
Please help remove BackDoor.t trojan [RESOLVED]


  • This topic is locked

#1
Crazyseal

Crazyseal

    Member

  • Member
  • 12 posts
I recently got infected with the BackDoor.t trojan while viewing a public message board I've been visiting on a regular basis. My McAfee AV pops up alert messages about this trojan but is unable to remove it from the system during a Full Scan.

Your help removing this trojan will be greatly appreciated!!

I'm running XP Home Edition SP2 on my laptop and it's been up to date with Windows Updates and McAfee Security updates.

Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:17 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Config2500\Utility\Config2500.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\WServing.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Isaac\Desktop\Crazyseal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - Global Startup: Config2500.lnk = C:\Program Files\Config2500\Utility\Config2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe

--
End of file - 5480 bytes


Below is my Uninstall List:

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Agere Systems AC'97 Modem v2136D
AIM 6
ALPS Touch Pad Driver
Athlon 64 Processor Driver
Basic Webcam
CCleaner (remove only)
Config2500 WLAN Software 3.0.1.0
DigiQuote
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DV 5900
Easy CD & DVD Creator 6
GOM Player
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Kids Cam Show and Share Creativity Center
LimeWire 4.18.3
Macromedia Flash Player 8
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Windows Journal Viewer
Microsoft Works 7.0
MyDSC2
Picasa 2
PowerDVD
QuickTime
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Messenger

I forgot to mention that this trojan hijacked my security settings and doesn't allow me to download programs off the internet. It also turns off my McAfee Firewall each time I restart my computer. I use a portable memory stick to download antispyware programs off my desktop and then load them to my laptop, but when I try to run a scan the computer shuts off after a few minutes of scan. PLEASE HELP!!
THANK YOU.

Edited by Crazyseal, 13 August 2008 - 10:20 AM.

  • 0



#2
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Crazyseal, and welcome to Geeks to go. I'm currently reading over your log right now and I'll do my best to try to get your system clean. :)

Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert.
  • 0

#3
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Crazyseal,
If you have any questions please feel free to ask. :)

From what you said in your post you may need to download the tools I ask you to use to another computer and move them to the infected one.

STEP 1
Please click Start>Control Panel>Add or Remove Programs and remove the following program (if present):
Viewpoint Media Player

Please reopen HijackThis, click on Do a system scan only, and put a check next to the following lines.

O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe

Once you have the checks in those lines please make sure all open windows are closed (keep HijackThis open) and click Fix checked on HijackThis. A box will open up asking if you want to fix the selected items, please click Yes. After you have fixed those lines you can close HijackThis.


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    macidwe <delete service>
    nobicyt <delete service>
    perfs <delete service>
    sobicyt <delete service>
    tdxdowkc <delete service>
    wserving <delete service>
    C:\WINDOWS\system32\macidwe.exe
    C:\WINDOWS\system32\Nobicyt.exe
    C:\WINDOWS\system32\perfs.exe
    C:\WINDOWS\system32\sobicyt.exe
    C:\WINDOWS\system32\tdxdowkc.exe
    C:\WINDOWS\system32\WServing.exe
    C:\Program Files\Viewpoint
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP 2
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
~~~~~~~~~~~
In your next reply please have these logs.
The OTMoveIt2 log
And the DSS main.txt and extra.txt
  • 0
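The six O23 lines Jimmy2012 singled out in STEP 1 share two traits: HijackThis could not attribute a vendor ("Unknown owner") and the service image is a loose executable with a random-looking name sitting directly in system32. The script below is an added example, not the helper's or the site's own tool: it parses O23 service lines from a HijackThis 2.0.2 log, applies that same heuristic, and emits both the lines to tick in HijackThis and an OTMoveIt2 move list in the layout the helper posted. The sample input is constructed from the O23 lines in this thread (a few legitimate McAfee and Viewpoint services are kept in to show they are not flagged); the heuristic is an assumption of this example, not a rule from the page, and "Unknown owner" on its own is weak evidence, since unsigned but legitimate drivers also show it.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O23 (service) lines from the HijackThis log posted in
# this thread, including legitimate McAfee/Viewpoint services for contrast.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe
"""

# One O23 line has the shape:
#   O23 - Service: <display name> [(<short name>)] - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass
class ServiceEntry:
    name: str   # name OTMoveIt2 deletes by: the short name if HJT printed one
    owner: str
    path: str
    raw: str    # the original log line, to paste back into HijackThis


def parse_o23(log_text):
    """Return every O23 service entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            name = m.group("short") or m.group("display")
            entries.append(ServiceEntry(name, m.group("owner"), m.group("path"), line.strip()))
    return entries


def is_suspicious(entry):
    # Heuristic (an assumption of this example, mirroring the helper's picks):
    # the vendor is unattributed AND the image lives directly in system32.
    # Either condition alone is too weak; legitimate unsigned drivers also
    # report "Unknown owner", and vendors do install into system32.
    in_system32 = entry.path.lower().startswith("c:\\windows\\system32\\")
    return entry.owner == "Unknown owner" and in_system32


def find_suspicious_services(log_text):
    return [e for e in parse_o23(log_text) if is_suspicious(e)]


def build_otmoveit_list(flagged, extra_folders=()):
    # Same layout as the list posted in STEP 1: stop Explorer, delete the
    # services, move their image files (and any extra folders), clean temp
    # files, then restart Explorer.
    lines = ["[kill explorer]"]
    lines += [f"{e.name} <delete service>" for e in flagged]
    lines += [e.path for e in flagged]
    lines += list(extra_folders)
    lines += ["purity", "EmptyTemp", "[start explorer]"]
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = find_suspicious_services(SAMPLE_HJT_LOG)
    print("HijackThis lines to check:")
    for e in flagged:
        print("  " + e.raw)
    print("\nOTMoveIt2 list:")
    print(build_otmoveit_list(flagged, extra_folders=[r"C:\Program Files\Viewpoint"]))
```

Treat the output as a triage aid, not a verdict: a flagged entry still deserves a look at the file's version information, creation date and digital signature before it is removed, which is exactly what a helper reviewing the log does by hand.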

#4
Crazyseal

Crazyseal

    Member

  • Topic Starter
  • Member
  • 12 posts
Jimmy,

Thanks for your reply!
I followed STEP 1 and after the computer reboot my IE browser gives me a "Can't find server" / "Page can't be found" error, so I can't post the OTMoveIt2 log generated (I'm on my desktop right now). What went wrong here?
  • 0

#5
Crazyseal

Crazyseal

    Member

  • Topic Starter
  • Member
  • 12 posts
I was finally able to get my laptop back online so I'm posting the logs you requested. Please let me know what's the next move.

OTMoveIt2 log:

Explorer killed successfully
macidwe service deleted successfully.
nobicyt service deleted successfully.
perfs service deleted successfully.
sobicyt service deleted successfully.
tdxdowkc service deleted successfully.
wserving service deleted successfully.
C:\WINDOWS\system32\macidwe.exe moved successfully.
C:\WINDOWS\system32\Nobicyt.exe moved successfully.
C:\WINDOWS\system32\perfs.exe moved successfully.
C:\WINDOWS\system32\sobicyt.exe moved successfully.
C:\WINDOWS\system32\tdxdowkc.exe moved successfully.
C:\WINDOWS\system32\WServing.exe moved successfully.
File/Folder C:\Program Files\Viewpoint not found.
< purity >
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\fb_1412.lck scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_qgPaYYcWy0ghbbF scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_ZsdDIk7nW0TchfC scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta117960.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta36995.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta53147.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta58110.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta72794.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta73039.dll scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08132008_174752

Files moved on Reboot...
File C:\WINDOWS\temp\fb_1412.lck not found!
File C:\WINDOWS\temp\mcmsc_qgPaYYcWy0ghbbF not found!
C:\WINDOWS\temp\mcmsc_ZsdDIk7nW0TchfC moved successfully.
C:\WINDOWS\temp\mta117960.dll unregistered successfully.
C:\WINDOWS\temp\mta117960.dll moved successfully.
C:\WINDOWS\temp\mta36995.dll unregistered successfully.
C:\WINDOWS\temp\mta36995.dll moved successfully.
C:\WINDOWS\temp\mta53147.dll unregistered successfully.
C:\WINDOWS\temp\mta53147.dll moved successfully.
C:\WINDOWS\temp\mta58110.dll unregistered successfully.
C:\WINDOWS\temp\mta58110.dll moved successfully.
C:\WINDOWS\temp\mta72794.dll unregistered successfully.
C:\WINDOWS\temp\mta72794.dll moved successfully.
C:\WINDOWS\temp\mta73039.dll unregistered successfully.
C:\WINDOWS\temp\mta73039.dll moved successfully.

DSS main log:

Deckard's System Scanner v20071014.68
Run by Isaac on 2008-08-13 22:46:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-14 02:46:37 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as Isaac.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:31 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Documents and Settings\Isaac\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\DOCUME~1\Isaac\Desktop\Isaac.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - Global Startup: Config2500.lnk = C:\Program Files\Config2500\Utility\Config2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 4387 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Isaac\Desktop\backups\) ---------------

backup-20080813-173847-221 O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
backup-20080813-173847-233 O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
backup-20080813-173847-261 O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe
backup-20080813-173847-440 O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
backup-20080813-173847-826 O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
backup-20080813-173847-920 O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SiSkp - c:\windows\system32\drivers\srvkp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS ® WindowsXP Display Manager>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>
R3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>
R3 SiS315 - c:\windows\system32\drivers\sisgrp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS ® Compatible Super VGA Miniport Driver for Windows XP>

S3 F-Secure Standalone Minifilter - c:\docume~1\isaac\locals~1\temp\onlinescanner\anti-virus\fsgk.sys (file missing)
S3 HwIOctl - c:\documents and settings\owner\desktop\hwioctl.sys (file missing)
S3 Ktp3 (Elantech TouchPad(KTP3)) - c:\windows\system32\drivers\ktp3.sys <Not Verified; Elantech Devices Corp.; Elantech Touchpad(KTP3)>
S3 M2500 (802.11g Wireless Network Driver) - c:\windows\system32\drivers\m2500.sys <Not Verified; Ralink Technology Inc.; RT2500 802.11g Wireless Adapters>
S3 Memctl - c:\documents and settings\owner\desktop\memctl.sys (file missing)
S3 Secdrv - c:\windows\system32\drivers\secdrv.sys (file missing)
S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 seictrl (Security Control) - c:\windows\system32\rundll32.exe dbi102.dll,scan (file missing)
S4 afinding (afinding Service) - c:\windows\system32\afinding.exe
S4 DigiQuoteService - "c:\program files\uga\salesapp\wrapper.exe" -s "c:\program files\uga\salesapp\\config\wrapper.conf" (file missing)
S4 routing (routing Service) - c:\windows\system32\routing.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-19 10:03:01 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-06-19 10:03:00 332 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-07-13 and 2008-08-13 -----------------------------

2008-08-13 22:46:02 0 dr-h----- C:\Documents and Settings\Isaac\Recent
2008-08-13 10:42:13 0 d-------- C:\fsaua.data
2008-08-12 01:09:16 0 d---s---- C:\Documents and Settings\LocalService\UserData
2008-08-09 10:06:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-08 17:02:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-08 17:02:03 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-08-08 14:38:54 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-08 14:38:42 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-08 14:38:42 0 d-------- C:\Documents and Settings\Isaac\Application Data\SUPERAntiSpyware.com
2008-08-08 11:45:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-08 10:52:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-08-08 10:23:14 0 d-------- C:\Documents and Settings\Isaac\Application Data\McAfee
2008-07-18 12:18:49 0 d-------- C:\282aaeac37bc0dbe14


-- Find3M Report ---------------------------------------------------------------

2008-08-09 21:06:09 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-09 21:03:29 0 d-------- C:\Program Files\Common Files
2008-08-08 23:57:53 3 --a------ C:\WINDOWS\system32\fhpatch.dll
2008-08-08 23:57:50 117615 --a------ C:\WINDOWS\system32\new2.exe
2008-07-26 11:03:36 4 --a------ C:\WINDOWS\system32\riphy.dll
2008-07-26 11:03:36 4 --a------ C:\WINDOWS\system32\iphy.dll
2008-07-26 03:43:55 0 d-------- C:\Program Files\LimeWire
2008-07-19 16:56:20 102400 --a------ C:\WINDOWS\system32\IPHOST.dll
2008-06-19 10:24:51 0 d-------- C:\Program Files\McAfee
2008-06-19 10:03:38 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-19 10:02:49 0 d-------- C:\Program Files\McAfee.com


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/2003 10:44 PM]
"SoundMan"="SOUNDMAN.EXE" [09/22/2004 01:58 PM C:\WINDOWS\SOUNDMAN.EXE]
"SiSPower"="SiSPower.dll" [09/22/2004 02:01 PM C:\WINDOWS\system32\SiSPower.dll]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [09/02/2004 05:44 PM]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [09/22/2004 02:00 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [12/05/2003 01:22 AM]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 11:22 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Config2500.lnk - C:\Program Files\Config2500\Utility\Config2500.exe [2/24/2005 11:46:16 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1152498985\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"DigiQuoteService"=2 (0x2)
"sobicyt"=2 (0x2)
"routing"=2 (0x2)
"gusvc"=3 (0x3)
"afinding"=2 (0x2)
"macidwe"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-08-13 22:48:24 ------------

DSS Extra log:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 479.36 MiB / 133.44 MiB
Pagefile Memory (total/avail): 1122.59 MiB / 847.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1946.39 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 12.09 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N080ATMR04-0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee) Disabled
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\UGA\\SalesApp\\JRE\\bin\\javaw.exe"="C:\\Program Files\\UGA\\SalesApp\\JRE\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1152498985\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1152498985\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1152498985\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1152498985\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Isaac\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Isaac
LOGONSERVER=\\LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 28 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=1c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Isaac\LOCALS~1\Temp
TMP=C:\DOCUME~1\Isaac\LOCALS~1\Temp
USERDOMAIN=LAPTOP
USERNAME=Isaac
USERPROFILE=C:\Documents and Settings\Isaac
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Isaac (admin)
Administrator.LAPTOP (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Agere Systems AC'97 Modem v2136D --> agrsmdel
AIM 6 --> C:\Program Files\AIM6\uninst.exe
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
Basic Webcam --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{701FD972-904D-458E-A7E5-6F1F13F3D946} /l1033
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Config2500 WLAN Software 3.0.1.0 --> MsiExec.exe /I{C76145F4-19F6-407D-AEE5-CE1D376FA777}
DigiQuote --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchiSetup -ether"C:\Program Files\InstallShield Installation Information\{375E7534-7FFE-463A-8FEC-D36696170519}" -L0x9
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DV 5900 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C589DCD8-CA7F-4966-9648-EE41CEA52E8C}\Setup.exe"
Easy CD & DVD Creator 6 --> MsiExec.exe /I{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "E:\HijackThis.exe" /uninstall
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{00FC6799-866E-44A1-A60C-DCF394CF56FD}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kids Cam Show and Share Creativity Center --> C:\PROGRA~1\KIDSCA~1\Setup.exe /remove /q0
LimeWire 4.18.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MyDSC2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83D96ED0-98AA-4515-8DDC-816F3EFDD104}\Setup.exe" -l0x9
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe
SiS VGA Utilities --> Rundll32 SiSInst.dll,Uninstall VGA,R,oem6.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type2654 / Error
Event Submitted/Written: 08/12/2008 10:28:36 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type2653 / Error
Event Submitted/Written: 08/12/2008 10:28:36 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type2154 / Error
Event Submitted/Written: 08/11/2008 04:29:26 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application IEXPLORE.EXE, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x01e91d60.
Processing media-specific event for [IEXPLORE.EXE!ws!]

Event Record #/Type1635 / Success
Event Submitted/Written: 08/08/2008 08:45:41 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1609 / Error
Event Submitted/Written: 08/08/2008 03:38:06 PM
Event ID/Source: 1508 / Userenv
Event Description:
Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.


DETAIL - The media is write protected. for C:\Documents and Settings\Isaac\Local Settings\Application Data\Microsoft\Windows\\UsrClass.dat



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4236 / Error
Event Submitted/Written: 08/13/2008 10:45:37 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Security Control service to connect.

Event Record #/Type4235 / Error
Event Submitted/Written: 08/13/2008 10:45:37 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DV 5900(Video) service failed to start due to the following error:
%%1058

Event Record #/Type4234 / Error
Event Submitted/Written: 08/13/2008 10:45:37 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The 6to4 service terminated with the following error:
%%126

Event Record #/Type4206 / Error
Event Submitted/Written: 08/13/2008 09:36:06 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Security Control service to connect.

Event Record #/Type4205 / Error
Event Submitted/Written: 08/13/2008 09:36:06 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DV 5900(Video) service failed to start due to the following error:
%%1058



-- End of Deckard's System Scanner: finished at 2008-08-13 22:48:24 ------------

Edited by Crazyseal, 13 August 2008 - 09:10 PM.

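The DSS report above is read by eye for two kinds of oddity: executables in system32 that are far too small to be real PE images or carry no version information, and an autostart entry that runs a file named like a core Windows process from the wrong directory. The script below is an added triage example, not part of the thread or of DSS/OTMoveIt2; the sample lines are copied from this page's own log, and the size threshold and process-name list are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# A DSS file-listing line: "<date> <time> <size> <attrs> <path> [<version info>]"
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.*?)(?: <(?P<verinfo>[^>]*)>)?$"
)
# A "msconfig\startupreg\<name>" key in the DSS registry dump; its command line follows on the next line
STARTUPREG_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")  # PureWindowsPath compares case-insensitively
PE_EXTENSIONS = {".dll", ".exe", ".sys"}
MIN_PE_SIZE = 64  # assumption: a file smaller than the 64-byte DOS header cannot be a loadable PE
CORE_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

# Constructed sample: Find3M / "Files created" lines taken from the DSS log on this page
SAMPLE_FILE_LINES = [
    r"2008-08-09 21:06:09 0 d-------- C:\Program Files\Common Files\Symantec Shared",
    r"2008-08-08 23:57:53 3 --a------ C:\WINDOWS\system32\fhpatch.dll",
    r"2008-08-08 23:57:50 117615 --a------ C:\WINDOWS\system32\new2.exe",
    r"2008-07-26 11:03:36 4 --a------ C:\WINDOWS\system32\riphy.dll",
    r"2008-07-26 11:03:36 4 --a------ C:\WINDOWS\system32\iphy.dll",
    r"2008-07-19 16:56:20 102400 --a------ C:\WINDOWS\system32\IPHOST.dll",
    r"2008-08-08 17:02:03 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>",
]

# Constructed sample: startupreg entries taken from the DSS registry dump on this page
SAMPLE_STARTUPREG_LINES = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]",
    r"C:\WINDOWS\Fonts\svchost.exe",
    "",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]",
    r'"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp',
    "",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]",
    r"C:\Program Files\iTunes\iTunesHelper.exe",
]


def triage_file_lines(lines):
    """Flag executables in system32 that are impossibly small or carry no version resource."""
    findings = []
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if not m or m["attrs"].startswith("d"):
            continue  # directories and lines in another format are not of interest here
        path = PureWindowsPath(m["path"])
        if path.suffix.lower() not in PE_EXTENSIONS or path.parent != SYSTEM32:
            continue
        size = int(m["size"])
        if size < MIN_PE_SIZE:
            findings.append((str(path), f"{size}-byte file cannot be a valid PE image"))
        elif m["verinfo"] is None:
            # DSS prints vendor/product data in <...> when the file has a version resource
            findings.append((str(path), "executable in system32 with no version information"))
    return findings


def triage_startupreg(lines):
    """Flag autostart entries whose binary borrows a core Windows process name but lives outside system32."""
    findings = []
    current = None
    for line in lines:
        line = line.strip()
        key = STARTUPREG_KEY.match(line)
        if key:
            current = key["name"]
            continue
        if current is None or not line:
            continue
        name, current = current, None  # exactly one value line follows each key
        exe = re.match(r'^"?(?P<exe>[^"]+?\.exe)"?', line, re.IGNORECASE)
        if not exe:
            continue
        path = PureWindowsPath(exe["exe"])
        if path.name.lower() in CORE_PROCESS_NAMES and path.parent != SYSTEM32:
            findings.append((str(path), f"startup entry '{name}' runs {path.name} from outside system32"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_file_lines(SAMPLE_FILE_LINES) + triage_startupreg(SAMPLE_STARTUPREG_LINES):
        print(f"{path}: {reason}")
```

Run against the sample it flags exactly the five system32 files the helper lists for OTMoveIt2 and the Fonts\svchost.exe entry, while the Microsoft-labelled MSSTDFMT.DLL and the ordinary iTunes/AOL entries pass.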

#6
Jimmy2012
    Trusted Helper
  • Retired Staff
  • 6,238 posts
Hello Crazyseal,

STEP 1
I see that you have a P2P (Peer to Peer) program on your computer. While the programs themselves may be safe, the files you get can be illegal and can also have malware in them. I recommend you remove the following program. (If you do not want to remove the P2P programs, please skip this step and go to the next one.)

Please click Start > Control Panel > Add or Remove Programs and remove the following program (if present). Also remove any other P2P programs you may have.
Limewire

Once you have done that please remove following folder (if present)
C:\Program Files\LimeWire

STEP 2
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    afinding Service <delete service>
    Security Control <delete service>
    routing Service <delete service>
    C:\WINDOWS\system32\fhpatch.dll
    C:\WINDOWS\system32\iphy.dll
    C:\WINDOWS\system32\IPHOST.dll
    C:\WINDOWS\system32\riphy.dll
    C:\WINDOWS\system32\new2.exe
    c:\windows\system32\afinding.exe
    c:\windows\system32\routing.exe
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\sobicyt
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\routing
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\afinding
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\macidwe
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP 3
Please download DirLook by jpshortstuff from here.
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    C:\282aaeac37bc0dbe14
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.

STEP 4
Please rescan with DSS
  • Click on Start, click on Run
  • Copy and paste the following in bold in the open window and then click OK
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All
  • Click Scan
  • DSS will now run again
  • When finished, please post back both logs that open in notepad: main.txt and extra.txt
~~~~~~~~~
In your next reply please have these logs.
The OTMoveIt2 log
The DirLook log
And the DSS main.txt and extra.txt

#7
Crazyseal
    Member
  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Jimmy,

Following a reboot after STEP 2, my computer was totally messed up: it took forever to load the main screen and was missing the McAfee program, the wireless card and other items. After a few minutes the computer kept shutting down for no reason. I went back to OTMoveIt2 and restored the following paths:

C:\WINDOWS\system32\fhpatch.dll
C:\WINDOWS\system32\iphy.dll
C:\WINDOWS\system32\IPHOST.dll
C:\WINDOWS\system32\riphy.dll
C:\WINDOWS\system32\new2.exe

After another reboot my computer seems to be operating normally again and I have an Internet connection once again.

Now, each time I run the IE browser, after a few minutes the browser closes and an alert window from McAfee AV comes up with the following message:
Trojan Removed
McAfee has automatically blocked and removed a Trojan
About this Trojan
Detected: BackDoor-DPS (Trojan), BackDoor-DPS (Trojan)
Location: C\WINDOWS\system32\IPHACTION.dll

OTMoveIt2 log:
Explorer killed successfully
Service not present: afinding Service.
Service not present: Security Control.
Service not present: routing Service.
LoadLibrary failed for C:\WINDOWS\system32\fhpatch.dll
C:\WINDOWS\system32\fhpatch.dll NOT unregistered.
C:\WINDOWS\system32\fhpatch.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\iphy.dll
C:\WINDOWS\system32\iphy.dll NOT unregistered.
C:\WINDOWS\system32\iphy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\IPHOST.dll
C:\WINDOWS\system32\IPHOST.dll NOT unregistered.
C:\WINDOWS\system32\IPHOST.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\riphy.dll
C:\WINDOWS\system32\riphy.dll NOT unregistered.
C:\WINDOWS\system32\riphy.dll moved successfully.
File move failed. C:\WINDOWS\system32\new2.exe scheduled to be moved on reboot.
c:\windows\system32\afinding.exe moved successfully.
c:\windows\system32\routing.exe moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\sobicyt >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\sobicyt deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\routing >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\routing deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\afinding >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\afinding deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\macidwe >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\macidwe deleted successfully.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Isaac\LOCALS~1\Temp\~DF8653.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Isaac\LOCALS~1\Temp\~DF86A2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Isaac\LOCALS~1\Temp\~DFD693.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Isaac\LOCALS~1\Temp\~DFD6B4.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\fb_1216.lck scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_clDdXCDu6dF3B2u scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_9qu9PbSQoeD8HiO scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08142008_212423

Files moved on Reboot...
File C:\WINDOWS\system32\new2.exe not found!
File C:\DOCUME~1\Isaac\LOCALS~1\Temp\~DF8653.tmp not found!
File C:\DOCUME~1\Isaac\LOCALS~1\Temp\~DF86A2.tmp not found!
File C:\DOCUME~1\Isaac\LOCALS~1\Temp\~DFD693.tmp not found!
File C:\DOCUME~1\Isaac\LOCALS~1\Temp\~DFD6B4.tmp not found!
File C:\WINDOWS\temp\fb_1216.lck not found!
File C:\WINDOWS\temp\mcafee_clDdXCDu6dF3B2u not found!
File C:\WINDOWS\temp\mcmsc_9qu9PbSQoeD8HiO not found!

DirLook log:
DirLook.exe by jpshortstuff
Log created at 23:08:24 on Thu 08/14/2008

==============================

Contents of "C:\282aaeac37bc0dbe14" (inc. hidden/system files/folders)

---FOLDERS---


---FILES---

$shtdwn$.req (788 bytes, created: 07/18/2008 12:18 PM) --ah-----
mrt.exe._p (746117 bytes, created: 06/25/2008 09:21 AM) --a------
mrtstub.exe (37496 bytes, created: 06/25/2008 09:15 AM) --a------

==============================

=EOF=

Main.txt log:

Deckard's System Scanner v20071014.68
Run by Isaac on 2008-08-15 00:07:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as Isaac.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:50 AM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Config2500\Utility\Config2500.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Documents and Settings\Isaac\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Isaac\Desktop\Isaac.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - Global Startup: Config2500.lnk = C:\Program Files\Config2500\Utility\Config2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 4397 bytes

-- Files created between 2008-07-15 and 2008-08-15 -----------------------------

2008-08-14 22:21:15 0 dr-h----- C:\Documents and Settings\Isaac\Recent
2008-08-14 21:59:43 0 d-------- C:\4164d84cbd95a8359705
2008-08-14 21:51:09 4 --a------ C:\WINDOWS\system32\riphy.dll
2008-08-14 21:51:09 4 --a------ C:\WINDOWS\system32\iphy.dll
2008-08-14 21:51:09 102400 --a------ C:\WINDOWS\system32\IPHOST.dll
2008-08-14 21:51:09 3 --a------ C:\WINDOWS\system32\fhpatch.dll
2008-08-13 10:42:13 0 d-------- C:\fsaua.data
2008-08-12 01:09:16 0 d---s---- C:\Documents and Settings\LocalService\UserData
2008-08-09 10:06:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-08 17:02:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-08 17:02:03 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-08-08 14:38:54 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-08 14:38:42 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-08 14:38:42 0 d-------- C:\Documents and Settings\Isaac\Application Data\SUPERAntiSpyware.com
2008-08-08 11:45:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-08 10:52:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-08-08 10:23:14 0 d-------- C:\Documents and Settings\Isaac\Application Data\McAfee
2008-07-18 12:18:49 0 d-------- C:\282aaeac37bc0dbe14


-- Find3M Report ---------------------------------------------------------------

2008-08-14 22:15:22 0 d-------- C:\Program Files\Messenger
2008-08-09 21:06:09 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-09 21:03:29 0 d-------- C:\Program Files\Common Files
2008-07-26 03:43:55 0 d-------- C:\Program Files\LimeWire
2008-06-19 10:24:51 0 d-------- C:\Program Files\McAfee
2008-06-19 10:03:38 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-19 10:02:49 0 d-------- C:\Program Files\McAfee.com


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/2003 10:44 PM]
"SoundMan"="SOUNDMAN.EXE" [09/22/2004 01:58 PM C:\WINDOWS\SOUNDMAN.EXE]
"SiSPower"="SiSPower.dll" [09/22/2004 02:01 PM C:\WINDOWS\system32\SiSPower.dll]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [09/02/2004 05:44 PM]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [09/22/2004 02:00 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [12/05/2003 01:22 AM]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 11:22 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Config2500.lnk - C:\Program Files\Config2500\Utility\Config2500.exe [2/24/2005 11:46:16 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1152498985\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"DigiQuoteService"=2 (0x2)
"gusvc"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-08-15 00:08:35 ------------
  • 0

#8
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Crazyseal,

Following a reboot after STEP 2 my computer was totally messed up, took forever to load the main screen and was missing the McAfee program, the wireless card and other items. After a few minutes the computer kept shutting down for no reason.

Well, from looking at those files it seems they had modified one of your svchost files; that seems to be what caused your computer to mess up. The following scan should be able to take care of that.


Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0
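The clue Jimmy2012 is pointing at is visible in the DSS registry dump above: a "Host Process" autostart entry launching svchost.exe from C:\WINDOWS\Fonts rather than from system32. As an added illustration (not code from the thread, from DSS or from HijackThis), the script below parses constructed sample lines in the HijackThis O4 and DSS startupreg styles and flags protected system-binary names that start from an unexpected directory; the name list and expected directories are assumptions.

```python
"""Flag well-known Windows system binary names that autostart from an
unexpected directory, using HijackThis O4 lines and DSS registry-dump
startupreg entries as input (constructed sample at the bottom)."""
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed: names that legitimately live only in the Windows system directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "spoolsv.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Pulls the first absolute .exe path out of either line style, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.exe)"?', re.IGNORECASE)


def extract_exe(line: str) -> Optional[str]:
    """Return the first absolute .exe path in a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def is_masquerade(path: str) -> bool:
    """True when a protected system binary name runs outside the system dir."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_BINARIES:
        return False
    return str(p.parent).lower() not in EXPECTED_DIRS


def scan_log(text: str) -> List[str]:
    """Return every autostart path in the log that looks like a masquerade."""
    hits = []
    for line in text.splitlines():
        exe = extract_exe(line)
        if exe and is_masquerade(exe):
            hits.append(exe)
    return hits


# Constructed sample: one HijackThis O4 style block and two DSS startupreg entries.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SiS Windows KeyHook] C:\\WINDOWS\\system32\\keyhook.exe
O4 - HKLM\\..\\Run: [MBkLogOnHook] C:\\Program Files\\McAfee\\MBK\\LogOnHook.exe
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Host Process]
C:\\WINDOWS\\Fonts\\svchost.exe
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\MSMSGS]
"C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious autostart:", hit)
```

Running it on the sample flags only the Fonts\svchost.exe entry; the genuine system32 and Program Files entries pass.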

#9
Crazyseal

Crazyseal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Jimmy,

I can't post a log!
After following the last step you gave me (ComboFix) I'm having the same problem loading Windows on my laptop and the machine shuts off after a few minutes. I'm at a loss here as I'm not sure what to do from here. Do I need to run the recovery console?

Thanks.
  • 0

#10
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Crazyseal,

After following the last step you gave me (ComboFix) I'm having the same problem loading windows on my laptop and the machine shuts off after a few minutes. I'm at a loss here as I'm not sure what to do from here. Do I need to run the recovery console?

That infection does not want to go away easily. Please try booting into Safe Mode, and let me know if it works.
Also, are there any errors it gives when it boots up or any errors before it shuts back down?

Please do not run the recovery console yet.

How to boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the option Safe Mode with Networking; you should start up in Safe Mode now.
5) Select your normal user account.

If you were able to get into Safe Mode please find this file.
C:\ComboFix.txt
And please copy/paste the text in that file in your next reply if you can.
  • 0

#11
Crazyseal

Crazyseal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Jimmy,

Thanks for your reply.
Even in Safe Mode with Networking it takes forever for the main screen to load, and once it's loaded it's missing a few things in the tray. I can't run a Search (blank screen) and I lost my networking as well, so no Internet connection.
I tried looking for C:\ComboFix.txt manually but I don't think it was generated since the computer shut off after the reboot while the log was generating. I forgot to mention that I get no error messages at all and McAfee Security doesn't load at all. The computer simply shuts off after a few minutes in both Normal and Safe modes.

Edited by Crazyseal, 15 August 2008 - 05:09 PM.

  • 0

#12
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Crazyseal,
Please boot into Safe Mode, and try to run a scan with DSS doing this.

  • Click on Start, click on Run
  • Copy and paste the following in bold in the open window and then click OK
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All
  • Click Scan
  • DSS will now run again
  • When finished, there will be two notepad files open up: main.txt and extra.txt
  • Please reboot your computer and copy/paste those two files in your next reply.
  • The files can be found here: C:\Deckard\System Scanner\main.txt and C:\Deckard\System Scanner\extra.txt

Edited by Jimmy2012, 16 August 2008 - 10:03 PM.

  • 0

#13
Crazyseal

Crazyseal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Jimmy,

I'm getting the following error message:

Windows cannot find "C:\Documents and settings\user\desktop\dss.exe"/config
  • 0

