I keep getting an error 34 and some screen saying it cannot find w000174.dll. Can someone please check over this and see if everything is OK. I already cleaned 499 viruses, malware, and other things from my computer. It's just running slow as the crap now. Just want to make sure everything is OK now. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:11:46 AM, on 1/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,ucefhbh.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/ireg.reg
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKLM\..\Run: [eli2b1f7] RUNDLL32.EXE w000f174.dll,n 0072b1f000000005000f174
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ycqqjmrA] C:\WINDOWS\ycqqjmrA.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pwinnoeb.exe SKY001
O4 - HKLM\..\Run: [wasarise] C:\WINDOWS\assembly\wasarise.exe
O4 - HKLM\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol hijack: mhtml -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Internet Protocol (netsvc) - Unknown owner - c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spools Spooler (Spools) - Unknown owner - c:\windows\system32\spools.exe (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
Hi gotaget, your computer is still heavily infected. I'd recommend you reformat your HD and reinstall Windows for security reasons, but we can also clean the infections if you like. It's up to you. If you feel more comfortable cleaning, please do the following:

Download [bold]ComboFix.exe[/bold] to the desktop from here.
Open [bold]ComboFix.exe[/bold] and follow the prompts.
[bold]Note[/bold]: Do not mouse-click ComboFix's window while it's running; it may cause it to stall.
When finished, it will produce a log for you. Post that log in your next reply along with a new HijackThis log.
I am gonna try and fix it, and if it still isn't looking good then I will start all over from scratch. Here is the Combo thing followed by the new HijackThis. Thanks for all your help.

Administrator - 07-01-10 13:38:24.92 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Alphonso Smith\Application Data\Dxcknwrd.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\taskmgr.com
C:\Program Files\Ipwins
C:\Program Files\Common Files\{30BA111F-0A62-1033-1202-030512200001}
C:\Program Files\Common Files\{50BA111F-0A61-1033-1202-030512200001}
C:\Program Files\Common Files\{50BA111F-0A62-1033-1202-030512200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1\?ymbols

((((((((((((((((((((((((((((((( Files Created from 2006-12-10 to 2007-01-10 ))))))))))))))))))))))))))))))))))
2007-01-09 10:16 <DIR> dr-h----- C:\Documents and Settings\Administrator\Recent
2007-01-09 09:28 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-08 23:53 57,344 --a------ C:\WINDOWS\yocul0578.exe
2007-01-08 23:32 930 --a------ C:\WINDOWS\SYSTEM32\winpfz32.sys
2007-01-08 23:28 184,389 --a------ C:\WINDOWS\SYSTEM32\pwinnoeb.exe
2007-01-08 23:20 256,000 --a------ C:\WINDOWS\xidcu0578.exe
2007-01-08 23:02 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-01-08 23:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2007-01-08 21:15 26,787 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-01-08 21:11 34,816 --a------ C:\WINDOWS\rau001978.exe
2007-01-08 21:10 65,536 --a------ C:\WINDOWS\dls0523pmw.exe
2007-01-08 21:10 381,920 -r-hs---- C:\WINDOWS\ycqqjmrA.exe
2007-01-08 21:09 46,592 --a------ C:\WINDOWS\ycqqjmr.exe
2007-01-05 18:02 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-01-05 18:02 <DIR> d-------- C:\Program Files\Grisoft
2007-01-05 18:02 <DIR> d-------- C:\Program Files\CCleaner
2007-01-05 18:00 <DIR> d-------- C:\Program Files\ewido anti-malware
2007-01-03 22:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-01-03 22:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-12-29 18:52 74,864 --a------ C:\WINDOWS\SYSTEM32\VetRedir.dll
2006-12-29 18:52 629,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetEFile.sys
2006-12-29 18:52 21,031 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Vet-Filt.sys
2006-12-29 18:52 15,478 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Vet-Rec.sys
2006-12-29 18:52 15,335 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetFDDNT.sys
2006-12-29 18:52 115,824 --a------ C:\WINDOWS\UnVet32.exe
2006-12-29 18:52 108,592 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetEBoot.sys
2006-12-29 18:52 107,632 --a------ C:\WINDOWS\AVShlExt.dll
2006-12-29 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2006-12-29 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-12-29 17:47 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2006-12-29 17:47 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2006-12-29 17:47 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2006-12-27 18:49 1,342 --a------ C:\WINDOWS\SYSTEM32\eli2b1f7.sys
2006-12-25 11:47 157,184 --a------ C:\WINDOWS\SYSTEM32\affxnds.dll
2006-12-24 15:07 277,044 ---hs---- C:\WINDOWS\SYSTEM32\awtsr.dll
2006-12-24 14:45 0 --a------ C:\jrsjgw.exe
2006-12-24 14:10 <DIR> d-------- C:\Program Files\AdSponsor
2006-12-23 11:56 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-23 11:51 184,320 --a------ C:\WINDOWS\sys0135437135912006.exe
2006-12-23 11:50 5,120 --a------ C:\WINDOWS\SYSTEM32\vxga3me2.exe
2006-12-23 11:49 22,541 ---hs---- C:\WINDOWS\SYSTEM32\byxustq.dll
2006-12-23 11:49 15 --a------ C:\WINDOWS\SYSTEM32\dlh9jkd1q8.exe
2006-12-23 11:48 276,992 --a------ C:\WINDOWS\SYSTEM32\ijsacm.exe
2006-12-23 11:48 125 --a------ C:\WINDOWS\ssmen.dll
2006-12-23 11:48 107,610 --a------ C:\WINDOWS\AtxPID29.exe
2006-12-21 12:15 23,552 --a------ C:\rimcqup.exe
2006-12-19 17:29 3,141 --a------ C:\dss.exe
2006-12-19 07:07 29,184 --------- C:\WINDOWS\SYSTEM32\rpcc.dll
2006-12-19 07:07 1,837 --a------ C:\fghxwjlm.exe
2006-12-11 16:17 <DIR> d-------- C:\Program Files\MyGlobalSearch

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
Rootkit driver pe386 is present. A rootkit scan is required
2007-01-10 13:06 -------- d-a------ C:\Program Files\Common Files
2007-01-10 12:47 -------- d-------- C:\Program Files\Windows Media Player
2007-01-09 00:48 -------- d-------- C:\Program Files\BearShare
2007-01-09 00:17 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-08 20:33 -------- d-------- C:\Program Files\Lx_cats
2007-01-05 18:03 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-12-29 17:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-25 11:36 -------- d-------- C:\Program Files\XoftSpy
2006-12-09 18:34 372784 --a------ C:\ymjsetup.exe
2006-12-01 13:53 624240 --a------ C:\WINDOWS\SYSTEM32\ImageControl.dll
2006-12-01 13:53 2684528 --a------ C:\WINDOWS\SYSTEM32\AxCtp2.dll
2006-11-28 14:57 16 --a------ C:\WINDOWS\SYSTEM32\start.bat
2006-11-20 15:15 0 --a------ C:\WINDOWS\SYSTEM32\winntsrv.exe
2006-11-06 18:50 38300432 --a------ C:\es_iwne.exe
2006-10-13 15:49 2468045 --a------ C:\packs.exe
2006-10-12 19:44 13817216 --a------ C:\pptrialr8.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinSP"="REGEDIT.EXE -s c:/ireg.reg"
"PCShield"="regsvr32 /s \"C:\\WINDOWS\\System32\\sfg_51cb.dll\""
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"lxcemon.exe"="\"C:\\Program Files\\Lexmark 4300 Series\\lxcemon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 4300 Series\\ezprint.exe\""
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"Microsoft Corp TLS Certificates"="msauth.exe"
"ijsacm"="c:\\windows\\system32\\ijsacm.exe ijsacm"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"ycqqjmrA"="C:\\WINDOWS\\ycqqjmrA.exe"
"xete"="C:\\WINDOWS\\browserxtras\\xete.exe"
"combofix"="c:\\subs\\combofix.cmd"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]
"combofix"="c:\\subs\\combofix.cmd"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp TLS Certificates"="msauth.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp. Critical Services"="csrs.exe"
"Microsoft Development Services"="msdevelop.exe"
"Microsoft Windows Socketx32 Services"="winsockx32.exe"
"Microsoft Windows Services Edt"="dllrun32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp. Critical Services"="csrs.exe"
"Microsoft Development Services"="msdevelop.exe"
"Microsoft Windows Socketx32 Services"="winsockx32.exe"
"Microsoft Windows Services Edt"="dllrun32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winkve32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 07-01-10 13:39:09.40
C:\ComboFix.txt ... 07-01-10 13:39
C:\ComboFix2.txt ... 07-01-10 13:06
Logfile of HijackThis v1.99.1
Scan saved at 1:43:18 PM, on 1/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/ireg.reg
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ycqqjmrA] C:\WINDOWS\ycqqjmrA.exe
O4 - HKLM\..\Run: [xete] C:\WINDOWS\browserxtras\xete.exe
O4 - HKLM\..\Run: [combofix] c:\subs\combofix.cmd
O4 - HKLM\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol hijack: mhtml -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Internet Protocol (netsvc) - Unknown owner - c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
You are running HijackThis from a temp folder. This means, when you fix something with HijackThis, a backup will not be created. Unzip (extract) the HijackThis.exe from the zip file to a permanent folder. Also, these HjT scans are being run from safe mode. Please run all HijackThis scans in normal mode.
------------------------------------------------------------------------
Go here and download [bold]CCleaner[/bold].
[bold]Note[/bold]: If you do not want [bold]Yahoo! Toolbar[/bold], uncheck the option when installing.
Open [bold]CCleaner[/bold]. Click [bold]Options[/bold] > [bold]Advance[/bold] > uncheck "Only delete files in Windows Temp folders older than 48 hours". Close all windows. Click Cleaner > [bold]Run Cleaner[/bold].

Run a scan only with HijackThis, check these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/ireg.reg
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKLM\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [ycqqjmrA] C:\WINDOWS\ycqqjmrA.exe
O4 - HKLM\..\Run: [xete] C:\WINDOWS\browserxtras\xete.exe
O4 - HKLM\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol hijack: mhtml -
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe

Close all windows except HijackThis, then click "Fix checked".

[bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.

Restart your computer in safe mode (press [bold]F8[/bold] upon boot, select "[bold]Safe Mode[/bold]" from the menu and press [bold]Enter[/bold]).

Open AVGAS and click "[bold]Scanner[/bold]". Click "[bold]Complete System Scan[/bold]". When it finishes scanning, set all items to "[bold]Quarantine[/bold]". Click "[bold]Apply All Actions[/bold]". Click "[bold]Save Report[/bold]" and save it to the desktop.

Show hidden files and folders. Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders". Click Apply, then OK.

Locate and delete these files (if there):
C:\WINDOWS\yocul0578.exe
C:\ireg.reg
C:\WINDOWS\System32\sfg_51cb.dll
C:\WINDOWS\System32\ijsacm.exe
C:\WINDOWS\ycqqjmrA.exe
C:\WINDOWS\ycqqjmr.exe
C:\WINDOWS\System32\rpcc.dll
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\SYSTEM32\winpfz32.sys
C:\WINDOWS\xidcu0578.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\SYSTEM32\eli2b1f7.sys
C:\jrsjgw.exe
C:\WINDOWS\sys0135437135912006.exe
C:\WINDOWS\SYSTEM32\byxustq.dll
C:\WINDOWS\SYSTEM32\dlh9jkd1q8.exe
C:\WINDOWS\SYSTEM32\ijsacm.exe
C:\fghxwjlm.exe

Please tell me which files are not there or non-deletable.

Restart in normal mode.

Download Rootkit Revealer from here. Create a new folder, named RKR, in C:\. Extract the files to the new folder. Open RootkitRevealer.exe. Close all other windows and click "Scan". Important: Leave the computer idle while the scan runs. When the scan is finished, click File > Save... to save the text file to the C:\RKR\ folder.

Run ComboFix again to get a fresh log.

Please post back with the RKR log, the ComboFix log and a new HijackThis log.
I am trying to do this: Show hidden files and folders. Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders". Click Apply, then OK. When I try, the Control Panel window pops up and says that Windows cannot find 'rundll32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search. What should I do now? Thanks
Along with the problem listed above my Etrust Antivirus keeps saying C[][][][][][][][]C:\Windows\System32\msauth.exe is infected with: Win32/Rbot.FYW Something else keeps bringing up the IE screen to do something. When i ran the Hijack again after i moved it everything but O4 - HKLM\..\Run: [xete] C:\WINDOWS\browserxtras\xete.exe O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm Fixed everything else then then ran the AVGAS and the report --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 10:59:10 AM 1/12/2007 + Scan result: C:\I386\P2P Networking v125.cpl -> Adware.P2PNet : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\vxga3me2.exe -> Backdoor.Small.nr : Cleaned with backup (quarantined). C:\Documents and Settings\LocalService\Local Settings\Temp\f408500.exe -> Downloader.Qoologic.bp : Cleaned with backup (quarantined). C:\Documents and Settings\NetworkService\Local Settings\Temp\f408500.exe -> Downloader.Qoologic.bp : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\affxnds.dll -> Downloader.Qoologic.bp : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\yuubi.dat -> Downloader.Qoologic.bp : Cleaned with backup (quarantined). C:\fghxwjlm.exe -> Downloader.Small.ecr : Cleaned with backup (quarantined). C:\dss.exe -> Downloader.Small.edb : Cleaned with backup (quarantined). C:\rimcqup.exe -> Not-A-Virus.Hoax.Win32.Renos.gc : Cleaned with backup (quarantined). C:\Documents and Settings\NetworkService\Local Settings\Temp\mst3E.tmp.mwt -> Trojan.Agent.vg : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\winkve32.dll.mwt -> Trojan.Agent.vg : Cleaned with backup (quarantined). C:\aoo\31 -> Trojan.Hidewindows.c : Cleaned with backup (quarantined). 
::Report end

Can't do the control panel. Deleted all the files except for:

C:\ireg.reg = not there
C:\WINDOWS\System32\sfg_51cb.dll = not there
C:\WINDOWS\System32\rpcc.dll = Says being used by another person or program
C:\WINDOWS\SYSTEM32\byxustq.dll = not there
C:\WINDOWS\SYSTEM32\ijsacm.exe = all I see is a dat file (wasn't sure)
C:\fghxwjlm.exe = not there

Ran Rootkit Revealer:

HKLM\SECURITY\Policy\Secrets\SAC* 9/3/2002 9:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/3/2002 9:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 1/12/2007 11:50 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc 1/12/2007 11:50 AM 8 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 9.62 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1337.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1337.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1337.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 13.14 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1338.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1338.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1338.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 9.96 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER133C.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER133C.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1341.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1341.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1341.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 14.00 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1342.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1342.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1342.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 14.46 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1343.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1343.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1343.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 4.44 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1344.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1344.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1344.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 3.49 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1346.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1346.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1346.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 228 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1347.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1347.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1347.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 3.40 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1348.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1348.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1348.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 3.49 KB Hidden from Windows API.
Alphonso Smith - 07-01-12 13:43:16.78 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Alphonso Smith\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Alphonso Smith\Application Data\Install.dat
C:\Documents and Settings\Alphonso Smith\Start Menu\Programs\Startup\z_start.lnk

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:
C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1\?ymbols

((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))

2007-01-12 11:37 <DIR> d-------- C:\RKR
2007-01-12 09:47 <DIR> dr-h----- C:\Documents and Settings\Alphonso Smith\Recent
2007-01-12 00:30 <DIR> d-------- C:\Program Files\hijackthis
2007-01-09 09:28 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-08 23:28 184,389 --a------ C:\WINDOWS\SYSTEM32\pwinnoeb.exe
2007-01-08 23:02 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-01-08 23:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2007-01-08 21:15 26,787 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-01-08 21:10 381,920 -r-hs---- C:\WINDOWS\ycqqjmrA.exe
2007-01-05 18:02 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-01-05 18:02 <DIR> d-------- C:\Program Files\Grisoft
2007-01-05 18:02 <DIR> d-------- C:\Program Files\CCleaner
2007-01-05 18:00 <DIR> d-------- C:\Program Files\ewido anti-malware
2006-12-29 18:52 74,864 --a------ C:\WINDOWS\SYSTEM32\VetRedir.dll
2006-12-29 18:52 629,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetEFile.sys
2006-12-29 18:52 21,031 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Vet-Filt.sys
2006-12-29 18:52 15,478 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Vet-Rec.sys
2006-12-29 18:52 15,335 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetFDDNT.sys
2006-12-29 18:52 115,824 --a------ C:\WINDOWS\UnVet32.exe
2006-12-29 18:52 108,592 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetEBoot.sys
2006-12-29 18:52 107,632 --a------ C:\WINDOWS\AVShlExt.dll
2006-12-29 17:47 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2006-12-29 17:47 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2006-12-29 17:47 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2006-12-24 15:19 751,876 --a------ C:\Documents and Settings\Alphonso Smith\Application Data\Dxcknwrd.dll.ren
2006-12-24 15:07 277,044 ---hs---- C:\WINDOWS\SYSTEM32\awtsr.dll
2006-12-24 14:10 <DIR> d-------- C:\Program Files\AdSponsor
2006-12-23 11:56 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-23 11:49 22,541 ---hs---- C:\WINDOWS\SYSTEM32\byxustq.dll
2006-12-23 11:48 125 --a------ C:\WINDOWS\ssmen.dll
2006-12-23 11:48 107,610 --a------ C:\WINDOWS\AtxPID29.exe
2006-12-19 07:07 29,184 --------- C:\WINDOWS\SYSTEM32\rpcc.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-01-10 13:06 -------- d-a------ C:\Program Files\Common Files
2007-01-10 12:47 -------- d-------- C:\Program Files\Windows Media Player
2007-01-09 00:48 -------- d-------- C:\Program Files\BearShare
2007-01-09 00:17 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-08 20:33 -------- d-------- C:\Program Files\Lx_cats
2006-12-29 17:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-25 11:36 -------- d-------- C:\Program Files\XoftSpy
2006-12-11 16:17 -------- d-------- C:\Program Files\MyGlobalSearch
2006-12-09 18:34 372784 --a------ C:\ymjsetup.exe
2006-12-01 13:53 624240 --a------ C:\WINDOWS\SYSTEM32\ImageControl.dll
2006-12-01 13:53 2684528 --a------ C:\WINDOWS\SYSTEM32\AxCtp2.dll
2006-11-28 19:05 -------- d-------- C:\Documents and Settings\Alphonso Smith\Application Data\Leadertech
2006-11-28 14:57 16 --a------ C:\WINDOWS\SYSTEM32\start.bat
2006-11-20 15:15 0 --a------ C:\WINDOWS\SYSTEM32\winntsrv.exe
2006-11-06 18:50 38300432 --a------ C:\es_iwne.exe
2006-10-13 15:49 2468045 --a------ C:\packs.exe
2006-10-12 19:44 13817216 --a------ C:\pptrialr8.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PCShield"="regsvr32 /s \"C:\\WINDOWS\\System32\\sfg_51cb.dll\""
"Microsoft Corp TLS Certificates"="msauth.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp TLS Certificates"="msauth.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"lxcemon.exe"="\"C:\\Program Files\\Lexmark 4300 Series\\lxcemon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 4300 Series\\ezprint.exe\""
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"ijsacm"="c:\\windows\\system32\\ijsacm.exe ijsacm"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"combofix"="c:\\subs\\combofix.cmd"
"cowovawu"="C:\\WINDOWS\\Config\\cowovawu.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]
"combofix"="c:\\subs\\combofix.cmd"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp. Critical Services"="csrs.exe"
"Microsoft Development Services"="msdevelop.exe"
"Microsoft Windows Socketx32 Services"="winsockx32.exe"
"Microsoft Windows Services Edt"="dllrun32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp. Critical Services"="csrs.exe"
"Microsoft Development Services"="msdevelop.exe"
"Microsoft Windows Socketx32 Services"="winsockx32.exe"
"Microsoft Windows Services Edt"="dllrun32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 07-01-12 13:45:11.62
C:\ComboFix.txt ... 07-01-12 13:45
C:\ComboFix2.txt ... 07-01-10 13:39
C:\ComboFix3.txt ... 07-01-10 13:06

______________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 1:49:04 PM, on 1/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\Config\cowovawu.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\SYSTEM32\pwinnoeb.exe
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [combofix] c:\subs\combofix.cmd
O4 - HKLM\..\Run: [cowovawu] C:\WINDOWS\Config\cowovawu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKCU\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Internet Protocol (netsvc) - Unknown owner - c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
I tried it again in safe mode and it still says rundll32 is missing when I try to open the Control Panel.
Go here and download [bold]KillBox[/bold]. You will use it later.

Fix these with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [combofix] c:\subs\combofix.cmd
O4 - HKLM\..\Run: [cowovawu] C:\WINDOWS\Config\cowovawu.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKCU\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

[bold]Note[/bold]: print these instructions or copy to Notepad and save it; you will be in safe mode and can't access the internet.

Go to Start > Run > type services.msc > click OK. Locate the following and double-click it to open.

Internet Protocol

Beside "Startup type" click the drop-down menu and select "Disabled". Close Services.

Open HijackThis. Click "Open the misc tools section". Click "Delete an NT service". Copy/paste this into the area:

netsvc

Click OK. You will be prompted to restart, click "Yes".

Open [bold]Killbox.exe[/bold]. Check "[bold]Standard File Kill[/bold]". In the "[bold]Full Path of File to Delete[/bold]" box, copy/paste each of the following lines below [bold]one at a time[/bold]. Then, click the red button with a white X after you enter each file. You will be prompted to confirm, click "[bold]Yes[/bold]".

[bold]Note[/bold]: KillBox may prompt "File does not seem to exist". If so, continue with the next file, but do not miss any.
C:\WINDOWS\System32\ijsacm.exe
C:\WINDOWS\System32\ijsacm.dat
C:\WINDOWS\Config\cowovawu.exe
C:\WINDOWS\System32\sfg_51cb.dll
C:\WINDOWS\System32\pwinnoeb.exe
C:\Windows\System32\msauth.exe
C:\WINDOWS\browserxtras
C:\ireg.reg
C:\WINDOWS\System32\rpcc.dll
C:\WINDOWS\SYSTEM32\byxustq.dll
C:\fghxwjlm.exe
c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
C:\WINDOWS\ycqqjmrA.exe
C:\WINDOWS\SYSTEM32\byxustq.dll
C:\WINDOWS\SYSTEM32\pwinnoeb.exe

Restart in normal mode.

Click here to get The Avenger. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

Copy all the following red text contained inside the box below to your clipboard by highlighting it and pressing (Ctrl+C):

------------------------------------------------------------------------
Drivers to unload:
pe386

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\pe386
HKLM\SYSTEM\ControlSet001\Services\pe386
HKLM\SYSTEM\ControlSet002\Services\pe386
------------------------------------------------------------------------

Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon, which will open a "View/edit script" window.
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done.
Click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions.
This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Go here to run [bold]ActiveScan[/bold]. Click "[bold]Panda ActiveScan[/bold]". Fill in the form with your information. After downloading, click [bold]My Computer[/bold] to scan. When it finishes, click "[bold]See Report[/bold]". Click "[bold]Save report[/bold]" and save it to the desktop.

Please post back with the ActiveScan report and a new HijackThis log.
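The entries the helper singled out above share patterns that can be checked mechanically rather than by eye: a bare executable name with no path, an entry under the Windows 9x-era RunServices key, regsvr32 used as a logon-time loader, a Winlogon Notify DLL nobody has vouched for, a service with no vendor, and autostarts launched from directories installers never use. The script below is an added example written for this thread; it is not HijackThis code and not anything the helper or the poster provided. The directory list, the loader-utility set, the Winlogon Notify allow-list and the sample log are assumptions made for illustration, with the sample lines taken from the HijackThis log posted earlier in the thread together with a few benign entries from it for contrast.

```python
"""Heuristic triage of HijackThis O4 / O20 / O23 lines (added example; all
thresholds, lists and the sample log below are assumptions, not HijackThis
logic)."""
import os
import re
from dataclasses import dataclass

# Directories from which legitimately installed software does not autostart
# (assumption; lower-case substring match on the path).
SUSPICIOUS_DIRS = ("\\windows\\config\\", "\\windows\\debug\\", "temp\\", "\\windows\\inf\\")
# Built-in utilities that are sometimes used at logon to load a payload.
LOADER_UTILITIES = {"regsvr32", "regsvr32.exe", "regedit.exe", "rundll32", "rundll32.exe"}
# Winlogon Notify packages the analyst has already verified (assumption).
KNOWN_WINLOGON_NOTIFY = {"igfxcui"}

# First drive-letter path ending in an executable-style extension in a command line.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|cmd|bat|sys|scr|com|pif)', re.I)
O4_REG_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<kind>(?:Global )?Startup): (?P<lnk>.+?) = (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list


def launcher(cmd: str) -> str:
    """Lower-case base name of the first token of a command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split()[0] if cmd.split() else ""
    return os.path.basename(prog.replace("\\", "/")).lower()


def suspicious_dir(path: str):
    """Return the matching suspicious directory fragment, or None."""
    low = path.lower()
    return next((d for d in SUSPICIOUS_DIRS if d in low), None)


def assess(line: str):
    """Return a Finding for one HijackThis line, or None if no heuristic fires."""
    reasons = []
    if (m := O4_REG_RE.match(line)):
        key, name, cmd = m["key"], m["name"], m["cmd"]
        paths = PATH_RE.findall(cmd)
        prog = launcher(cmd)
        if key.lower().startswith("runservices"):
            reasons.append("RunServices is a Windows 9x-era key; software written for XP does not use it")
        if not paths and prog not in LOADER_UTILITIES:
            reasons.append("bare executable name, resolved through the search path rather than an install location")
        if prog in LOADER_UTILITIES:
            reasons.append(f"{prog} used at logon to load/import {paths[0] if paths else cmd}")
        if "microsoft" in name.lower() and not any(
                "\\microsoft" in p.lower() or "\\windows\\" in p.lower() for p in paths):
            reasons.append("Microsoft-sounding entry name that does not point into a Microsoft install path")
    elif (m := O4_STARTUP_RE.match(line)):
        paths = PATH_RE.findall(m["cmd"])
        if any("\\system32\\" in p.lower() for p in paths):
            reasons.append("Startup-folder shortcut launches an executable straight out of System32")
    elif (m := O20_RE.match(line)):
        paths = [m["path"]]
        if m["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("unverified Winlogon Notify package; loads into winlogon.exe at every logon")
    elif (m := O23_RE.match(line)):
        paths = [m["path"]]
        if m["owner"].strip().lower() == "unknown owner":
            reasons.append("service binary carries no vendor information")
    else:
        return None
    for p in paths:
        if (d := suspicious_dir(p)):
            reasons.append(f"autostart target lives under '{d}'")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str):
    """Run assess() over every line of a HijackThis log and keep the hits."""
    return [f for f in map(assess, log_text.splitlines()) if f]


# Constructed sample: lines from the log posted in this thread, plus benign ones.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [cowovawu] C:\WINDOWS\Config\cowovawu.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKCU\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Internet Protocol (netsvc) - Unknown owner - c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Running it against the sample flags exactly the seven entries the helper asked to fix or delete and leaves the Intel, Dell, Office and Symantec entries alone. Each hit carries its reasons, so the two `msauth.exe` lines come out with the bare-name, impersonation and RunServices reasons stacked rather than a single opaque verdict; that is what makes the list reviewable by someone who has to decide what to remove.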
Here is the Avenger stuff. Some of the other stuff wasn't able to erase with kill switch; I will type them in a minute.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yympvnok

*******************

Script file located at: \??\C:\WINDOWS\mmweeicu.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.

Registry key HKLM\SYSTEM\CurrentControlSet\Services\pe386 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pe386 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pe386
Status: 0xc0000034

Registry key HKLM\SYSTEM\ControlSet001\Services\pe386 not found!
Deletion of registry key HKLM\SYSTEM\ControlSet001\Services\pe386 failed!
Could not process line:
HKLM\SYSTEM\ControlSet001\Services\pe386
Status: 0xc0000034

Registry key HKLM\SYSTEM\ControlSet002\Services\pe386 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Incident Status Location
Adware:adware/navipromo Not disinfected c:\windows\system32\ijsacm_nav.dat
Adware:adware/comet Not disinfected c:\windows\downloaded program files\dm.inf
Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Adware:adware program Not disinfected c:\windows\ss3unstl.exe
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyGlobalSearch
Adware:adware/popupdefence Not disinfected Windows Registry
Adware:adware/iedriver Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
Adware:adware/savenow Not disinfected Windows Registry
Virus:Bck/Servu.A Disinfected C:\!KillBox\netservice.exe
Adware:Adware/Zeno Not disinfected C:\!KillBox\pwinnoeb.exe
Potentially unwanted tool:Application/Hiderun.F Not disinfected C:\aoo\blastcln.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Alphonso Smith\Cookies\alphonso smith@doubleclick[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Alphonso Smith\Cookies\alphonso smith@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Alphonso Smith\Cookies\alphonso smith@searchportal.information[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.atwola.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.fortunecity.com/]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Gwendolyn Smith\Local Settings\Temp\unpack\CC_43.inf
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\LocalService\Cookies\alphonso smith@adultfriendfinder[1].txt
Spyware:Spyware/Apropos Not disinfected C:\I386\auto_update_uninstall.log
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\I386\MARSHAL.DLL
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\I386\P2P Networking.exe
Hacktool:HackTool/Scansql.B Not disinfected C:\packs.exe[8]
Potentially unwanted tool:Application/Hiderun.F Not disinfected C:\packs.exe[blastcln.exe]
Potentially unwanted tool:Application/HideWindow.B Not disinfected C:\packs.exe[31]
Virus:Trj/VB.SU Disinfected C:\WINDOWS\AtxPID29.exe
Adware:Adware/CWS Not disinfected C:\WINDOWS\INF\ranamine.exe
Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Install.dat
Sorry it's taking so long, but this computer is terribly slooow and then often just freezes for no reason. Thanks for your help though.
Download [bold]Ad-Aware SE Personal 1.06[/bold].

[bold]Install Ad-Aware SE Personal[/bold]:
Follow the default settings for installation. After installing, uncheck the following:
* "[bold]Perform a full system scan now[/bold]"
* "[bold]Update definition file now[/bold]"
* "[bold]Open the help file now[/bold]"

[bold]Update Ad-Aware SE Personal[/bold]:
Open [bold]Ad-Aware[/bold]. Click "[bold]Check for updates now[/bold]" then click "[bold]Connect[/bold]". If any are found click "[bold]OK[/bold]" to download and install the updates. Once it has finished click "[bold]Finish[/bold]".

[bold]Configure Ad-Aware SE Personal[/bold]:
Click the Gear button at the top of the window.

Click "[bold]General[/bold]" on the left hand side. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark.
* "[bold]Automatically save logfile[/bold]"
* "[bold]Automatically quarantine objects prior to removal[/bold]"
* "[bold]Safe Mode (always request confirmation)[/bold]"
* "[bold]Prompt to update outdated definitions[/bold]" - change to 7 days from the default 14.

Click "[bold]Scanning[/bold]" on the left hand side. Make sure these items have a green check next to them.
* "[bold]Scan within archives[/bold]"
* "[bold]Select drives & folders to scan[/bold]" - select your hard drive(s).
* "[bold]Scan active processes[/bold]"
* "[bold]Scan registry[/bold]"
* "[bold]Deep-scan registry[/bold]"
* "[bold]Scan my IE favorites for banned URLs[/bold]"
* "[bold]Scan my Hosts file[/bold]"

Click "[bold]Advanced[/bold]" on the left hand side. Make sure these items have a green check next to them.
* "[bold]Move deleted files to Recycle Bin[/bold]"
* "[bold]Include additional object information[/bold]"
* "[bold]Include negligible objects information[/bold]"
* "[bold]Include environment information[/bold]"

Click "[bold]Tweak[/bold]" on the left hand side to display the Tweak Settings box.

Click the + (plus) sign next to the [bold]Scanning Engine[/bold] section. Make sure these items have a green check next to them.
* "[bold]Unload recognized processes & modules during scan[/bold]"
* "[bold]Scan registry for all users instead of current user only[/bold]"
* "[bold]Obtain command line of scanned processes[/bold]"

Click the + (plus) sign next to the [bold]Cleaning Engine[/bold] section. Make sure these items have a green check next to them.
* "[bold]Always try to unload modules before deletion[/bold]"
* "[bold]During removal, unload Explorer and IE if necessary[/bold]"
* "[bold]Let Windows remove files in use at next reboot[/bold]"
* "[bold]Delete quarantined objects after restoring[/bold]"

Once you are done with these settings, click "[bold]Proceed[/bold]" to save them. This will take you back to the main screen.

[bold]Run Ad-Aware SE Personal[/bold]:
* Click the "[bold]Start[/bold]" button.
* Uncheck the "[bold]Search for negligible risk entries[/bold]" entry.
* Choose the "[bold]Use custom scanning options[/bold]" scan mode.
* Click the "[bold]Next[/bold]" button.
* When it finishes, right-click on any entry in the list and click "[bold]Select All[/bold]" to select the whole list.
* Click "[bold]Next[/bold]" and choose "[bold]OK[/bold]" at the prompt to quarantine and remove the objects.

Restart your computer after scanning.

Run ActiveScan again and please post the log along with a new HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 9:25:07 PM, on 1/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\Debug\geceboci.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwinnoeb.exe SKY001
O4 - HKLM\..\Run: [geceboci] C:\WINDOWS\Debug\geceboci.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
Go here and download [bold]CCleaner[/bold].
[bold]Note[/bold]: If you do not want [bold]Yahoo! Toolbar[/bold], uncheck the option when installing.
Open [bold]CCleaner[/bold]. Click [bold]Options[/bold] > [bold]Advanced[/bold] > uncheck "Only delete files in Windows Temp folders older than 48 hours". Close all windows. Click Cleaner > [bold]Run Cleaner[/bold].

Update AVG Anti-Spyware (important).
Note: You may uninstall Ewido. AVG Anti-Spyware is Ewido, only updated.

Fix these with HijackThis:
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwinnoeb.exe SKY001
O4 - HKLM\..\Run: [geceboci] C:\WINDOWS\Debug\geceboci.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

[bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.

Restart in safe mode.

KillBox these files:
C:\WINDOWS\SYSTEM32\pwinnoeb.exe
C:\WINDOWS\Debug\geceboci.exe
C:\WINDOWS\System32\rpcc.dll

Open AVGAS and click "[bold]Scanner[/bold]". Click "[bold]Complete System Scan[/bold]". When it finishes scanning, set all items to "[bold]Quarantine[/bold]". Click "[bold]Apply All Actions[/bold]". Click "[bold]Save Report[/bold]" and save it to the desktop.

Restart in normal mode and run ActiveScan one more time.

Please post back with the AVGAS log, the ActiveScan log and a new HijackThis log.
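For readers wondering how the four entries above were picked out of a log of some seventy lines, here is an added example (my own code, not part of this thread and not HijackThis itself) that parses lines in the HijackThis 1.99.1 format and applies a few first-pass triage heuristics: orphaned "(no file)" entries, executables started from C:\WINDOWS\Debug, a Temp folder or C:\WINDOWS\INF, a Winlogon Notify DLL that is not on a small vetted list, a UserInit value that chain-loads anything besides userinit.exe, and one file launched from more than one autostart point (pwinnoeb.exe appears under both HKLM\..\Run and the Startup folder). The suspicious-directory list and the vetted DLL set are assumptions for illustration, the sample log is constructed from lines like those posted above, and a flag only means "look this file up", never "delete it".

```python
"""Heuristic triage of HijackThis 1.99.1 log lines.

Added example for this thread: not code from HijackThis or from the helper.
The heuristics are my own assumptions about what a log reader checks first;
every flagged file still has to be looked up by hand.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List

# "O4 - HKLM\..\Run: [name] path args"  ->  section "O4", body = the rest
ENTRY_RE = re.compile(r'^(?P<sec>[A-Z]\d+) - (?P<body>.*)$')
# A Windows path up to an executable-ish extension; non-greedy so trailing
# arguments ("SKY001") or res:// suffixes are not swallowed.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys|com)(?![A-Za-z0-9])', re.IGNORECASE)

# Assumption: nothing legitimate autostarts from these directories on a stock XP box.
SUSPICIOUS_DIRS = ('\\windows\\debug\\', '\\temp\\', '\\windows\\inf\\')
# Assumption: Winlogon Notify DLLs the reader has already vetted (Intel graphics here).
VETTED_NOTIFY_DLLS = {'igfxsrvc.dll'}

# Constructed sample in the log's own format: the entries the helper listed,
# a few benign neighbours, and the F2 UserInit line from the first log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwinnoeb.exe SKY001
O4 - HKLM\..\Run: [geceboci] C:\WINDOWS\Debug\geceboci.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,ucefhbh.exe
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


def parse(log: str):
    """Return (section, raw line, body, lower-cased paths) for each HJT entry."""
    entries = []
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            paths = [p.lower() for p in PATH_RE.findall(m['body'])]
            entries.append((m['sec'], raw, m['body'], paths))
    return entries


def triage(log: str) -> List[Finding]:
    entries = parse(log)

    # First pass: which file names are launched from more than one O4 autostart point?
    launches = defaultdict(set)
    for sec, raw, _body, paths in entries:
        if sec == 'O4':
            for p in paths:
                launches[basename(p)].add(raw)

    findings = []
    for sec, raw, body, paths in entries:
        reasons = []
        if '(no file)' in body:
            reasons.append('orphaned entry: referenced file is missing')
        for p in paths:
            if any(d in p for d in SUSPICIOUS_DIRS):
                reasons.append(f'executable in unusual location: {p}')
        if sec == 'O20':
            # Notify DLLs load inside winlogon.exe at every logon, so anything not
            # already vetted is worth a look (and cannot be deleted while loaded).
            if not {basename(p) for p in paths} <= VETTED_NOTIFY_DLLS:
                reasons.append('Winlogon Notify DLL not on the vetted list')
        if sec == 'F2' and 'userinit=' in body.lower():
            targets = [t.strip().lower() for t in body.split('=', 1)[1].split(',') if t.strip()]
            extra = [t for t in targets if not t.endswith('\\userinit.exe')]
            if extra:
                reasons.append('UserInit chain-loads extra program(s): ' + ', '.join(extra))
        if sec == 'O4':
            for p in paths:
                n = basename(p)
                if len(launches[n]) > 1:
                    reasons.append(f'{n} is started from {len(launches[n])} autostart points')
        if reasons:
            findings.append(Finding(sec, raw, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print('    ->', r)
```

Run it against a full pasted log instead of SAMPLE_LOG and it returns the O2 orphan, both pwinnoeb.exe entries, geceboci.exe, rpcc.dll and the UserInit line while staying quiet about the Intel, Symantec and other vendor entries. The O20 caveat matters for the KillBox step: a Notify DLL is mapped into winlogon.exe from the moment the desktop appears, which is why removal is scheduled from safe mode rather than attempted on a running system.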
I cannot erase Ewido because I cannot get into the Control Panel.

KillBox these files:
C:\WINDOWS\SYSTEM32\pwinnoeb.exe = not there
C:\WINDOWS\Debug\geceboci.exe = not there
C:\WINDOWS\System32\rpcc.dll = desktop goes blank and computer freezes
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:04:26 AM 1/18/2007

+ Scan result:

C:\!KillBox\pwinnoeb.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\INF\ranamine.exe -> Hijacker.VB.is : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 6:48:34 PM, on 1/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

______________________________________________________________

Incident | Status | Location
Adware:adware/navipromo | Not disinfected | c:\windows\system32\ijsacm_nav.dat
Adware:adware/comet | Not disinfected | c:\windows\downloaded program files\dm.inf
Adware:adware/sidesearch | Not disinfected | c:\windows\sepsd.bin
Potentially unwanted tool:application/bestoffer | Not disinfected | c:\windows\smdat32m.sys
Adware:adware program | Not disinfected | c:\windows\ss3unstl.exe
Potentially unwanted tool:application/mywebsearch | Not disinfected | c:\program files\MyGlobalSearch
Adware:adware/popupdefence | Not disinfected | Windows Registry
Adware:adware/iedriver | Not disinfected | Windows Registry
Potentially unwanted tool:application/myway | Not disinfected | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
Adware:adware/savenow | Not disinfected | Windows Registry
Potentially unwanted tool:Application/Hiderun.F | Not disinfected | C:\aoo\blastcln.exe
Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.atwola.com/]
Spyware:Cookie/FortuneCity | Not disinfected | C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.fortunecity.com/]
Adware:Adware/Comet | Not disinfected | C:\Documents and Settings\Gwendolyn Smith\Local Settings\Temp\unpack\CC_43.inf
Spyware:Cookie/adultfriendfinder | Not disinfected | C:\Documents and Settings\LocalService\Cookies\alphonso smith@adultfriendfinder[1].txt
Spyware:Spyware/Apropos | Not disinfected | C:\I386\auto_update_uninstall.log
Potentially unwanted tool:Application/P2PNetworking | Not disinfected | C:\I386\MARSHAL.DLL
Potentially unwanted tool:Application/P2PNetworking | Not disinfected | C:\I386\P2P Networking.exe
Hacktool:HackTool/Scansql.B | Not disinfected | C:\packs.exe[8]
Potentially unwanted tool:Application/Hiderun.F | Not disinfected | C:\packs.exe[blastcln.exe]
Potentially unwanted tool:Application/HideWindow.B | Not disinfected | C:\packs.exe[31]
Adware:Adware/BraveSentry | Not disinfected | C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Install.dat