would be appreciated.



THe HJT Log is as follows:

le of Trend Micro HijackThis v2.0.2
Scan saved at 21:34: VIRUS ALERT!, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nmutools\nmuebs.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
c:\WINDOWS\spm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitDownload\BitDownload.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AdwareAlert\AdwareAlert.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iesearch.com/
O3 - Toolbar: fdkowvbp - {E82E9D76-F0A8-4286-ADB5-52FFE3E79868} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Exit Type] C:\DOCUME~1\cbentti\APPLIC~1\VIEWCO~1\Love Grid Ooze.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189564189156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189564182062
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) -
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://liveupdate.nm...all/webinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O21 - SSODL: eqvwamkl - {06BD0520-2134-4FF7-84B1-CDBE8AB4CDA1} - C:\WINDOWS\eqvwamkl.dll
O21 - SSODL: wnslvxtf - {855D5237-AB03-4A76-90DE-6331722698B1} - C:\WINDOWS\wnslvxtf.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
O23 - Service: NMU Emergency Broadcast System (nmuebs) - Northern Michigan University - c:\nmutools\nmuebs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: System Profile Monitor (spm) - Northern Michigan University - c:\WINDOWS\spm.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

--
End of file - 9168 bytes
  • 0

Advertisements

#2
Jimmy2012
Posted 30 July 2008 - 11:56 PM

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello aliasjones, and welcome to Geeks to go. I'm currently reading over your log right now and I'll do my best to try to get your system clean. :)

Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert.
  • 0

#3
aliasjones
Posted 31 July 2008 - 01:30 AM

aliasjones

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
O.K. and thanks.
Glad to hear that you're a fact checker.
Look forward to hearing from you.

Edited by aliasjones, 31 July 2008 - 01:33 AM.

  • 0

#4
Jimmy2012
Posted 31 July 2008 - 11:16 AM

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello aliasjones,
If you have any questions please feel free to ask. :)

I do not see a Firewall on your computer. A firewall can help protect you from Hackers and some types of Malware. I recommend you download a firewall. Here are a few to chose from(all are free).
Comodo
Zone Alarm
OutPost
Out of these I would recommend Comodo, please only install one firewall at a time. If you need any help installing/using one of these firewalls please let me know.

STEP 1
Please Download NoLop to your desktop from the link below...
Link 1
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

STEP 2
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum
STEP 3
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
~~~~~~~~~~~~
In your next reply please have these logs.
The NoLop log
The SDFix log
The DSS main.txt and extra.txt
  • 0

#5
aliasjones
Posted 31 July 2008 - 06:01 PM

aliasjones

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello,

I just did what you said to do and it seems to have resolved most of the issues but there are still some problems.


Here is a list of known unresolved issues:

~The Pop Up for the Windows 2009 Antivirus still shows up now and then
~The clock is still in military time.
~My desktop Background has switched to a blue background with an image saying,"Warning! Spyware detected on your computer. Install an antivirus or spyware remover to clean your computer."
~I also have lost the ability to save pictures from the web. (Save as function)

Note: I ran a the registry cleaner in Ccleaner after I did this as well, not sure if that effected anything

Here is the run down of what you said to do:
The NoLop log: No infections were found so there is no list to post
The SDFix log: Included below
The DSS main.txt and extra.txt: main.txt is included below
NOTE: Only the main.txt showed up with the DSS.

Here are the lists:


NoLop: Again no infections were found so no list was generated



SDFix log:


SDFix: Version 1.210
Run by cbentti on Thu 07/31/2008 at 19:19

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\cbentti\Desktop\UNUSED~1\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Windows ProductId To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\efcCvSMF.dll - Deleted
C:\WINDOWS\ENVO.EXE - Deleted
C:\Documents and Settings\cbentti\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\cbentti\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\cbentti\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\cbentti\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\cbentti\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\cbentti\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\nfavxwdbbfk.dll - Deleted
C:\WINDOWS\eqvwamkl.dll - Deleted
C:\WINDOWS\fdkowvbp.dll - Deleted
C:\WINDOWS\grswptdl.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\wnslvxtf.dll - Deleted



Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 19:29:54
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex]
"pkm:catalog:LastCatalogCrawlId"=dword:000001f6
"pkm:catalog:LastCatalogCrawlModified"=dword:0000016c
"pkm:catalog:LastCatalogCrawlErrors"=dword:00000000
"pkm:catalog:LastCatalogCrawlExcludes"=dword:0000001b
"pkm:catalog:LastCatalogCrawlKBytes"=dword:00001ffe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex]
"CheckPointNumber"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\503]
"CrawlType"=dword:00000005
"InProgress"=dword:00000001
"DoneAddingCrawlSeeds"=dword:00000001
"LogName"="C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Crwl503.gthr"
"CheckPoint"=hex:c0,ef,03,00,00,00,00,00
"IsCatalogLevel"=dword:00000000
"LogStartAddId"=dword:00000000
"SuccessfulTransactions"=dword:00000001
"ErrorTransactions"=dword:00000000
"WarningTransactions"=dword:00000000
"ExcludedTransactions"=dword:00000017
"RetryTransactions"=dword:00000000
"KilobytesCrawled"=dword:00000000
"Modified"=dword:00000028
"UnvisitedItems"=dword:00000000
"ForcedFullCrawl"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\504]
"InProgress"=dword:00000000
"DoneAddingCrawlSeeds"=dword:00000000
"LogStartAddId"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0]
"CrawlNumberInProgress"=dword:000001f7
"CrawlNumberScheduled"=dword:000001f8

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Nortel Networks\\Extranet.exe"="C:\\Program Files\\Nortel Networks\\Extranet.exe:*:Enabled:Contivity VPN Client"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\cbentti\Desktop\UNUSED~1\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 2 Jul 2007 40,960 A..HR --- "C:\WINDOWS\spm.exe"
Fri 9 Mar 2007 479,096 A..H. --- "C:\nmutools\NetAgent\klcfginst.exe"
Fri 9 Mar 2007 607,832 A..H. --- "C:\nmutools\NetAgent\klrbtagt.exe"
Fri 9 Mar 2007 603,664 A..H. --- "C:\nmutools\NetAgent\lsexec.exe"
Fri 9 Mar 2007 12,244,608 A..H. --- "C:\nmutools\NetAgent\setup.exe"
Mon 3 Dec 2007 19,639 ...H. --- "C:\Documents and Settings\cbentti\Desktop\~WRL1805.tmp"
Mon 9 Jun 2008 29,184 ...H. --- "C:\Documents and Settings\cbentti\My Documents\~WRL0001.tmp"
Tue 11 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe627730c4f93db8af2aa6f435442134\BITB.tmp"
Wed 30 Jul 2008 616,448 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\t01ridy2.TMP"
Wed 30 Jul 2008 616,448 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\ut6qh2of.TMP"

Finished!


DSS log:(Again, only the main.txt appeared)


Deckard's System Scanner v20071014.68
Run by cbentti on 2008-07-31 19:44:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as cbentti.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:44:59, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nmutools\nmuebs.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
c:\WINDOWS\spm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\cbentti\Desktop\dss(2).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cbentti.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {71B4822F-8642-460D-A7BE-8CE2DBC17A37} - C:\WINDOWS\system32\yaywxuTM.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - (no file)
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189564189156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189564182062
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) -
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://liveupdate.nm...all/webinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
O23 - Service: NMU Emergency Broadcast System (nmuebs) - Northern Michigan University - c:\nmutools\nmuebs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: System Profile Monitor (spm) - Northern Michigan University - c:\WINDOWS\spm.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

--
End of file - 9422 bytes

-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 19:16:42 0 d-------- C:\WINDOWS\ERUNT
2008-07-31 18:28:32 212 --a------ C:\delete.bat
2008-07-31 02:58:59 99712 --a------ C:\WINDOWS\system32\oarfnodc.dll
2008-07-30 20:59:04 99712 --a------ C:\WINDOWS\system32\rxuoabfe.dll
2008-07-30 20:56:01 636264 --ahs---- C:\WINDOWS\system32\MTuxwyay.ini2
2008-07-30 20:55:57 323328 --a------ C:\WINDOWS\system32\yaywxuTM.dll
2008-07-30 20:49:07 0 d-------- C:\Documents and Settings\cbentti\Application Data\AdwareAlert
2008-07-30 20:48:58 0 d-------- C:\Program Files\AdwareAlert
2008-07-30 20:39:45 0 d-------- C:\Program Files\Trend Micro
2008-07-30 20:23:49 0 d-------- C:\Program Files\Desktop Hijack fix
2008-07-30 20:23:06 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-07-30 19:12:33 0 d--h----- C:\Documents and Settings\cbentti\Recent
2008-07-30 06:06:56 0 d-------- C:\Documents and Settings\cbentti\Application Data\TmpRecentIcons
2008-07-30 06:04:07 34176 --a------ C:\WINDOWS\system32\fccaYspN.dll
2008-07-27 12:22:41 0 d-------- C:\Program Files\Easy Adder
2008-07-27 09:36:50 0 d-------- C:\Program Files\MySpaceMusicPromoter
2008-07-27 09:28:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 01:04:47 0 d-------- C:\WINDOWS\system32\kBin15
2008-07-24 01:04:47 0 d-------- C:\Temp
2008-07-22 23:25:24 0 d-------- C:\Program Files\view cool license
2008-07-15 23:08:14 21008 -----n--- C:\WINDOWS\system32\Ctl3d.dll <Not Verified; Microsoft Corporation; 3d Windows Control>
2008-07-15 23:08:03 0 d-------- C:\Program Files\Serif
2008-07-12 01:43:36 0 d-------- C:\Documents and Settings\cbentti\Application Data\BitDownload
2008-07-12 01:42:49 0 d-------- C:\Documents and Settings\All Users\Application Data\live 64 math does
2008-07-12 01:42:31 0 d-------- C:\Documents and Settings\cbentti\Application Data\view cool license
2008-07-12 01:42:13 0 d-------- C:\Program Files\BitDownload
2008-07-12 01:06:04 0 d-------- C:\Documents and Settings\cbentti\Application Data\.wyzo


-- Find3M Report ---------------------------------------------------------------

2008-07-31 05:14:33 0 d-------- C:\Program Files\Spyware Doctor
2008-07-30 22:45:11 0 d-------- C:\Documents and Settings\cbentti\Application Data\LimeWire
2008-07-27 09:28:20 0 d-------- C:\Program Files\Common Files
2008-07-16 15:22:54 0 d-------- C:\Documents and Settings\cbentti\Application Data\Adobe
2008-07-12 00:58:30 0 d-------- C:\Program Files\LimeWire
2008-07-01 01:13:30 0 d-------- C:\Program Files\VirtualDJ


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71B4822F-8642-460D-A7BE-8CE2DBC17A37}]
07/30/2008 20:56 323328 --a------ C:\WINDOWS\system32\yaywxuTM.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [07/05/2007 14:58]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [07/05/2007 14:51]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [05/28/2008 22:00]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [11/12/2007 10:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 20:05]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [07/28/2008 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [9/25/2007 8:35:50 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [6/29/2006 12:52:57 PM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"=
"NoLogOff"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 07/05/2007 14:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
C:\Program Files\Lenovo\AwayTask\AwayNotify.dll 04/13/2006 02:05 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 07/05/2005 23:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 11/30/2005 20:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yaywxuTM
"Notification Packages"= scecli csspwntfy ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fb367d0-60dd-11dc-b657-444553544200}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee5de0df-1ad5-11dd-b66d-444553544200}]
AutoRun\command- E:\DCoTMenu.exe
menu\command- E:\DCoTMenu.exe




-- End of Deckard's System Scanner: finished at 2008-07-31 19:46:03 ------------



THANKS

Edited by aliasjones, 01 August 2008 - 02:48 AM.

  • 0

#6
aliasjones
Posted 01 August 2008 - 02:17 AM

aliasjones

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Just stopped by to check in..I actually added a few details but then decided to add them to the prvious post..
I don't see a delete option for the reply...So I edited.

Anyway, please see the previous reply

Thanks

Edited by aliasjones, 01 August 2008 - 02:23 AM.

  • 0

#7
Jimmy2012
Posted 01 August 2008 - 10:31 AM

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello aliasjones,
The steps that I am about to suggest involve modifying the registry. Modfying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot preform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

STEP 1
I see that you have P2P(Peer to Peer) programs on your computer.While the programs it self may be safe the files you get can be illegal and can also have malware in them also. I recommend you remove the following programs.(if you do not want to remove the P2P programs please skip this step and go to the next one)

Please click start>control panel>add/remove programs. And remove the following programs(if present)Also remove any other P2P programs you may have.
BitDownload
LimeWire

Once you have done that please remove following folders(if present)
C:\Documents and Settings\cbentti\Application Data\BitDownload
C:\Program Files\BitDownload
C:\Documents and Settings\cbentti\Application Data\LimeWire
C:\Program Files\LimeWire

STEP 2
Please reopen HijackThis and click on Do a system scan only.And put a check next to the following entries.

O2 - BHO: (no name) - {71B4822F-8642-460D-A7BE-8CE2DBC17A37} -
C:\WINDOWS\system32\yaywxuTM.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Once you have the checks in those entries please make sure all open windows are closed(keep HijackThis open) and click Fix checked on HijackThis. A box will open up asking if you want to fix the selected items, please click yes. After you have fixed those entires you can close HijackThis.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\WINDOWS\system32\oarfnodc.dll
C:\WINDOWS\system32\rxuoabfe.dll
C:\WINDOWS\system32\MTuxwyay.ini2
C:\WINDOWS\system32\yaywxuTM.dll
C:\WINDOWS\system32\fccaYspN.dll
C:\Documents and Settings\All Users\Application Data\live 64 math does
C:\Program Files\view cool license
C:\Documents and Settings\cbentti\Application Data\view cool license
C:\WINDOWS\system32\kBin15
E:\LaunchU3.exe
E:\DCoTMenu.exe
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fb367d0-60dd-11dc-b657-444553544200}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee5de0df-1ad5-11dd-b66d-444553544200}
purity
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP 3
Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Then double click on the fix.reg file, when it prompts to merge click "Yes".

STEP 4
Please rescan with DSS
  • Click on Start, click on Run
  • Copy and paste the following in bold in the open window and then click OK
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All
  • Click Scan
  • DSS will now run again
  • When finished, please post back both logs that open in notepad: main.txt and extra.txt
~~~~~~~~~~~
In your next reply please have these logs.
The OTMoveIt2 log
And the DSS main.txt and extra.txt
  • 0

#8
Rorschach112
Posted 04 August 2008 - 03:08 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP