my computer turned extremely slow...

Started by LoganX, Nov 05 2007 12:51 AM

You cannot reply to this topic

17 replies to this topic

#1 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 05 November 2007 - 12:51 AM

Hi. For some reason when i went on the computer today my whole computer started to run really slowly... Like if i wanted to go on youtube, it would take a while before i could even do anything after i got to the site. Then when i try to watch a video, it freezes and after like a minute or 2 it starts running... this happens with other sites as well... i'm not too sure what could've happened in one night but i don't remember dling anything... it was fine yesterday but yea... i hope you have a solution to this cause i tried to run Active Virus Shield scan but it reaches a certain point and it does not continue... Even if i wanted to just delete what ever i had already detected, it wouldn't continue but stay on the same spot... so without a futher delay, here's my HJT log...by the way thanks for looking at this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:37 PM, on 04/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [284cbf6f] rundll32.exe "C:\WINDOWS\system32\mkcgcqve.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Active Virus Shield (AVP) - Kaspersky Lab - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5294 bytes

Back to top

#2 OFFLINE askey127

Advanced Member

Members
108 posts

Gender:Male
Location:New Hampshire, US

Posted 05 November 2007 - 11:21 PM

Hi LoganX,
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [284cbf6f] rundll32.exe "C:\WINDOWS\system32\mkcgcqve.dll",b
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Use Add/Remove Programs In Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

FlashGet

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerh...sues/chsafe.htm
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.
C:\Windows\System32\mkcgcqve.dll
If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
We need to rename HijackThis.exe to reveal.exe
Use My Computer (Windows Explorer) to go to the HiJackThis folder
In your case, the HiJackThis folder is: C:\Program Files\Trend Micro\HijackThis\
(double click C:, then double click Program Files, double click Trend Micro, then double click the HijackThis folder)
In the top menu, click View, Details
Right button-click on the file named HijackThis.exe and select Rename.
Type in the new filename as reveal.exe
Hit <Enter> and close MyComputer

Please post a new log from reveal.exe
Let me know how it goes.
askey127

Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

Back to top

#3 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 06 November 2007 - 01:25 AM

well first of all thansk for looking at my hjt log askey... but there was something strange when i was in safeboot... i launched my computer into safe boot, and every like 5 seconds or so, it keeps crashing and asking me if i wanted to use system restore and the other stuff that usually happens when u switch from normal boot to safe boot... so yea... and about that .dll file you wanted me to delete, apparently it was already deleted or it wasn't there anymore... there was one more little problem which was that pop ups seem to come almost everytime i switch from a site to another... anywho heres my new log hope you can figure out the problem and also it still lags everytime i visit a site just like....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:12 PM, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\reveal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Seekmo /fleok=1D8A83A5C5E5107B9BAF682A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\qommkji.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {94291C09-69DE-487D-AA9A-EBFA73317977} - C:\WINDOWS\system32\ssqrs.dll
O2 - BHO: {769ada18-a587-d6c9-7584-8b380516936a} - {a6396150-83b8-4857-9c6d-785a81ada967} - C:\WINDOWS\system32\idpracav.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qommkji - C:\WINDOWS\SYSTEM32\qommkji.dll
O23 - Service: Active Virus Shield (AVP) - Kaspersky Lab - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5839 bytes

Back to top

#4 OFFLINE askey127

Advanced Member

Members
108 posts

Gender:Male
Location:New Hampshire, US

Posted 06 November 2007 - 12:17 PM

LoganX,
------------------------------------------------------------
Please download VundoFix.exe and Save to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix will encounter a file it cannot remove.
In that case, VundoFix will run on reboot. Simply repeat the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Please post the contents of C:\vundofix.txt and a new HiJackThis (reveal.exe) log.

askey127

Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

Back to top

#5 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 06 November 2007 - 09:20 PM

VundoFix V6.5.11

Checking Java version...

Scan started at 4:05:28 PM 06/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\nukepntu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nukepntu.dll
C:\WINDOWS\system32\nukepntu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nukepntu.dll
C:\WINDOWS\system32\nukepntu.dll Has been deleted!

Performing Repairs to the registry.
Done!

==========================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:36 PM, on 06/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\reveal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\qommkji.dll
O2 - BHO: (no name) - {6E03A383-506B-4332-9DD8-A908DE826F13} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {8fe1f4e9-e651-d27a-5654-5f39db13e14b} - {b41e31bd-93f5-4565-a72d-156e9e4f1ef8} - C:\WINDOWS\system32\cnbrlcvi.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [284cbf6f] rundll32.exe "C:\WINDOWS\system32\ejukmdmg.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qommkji - C:\WINDOWS\SYSTEM32\qommkji.dll
O23 - Service: Active Virus Shield (AVP) - Kaspersky Lab - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cknkgkqr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6018 bytes

Back to top

#6 OFFLINE askey127

Advanced Member

Members
108 posts

Gender:Male
Location:New Hampshire, US

Posted 07 November 2007 - 05:50 PM

LoganX,
-----------------------------------------------------------
Download Blacklight from here:
http://www.f-secure....ecurity_center/
Under "Downloads", click on Blacklight and Save it to your Desktop
-- or --
Link to it from the ftp site: ftp://ftp.f-secure.c.../tools/fsbl.exe
and save it to your Desktop from there.

Go to Start-->Run, copy in the following text, and press Enter:

Quote

"%userprofile%\desktop\fsbl.exe" /expert

Accept the license agreement.
Click > scan, wait for it to fimish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.
-----------------------------------------------------------
Download and Run ComboFix

Download this file from either of the two sites below and Save to your Desktop :
http://download.blee...Bs/ComboFix.exe
http://www.techsuppo...Bs/ComboFix.exe
Then double click combofix.exe & follow the prompts.
Note: DO NOT mouseclick Combofix's window while it's running. That may cause it to stall
When finished, it will produce a log for you, C:\ComboFix.txt. Post that log in your next reply

So we are looking for the contents of the Blacklight log and the contents of C:\Combofix.txt
askey127

Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

Back to top

#7 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 07 November 2007 - 11:50 PM

11/07/07 16:05:51 [Info]: BlackLight Engine 1.0.67 initialized
11/07/07 16:05:51 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/07/07 16:05:51 [Note]: 7019 4
11/07/07 16:05:51 [Note]: 7005 0
11/07/07 16:05:56 [Note]: 7006 0
11/07/07 16:05:56 [Note]: 7022 0
11/07/07 16:05:56 [Note]: 7011 1612
11/07/07 16:05:57 [Note]: 7026 0
11/07/07 16:05:57 [Note]: 7026 0
11/07/07 16:06:01 [Note]: FSRAW library version 1.7.1024
11/07/07 16:08:01 [Note]: 4013 53434
11/07/07 16:08:01 [Note]: 4020 29 65536
11/07/07 16:08:01 [Note]: 4018 29 65536
11/07/07 16:08:02 [Note]: 4013 53434
11/07/07 16:08:02 [Note]: 4020 29 65536
11/07/07 16:08:02 [Note]: 4018 29 65536
11/07/07 16:10:18 [Note]: 7007 0

==========================================================================

ComboFix 07-08-25.2 - "Raymond Tuyen" 2007-08-24 20:11:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.658 [GMT -4:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\awtqq.exe
C:\WINDOWS\system32\awtspmm.dll
C:\WINDOWS\system32\awvvs.exe
C:\WINDOWS\system32\ddabb.exe
C:\WINDOWS\system32\ddabc.exe
C:\WINDOWS\system32\ddcya.exe
C:\WINDOWS\system32\gebcb.exe
C:\WINDOWS\system32\jkhhe.exe
C:\WINDOWS\system32\jkkjg.exe
C:\WINDOWS\system32\jkkjh.exe
C:\WINDOWS\system32\jkkjk.exe
C:\WINDOWS\system32\jkkli.exe
C:\WINDOWS\system32\jkklm.exe
C:\WINDOWS\system32\mljgd.exe
C:\WINDOWS\system32\mljji.exe
C:\WINDOWS\system32\pmkhh.exe
C:\WINDOWS\system32\pmkjh.exe
C:\WINDOWS\system32\pmkjj.exe
C:\WINDOWS\system32\pmnli.exe
C:\WINDOWS\system32\pmnno.exe
C:\WINDOWS\system32\ssqpn.exe
C:\WINDOWS\system32\ssqpo.exe
C:\WINDOWS\system32\ssqro.exe
C:\WINDOWS\system32\ssqrp.exe
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\ssqrr.exe
C:\WINDOWS\system32\ssqrs.exe
C:\WINDOWS\system32\sstqn.exe
C:\WINDOWS\system32\sstts.exe
C:\WINDOWS\system32\ssttu.exe
C:\WINDOWS\system32\vtuts.exe

((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))

2007-08-24 20:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 15:25 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-19 15:25 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-31 22:37 <DIR> d-------- C:\Program Files\LimeWire
2007-07-31 22:37 <DIR> d-------- C:\DOCUME~1\RAYMON~1\Incomplete
2007-07-31 22:37 <DIR> d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\LimeWire
2007-07-27 10:40 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-27 10:40 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-27 10:39 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 20:14 9108768 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-24 20:14 243232 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-24 20:14 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-24 20:13 28028 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-24 20:13 130352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-24 08:28 --------- d-------- C:\Program Files\mIRC
2007-08-24 00:26 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-24 00:25 --------- d-------- C:\Program Files\True Sword 4
2007-08-24 00:07 --------- d-------- C:\Program Files\FlashGet
2007-08-22 11:36 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Azureus
2007-08-22 11:36 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Azureus
2007-08-15 23:21 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-08-15 23:21 286720 --a------ C:\WINDOWS\Setup1.exe
2007-08-15 23:21 249856 --a------ C:\WINDOWS\system32\drmupgds.exe
2007-08-15 23:21 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-08-15 23:21 146432 --a------ C:\WINDOWS\system32\WudfHost.exe
2007-08-15 23:21 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-08-15 23:21 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-08-09 23:51 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-07-24 01:16 --------- d--h----- C:\DOCUME~1\RAYMON~1\APPLIC~1\ijjigame
2007-07-24 01:16 --------- d--h----- C:\DOCUME~1\RAYMON~1\APPLIC~1\ijjigame
2007-07-21 21:39 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-07-21 20:32 82258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-21 20:32 82258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-21 01:58 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-21 01:58 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-21 01:58 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-21 01:58 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-21 01:54 4566 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-20 21:51 --------- d-------- C:\Program Files\PCPitstop
2007-07-20 21:43 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\True Sword
2007-07-20 21:43 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\True Sword
2007-07-18 12:11 4096 --a------ C:\WINDOWS\system32\sysres.dll
2007-07-18 12:11 38567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-07-14 13:59 4 -r-hs---- C:\MSDOS.BIN
2007-07-14 13:50 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-14 13:50 --------- d-------- C:\Program Files\Sony
2007-07-13 16:50 --------- d-------- C:\Program Files\Azureus
2007-07-12 14:12 6139760 --a------ C:\WindowsUpdateAgent30-x86.exe
2007-07-12 14:11 1266056 --a------ C:\WindowsXP-KB927891.exe
2007-07-12 14:10 3038 --a------ C:\fix_svchost.bat
2007-07-12 14:07 --------- d-------- C:\Program Files\Trend Micro
2007-07-12 01:47 --------- d---s---- C:\Program Files\Xfire
2007-07-12 01:47 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Xfire
2007-07-12 01:47 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Xfire
2007-07-12 01:44 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\InstallShield
2007-07-12 01:44 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\InstallShield
2007-07-10 16:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-07-10 16:03 --------- d-------- C:\Program Files\WinAVI Video Converter
2007-07-10 15:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-07-05 19:15 --------- d-------- C:\Program Files\Yahoo!
2007-06-30 11:31 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-06-26 22:22 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-06-26 22:21 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-06-26 02:22 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\DivX
2007-06-26 02:22 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\DivX
2007-06-25 23:53 --------- d-------- C:\Program Files\MSN Messenger
2007-06-25 23:28 967 --a------ C:\WINDOWS\ScUnin.pif
2007-06-25 23:28 70656 --a------ C:\WINDOWS\ScUnin.exe
2007-06-25 23:14 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Real
2007-06-25 23:14 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Real
2007-06-25 23:11 --------- d-------- C:\Program Files\Real
2007-06-25 23:11 --------- d-------- C:\Program Files\Common Files\xing shared
2007-06-25 23:11 --------- d-------- C:\Program Files\Common Files\Real
2007-06-25 23:10 --------- d-------- C:\Program Files\Alcohol Soft
2007-06-25 23:10 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\vlc
2007-06-25 23:10 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\vlc
2007-06-25 23:08 12528 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-25 23:04 --------- d-------- C:\Program Files\VideoLAN
2007-06-25 23:04 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Skype
2007-06-25 23:04 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\Skype
2007-06-25 23:01 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\InterVideo
2007-06-25 23:01 --------- d-------- C:\DOCUME~1\RAYMON~1\APPLIC~1\InterVideo
2007-06-25 23:00 --------- d-------- C:\Program Files\MSXML 4.0
2007-06-25 23:00 --------- d-------- C:\Program Files\InterActual
2007-06-25 23:00 --------- d-------- C:\Program Files\Common Files\InterVideo
2007-06-25 22:59 --------- d-------- C:\Program Files\SpywareBlaster
2007-06-25 22:59 --------- d-------- C:\Program Files\InterVideo
2007-06-25 22:59 --------- d-------- C:\Program Files\Creative
2007-06-25 22:58 --------- d-------- C:\Program Files\CCleaner
2007-06-25 22:55 --------- d-------- C:\Program Files\Skype
2007-06-25 22:54 --------- d-------- C:\Program Files\DVDlab
2007-06-25 22:54 --------- d-------- C:\Program Files\burnatonce
2007-06-25 22:53 --------- d-------- C:\Program Files\MagicISO
2007-06-25 22:53 --------- d-------- C:\Program Files\DVD Shrink
2007-06-25 22:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-06-25 22:52 --------- d-------- C:\Program Files\DivX
2007-06-25 22:51 --------- d-------- C:\Program Files\PowerISO
2007-06-25 22:50 --------- d-------- C:\Program Files\DVD Decrypter
2007-06-25 22:49 --------- d-------- C:\Program Files\Total Video Converter
2007-06-25 22:47 --------- d-------- C:\Program Files\Combined Community Codec Pack
2007-06-25 22:45 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-06-25 22:44 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-25 22:44 --------- d-------- C:\Program Files\Analog Devices
2007-06-25 22:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-25 22:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-25 22:41 --------- d-------- C:\Program Files\Canon
2007-06-25 22:37 --------- d-------- C:\Program Files\Winamp
2007-06-25 22:34 --------- d-------- C:\Program Files\Ready to Program
2007-06-25 22:30 --------- d-------- C:\Program Files\Messenger

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 17:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:32]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-25 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 19:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"MRT"="C:\WINDOWS\system32\MRT.exe" [2007-06-05 23:38]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-07-20 22:05]
"PCPitstop Optimize Registration Reminder"="C:\Program Files\PCPitstop\Optimize\Reminder.exe" [2007-07-09 16:51]
"AVP"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2007-04-03 11:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 20:27]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-24 20:14:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-24 20:15:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-24 20:15

--- E O F ---

just a quick thing, apparently everytime i turn off my computer and turn it back on the next day, i get some sort of spyware or something... it keeps telling me to install some anti spyware and crap so just wondering if that will get fixed as well thanks for your hard work

Back to top

#8 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 08 November 2007 - 09:04 PM

a continuation of the previous post... each time i turn on my computer, i receive some "
Security Alert: Spyware found" message at the bottom right corner of my monitor. It has a flashing yellow triangular sign with an exclamation mark in the middle. Just wondering if you know how to cure this... sorry for causing you alot of problems and i really appreciate it...

Back to top

#9 OFFLINE askey127

Advanced Member

Members
108 posts

Gender:Male
Location:New Hampshire, US

Posted 08 November 2007 - 09:48 PM

LoganX,
Good so far.
----------------------------------------------------------
Download and Install CCleaner

Download CCleaner from here
Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
Click OK
Click Next
Click I agree
Click Next
Click Install
Once the installation has finished, click Finish

-----------------------------------------------------------
Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
Click on the Options block on the left. Select Advanced.
Uncheck Only delete files in Windows Temp folders older than 48 hours.
Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

-----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Following Programs, one at a time, and click the Run Uninstaller button for each one.
Wait for completion of each one before highlighting and Uninstalling the next.

FlashGet
True Sword 4

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis (reveal.exe).
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

So we are looking for the CCleaner Installed Programs list install.txt and a fresh HijackThis(reveal.exe) log.
Also if the warning or request to get some antispy program comes up again, please note if it has a program name associated (BS..AntiSpy..etc) with it.
And DON'T agree to buy or install anything. These are phony programs.

askey127

Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

Back to top

#10 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 08 November 2007 - 10:54 PM

thanks for the quick reply... anyways back on topic... here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:33 PM, on 09/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\reveal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {c30059d4-aa5c-f6fa-f114-ab47c05cc490} - {094cc50c-74ba-411f-af6f-c5aa4d95003c} - C:\WINDOWS\system32\sbtitrbo.dll
O2 - BHO: (no name) - {459EDA87-F575-43C1-9D86-19DC9BE27186} - C:\WINDOWS\system32\ddcyx.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\qommkji.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ixvgbzzn.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ixvgbzzn.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [284cbf6f] rundll32.exe "C:\WINDOWS\system32\xwlrfgbp.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixvgbzzn - C:\WINDOWS\SYSTEM32\ixvgbzzn.dll
O20 - Winlogon Notify: mnivrpdz - mnivrpdz.dll (file missing)
O20 - Winlogon Notify: qommkji - C:\WINDOWS\SYSTEM32\qommkji.dll
O23 - Service: Active Virus Shield (AVP) - Kaspersky Lab - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5901 bytes

=========================================================================

Active Virus Shield
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
Alcohol 120%
AutoUpdate
Azureus
burnatonce
Call of Duty Game of the Year Edition
Canon PhotoRecord
Canon PIXMA iP1500
CCleaner (remove only)
Combined Community Codec Pack 2007-02-22
Creative DVD Audio Plugin for Audigy Series
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD-lab 1.3.1
GameSpy Arcade
Guitar Pro 4
Guitar Pro 5.2
Gunbound Revolution
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
ijji - Gunz
ijji Auto Installer
ijji
InterActual Player
InterVideo WinDVD 7
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
LimeWire 4.14.0
Magic ISO Maker v5.4 (build 0239)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Nero OEM
NVIDIA Drivers
Pando
PC Pitstop Optimize 1.5
Power Tab Editor 1.7
PowerISO
Rakion International
Ready to Program with Java Technology
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB928843)
Skype 2.5
Soldier Front
SoundMAX
SpywareBlaster v3.5.1
Starcraft
StarForge
Station LaunchPad
SUPERAntiSpyware Free Edition
Total Video Converter 3.02
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Update for Windows XP (KB927891)
VideoLAN VLC media player 0.8.6c
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Messenger 5.1
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB890859
WinRAR archiver

µTorrent

==========================================================================

and also about this phony malware or spyware or w.e it is, it has appeared once again.... it showed up after 2 minutes after the computer boots up and when the alert balloon pops up, as usual, it says "Security Alert: Spyware found" or "System Alert: Malware threats" or "Security Alert: NetWorm-i.Virus@fp" and then gives me some description... and then after like a minute it pops up again but it says something different... i don't believe i've installed a program lately to have gotten this... it sometimes opens up a IE and brings me to a site... and for some reason it happens when i try to run IE and it has a Security toolbar... so yea thats pretty much as detailed as i can probably get for this

Back to top

#11 OFFLINE askey127

Advanced Member

Members
108 posts

Gender:Male
Location:New Hampshire, US

Posted 09 November 2007 - 12:41 AM

LoganX,
Thanks for the info.
While we are doing this, please do not use any Peer to Peer apps like Limewire or uTorrent for anything.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O2 - BHO: {c30059d4-aa5c-f6fa-f114-ab47c05cc490} - {094cc50c-74ba-411f-af6f-c5aa4d95003c} - C:\WINDOWS\system32\sbtitrbo.dll
O2 - BHO: (no name) - {459EDA87-F575-43C1-9D86-19DC9BE27186} - C:\WINDOWS\system32\ddcyx.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\qommkji.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ixvgbzzn.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ixvgbzzn.dll
O4 - HKLM\..\Run: [284cbf6f] rundll32.exe "C:\WINDOWS\system32\xwlrfgbp.dll",b
O20 - Winlogon Notify: ixvgbzzn - C:\WINDOWS\SYSTEM32\ixvgbzzn.dll
O20 - Winlogon Notify: mnivrpdz - mnivrpdz.dll (file missing)
O20 - Winlogon Notify: qommkji - C:\WINDOWS\SYSTEM32\qommkji.dll

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-------------------------------------------------------------

Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.

Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard

File::
C:\WINDOWS\system32\sbtitrbo.dll
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\xwlrfgbp.dll"
C:\WINDOWS\SYSTEM32\ixvgbzzn.dll
C:\Windows\System32\mnivrpdz.dll
C:\WINDOWS\SYSTEM32\qommkji.dll

Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
Save it to your desktop as CFScript.txt
Now drag and drop the CFScript.txt icon onto combofix.exe as in the picture above, and follow the prompts.
Then post the resultant log, C:\ComboFix.txt, in your next reply.

-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis (reveal.exe).
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of C:\Combofix.txt

askey127

Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

Back to top

#12 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 09 November 2007 - 02:00 AM

Thanks... Heres the Combofix log first:

ComboFix 07-11-08.1 - Raymond Tuyen 2007-11-09 20:46:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT -5:00]
Running from: C:\Documents and Settings\Raymond Tuyen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Raymond Tuyen\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\SYSTEM32\ixvgbzzn.dll
C:\Windows\System32\mnivrpdz.dll
C:\WINDOWS\SYSTEM32\qommkji.dll
C:\WINDOWS\system32\sbtitrbo.dll
C:\WINDOWS\system32\xwlrfgbp.dll"
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Raymond Tuyen\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\ixvgbzzn.dllbox
C:\WINDOWS\system32\jgmedjzw.dllbox
C:\WINDOWS\system32\mnivrpdz.dllbox
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\nqtss.tmp
C:\WINDOWS\SYSTEM32\qommkji.dll
C:\WINDOWS\system32\sbtitrbo.dll
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-09 18:52 80,448 --a------ C:\WINDOWS\system32\qcedtish.dll
2007-11-09 18:46 86,080 --a------ C:\WINDOWS\system32\ccvyvmxg.dll
2007-11-09 18:44 71,232 --a------ C:\WINDOWS\system32\gorhmgyd.exe
2007-11-09 18:31 86,080 --a------ C:\WINDOWS\system32\rphracly.dll
2007-11-09 18:30 71,232 --a------ C:\WINDOWS\system32\psnwclri.exe
2007-11-09 18:28 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-09 18:05 71,232 --a------ C:\WINDOWS\system32\xwgutrcx.exe
2007-11-09 18:04 <DIR> d-------- C:\Program Files\Roguescanfix
2007-11-09 17:54 80,448 --a------ C:\WINDOWS\system32\wegblnhr.dll
2007-11-09 17:49 86,080 --a------ C:\WINDOWS\system32\umwewdks.dll
2007-11-09 17:44 71,232 --a------ C:\WINDOWS\system32\twmjgtem.exe
2007-11-09 17:20 71,232 --a------ C:\WINDOWS\system32\wqljpdsf.exe
2007-11-09 17:18 145,984 --a------ C:\WINDOWS\system32\wfilecrq.dll
2007-11-09 16:52 86,080 --a------ C:\WINDOWS\system32\wlptdtrv.dll
2007-11-09 16:49 80,448 --a------ C:\WINDOWS\system32\dtluxjbk.dll
2007-11-09 16:47 71,232 --a------ C:\WINDOWS\system32\thykqtjw.exe
2007-11-09 16:08 <DIR> d-------- C:\Deckard
2007-11-09 16:02 80,448 --a------ C:\WINDOWS\system32\ruudgmkr.dll
2007-11-09 08:12 86,080 --a------ C:\WINDOWS\system32\tpshgvic.dll
2007-11-09 08:12 80,448 --a------ C:\WINDOWS\system32\spkilqei.dll
2007-11-09 08:11 145,984 --a------ C:\WINDOWS\system32\mtvfvboo.dll
2007-11-09 08:09 71,232 --a------ C:\WINDOWS\system32\ebocdywy.exe
2007-11-07 16:03 86,080 --a------ C:\WINDOWS\system32\sgdbuvwt.dll
2007-11-07 16:02 27,200 --a------ C:\WINDOWS\system32\3EN41ltW.exe
2007-11-07 16:01 145,984 --a------ C:\WINDOWS\system32\mivkaobe.dll
2007-11-07 16:01 71,232 --a------ C:\WINDOWS\system32\snvoupky.exe
2007-11-06 20:39 32,768 --a------ C:\WINDOWS\system32\mssrv32.exe
2007-11-06 16:05 <DIR> d-------- C:\VundoFix Backups
2007-11-06 16:04 87,104 --a------ C:\WINDOWS\system32\ejukmdmg.dll
2007-11-06 16:02 145,984 --a------ C:\WINDOWS\system32\wbrqalck.dll
2007-11-05 19:49 85,568 --a------ C:\WINDOWS\system32\hojvobkc.dll
2007-11-05 19:43 83,008 --a------ C:\WINDOWS\system32\idpracav.dll
2007-11-05 19:29 83,008 --a------ C:\WINDOWS\system32\mvowcjwh.dll
2007-11-04 20:51 <DIR> d-------- C:\Chuck
2007-11-03 18:39 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-03 18:39 <DIR> d-------- C:\temp\mZOr
2007-10-27 20:26 <DIR> d-------- C:\Program Files\Power Tab Software
2007-10-15 21:14 <DIR> d-------- C:\Wilber (Will) Pan ??? - Play It Cool ??

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 01:54 913,184 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-10 01:54 27,073,568 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-10 01:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-10 01:53 90,836 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-10 01:53 370,952 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-09 23:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-09 23:35 3,712 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-09 04:58 --------- d-----w C:\Program Files\mIRC
2007-11-06 23:05 --------- d-----w C:\Documents and Settings\Raymond Tuyen\Application Data\LimeWire
2007-11-06 01:05 --------- d-----w C:\Program Files\FlashGet
2007-11-04 22:08 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-31 05:14 --------- d-----w C:\Documents and Settings\Raymond Tuyen\Application Data\uTorrent
2007-10-27 03:48 --------- d-----w C:\Program Files\Java
2007-10-07 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-29 18:57 8,192 ----a-w C:\sysycxs.exe
2007-09-29 06:14 --------- d-----w C:\Documents and Settings\Raymond Tuyen\Application Data\Apple Computer
2007-09-26 00:26 --------- d-----w C:\Program Files\Winamp
2007-09-22 21:15 --------- d-----w C:\Documents and Settings\Raymond Tuyen\Application Data\dvdcss
2007-09-15 19:24 --------- d-----w C:\Program Files\NHN USA
2007-09-15 18:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-15 18:58 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-09-11 01:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-09-11 01:33 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-11 01:15 --------- d-----w C:\Program Files\uTorrent
2007-09-10 15:55 692,224 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
2007-08-28 00:28 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-08-16 03:21 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-08-16 03:21 286,720 ----a-w C:\WINDOWS\Setup1.exe
2007-08-16 03:21 249,856 ----a-w C:\WINDOWS\system32\drmupgds.exe
2007-08-16 03:21 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-08-16 03:21 146,432 ----a-w C:\WINDOWS\system32\WudfHost.exe
2007-08-16 03:21 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-08-16 03:21 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-08-10 03:51 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-08_16.28.22.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-09 21:17:23 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 14:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-11-09 21:17:23 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-29 21:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-11-29 22:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 09:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 10:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72d3bd6a-af2f-41b2-bd97-fb7a936a64ff}]
2007-11-09 18:52 80448 --a------ C:\WINDOWS\system32\qcedtish.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-25 22:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 18:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 11:22 C:\WINDOWS\system32\nvmctray.dll]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-07-20 21:05]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2003-05-30 08:42]
"AVP"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2007-04-03 10:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 19:27]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ixvgbzzn]
ixvgbzzn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommkji]
qommkji.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 20:54:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 20:55:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-31 14:02
C:\ComboFix2.txt ... 2007-11-08 16:30
C:\ComboFix3.txt ... 2007-08-31 14:02
.
--- E O F ---

===========================================================================

now its the updated HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:51 PM, on 09/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\reveal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {ff46a639-a7bf-79db-2b14-f2faa6db3d27} - {72d3bd6a-af2f-41b2-bd97-fb7a936a64ff} - C:\WINDOWS\system32\qcedtish.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixvgbzzn - ixvgbzzn.dll (file missing)
O20 - Winlogon Notify: qommkji - qommkji.dll (file missing)
O23 - Service: Active Virus Shield (AVP) - Kaspersky Lab - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5287 bytes

so far nothing has of happened yet but ill keep a watch for it

Back to top

#13 OFFLINE askey127

Advanced Member

Members
108 posts

Gender:Male
Location:New Hampshire, US

Posted 09 November 2007 - 01:15 PM

LoganX,
-------------------------------------------------------------

Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.

Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard

Files::
C:\WINDOWS\system32\qcedtish.dll
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ixvgbzzn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommkji]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72d3bd6a-af2f-41b2-bd97-fb7a936a64ff}]

Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
Save it to your desktop as CFScript.txt
Now drag and drop the CFScript.txt icon onto combofix.exe as in the picture above, and follow the prompts.
Then post the resultant log, C:\ComboFix.txt, in your next reply.

-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis (reveal.exe).
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of the C:\Combofix.txt
askey127

Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

Back to top

#14 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 10 November 2007 - 06:14 AM

Sorry for the delay in reply... i was out late and had friends over... anyways just wanted to say thanks for your hardwork these pass few days... i really appreciate your help and the amount of time you put into this... without a further a do, heres ym HJT log and ComboFix log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:20 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\reveal.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {56B9206A-91E8-4D1E-8863-7544F36477BC} - C:\Program Files\Common Files\sadeC:\WINDOWS\system32\x24\jumper83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Active Virus Shield (AVP) - Kaspersky Lab - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5282 bytes

ComboFix 07-11-08.1 - Raymond Tuyen 2007-11-11 0:26:35.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.635 [GMT -5:00]
Running from: C:\Documents and Settings\Raymond Tuyen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Raymond Tuyen\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\h12
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\s21
C:\WINDOWS\system32\x24
C:\WINDOWS\system32\x24\jumper83122.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-09 21:24 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-09 21:24 <DIR> d-------- C:\temp\abW9
2007-11-09 18:52 80,448 --a------ C:\WINDOWS\system32\qcedtish.dll
2007-11-09 18:46 86,080 --a------ C:\WINDOWS\system32\ccvyvmxg.dll
2007-11-09 18:44 71,232 --a------ C:\WINDOWS\system32\gorhmgyd.exe
2007-11-09 18:31 86,080 --a------ C:\WINDOWS\system32\rphracly.dll
2007-11-09 18:30 71,232 --a------ C:\WINDOWS\system32\psnwclri.exe
2007-11-09 18:28 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-09 18:05 71,232 --a------ C:\WINDOWS\system32\xwgutrcx.exe
2007-11-09 18:04 <DIR> d-------- C:\Program Files\Roguescanfix
2007-11-09 17:54 80,448 --a------ C:\WINDOWS\system32\wegblnhr.dll
2007-11-09 17:49 86,080 --a------ C:\WINDOWS\system32\umwewdks.dll
2007-11-09 17:44 71,232 --a------ C:\WINDOWS\system32\twmjgtem.exe
2007-11-09 17:20 71,232 --a------ C:\WINDOWS\system32\wqljpdsf.exe
2007-11-09 17:18 145,984 --a------ C:\WINDOWS\system32\wfilecrq.dll
2007-11-09 16:52 86,080 --a------ C:\WINDOWS\system32\wlptdtrv.dll
2007-11-09 16:49 80,448 --a------ C:\WINDOWS\system32\dtluxjbk.dll
2007-11-09 16:47 71,232 --a------ C:\WINDOWS\system32\thykqtjw.exe
2007-11-09 16:08 <DIR> d-------- C:\Deckard
2007-11-09 16:02 80,448 --a------ C:\WINDOWS\system32\ruudgmkr.dll
2007-11-09 08:12 86,080 --a------ C:\WINDOWS\system32\tpshgvic.dll
2007-11-09 08:12 80,448 --a------ C:\WINDOWS\system32\spkilqei.dll
2007-11-09 08:11 145,984 --a------ C:\WINDOWS\system32\mtvfvboo.dll
2007-11-09 08:09 71,232 --a------ C:\WINDOWS\system32\ebocdywy.exe
2007-11-07 16:03 86,080 --a------ C:\WINDOWS\system32\sgdbuvwt.dll
2007-11-07 16:02 27,200 --a------ C:\WINDOWS\system32\3EN41ltW.exe
2007-11-07 16:01 145,984 --a------ C:\WINDOWS\system32\mivkaobe.dll
2007-11-07 16:01 71,232 --a------ C:\WINDOWS\system32\snvoupky.exe
2007-11-06 20:39 32,768 --a------ C:\WINDOWS\system32\mssrv32.exe
2007-11-06 16:05 <DIR> d-------- C:\VundoFix Backups
2007-11-06 16:04 87,104 --a------ C:\WINDOWS\system32\ejukmdmg.dll
2007-11-06 16:02 145,984 --a------ C:\WINDOWS\system32\wbrqalck.dll
2007-11-05 19:49 85,568 --a------ C:\WINDOWS\system32\hojvobkc.dll
2007-11-05 19:43 83,008 --a------ C:\WINDOWS\system32\idpracav.dll
2007-11-05 19:29 83,008 --a------ C:\WINDOWS\system32\mvowcjwh.dll
2007-11-04 20:51 <DIR> d-------- C:\Chuck
2007-11-03 18:39 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-03 18:39 <DIR> d-------- C:\temp\mZOr
2007-10-27 20:26 <DIR> d-------- C:\Program Files\Power Tab Software
2007-10-15 21:14 <DIR> d-------- C:\Wilber (Will) Pan ??? - Play It Cool ??

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 05:28 939,552 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-11 05:27 27,483,936 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-10 20:32 93,044 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-10 20:32 374,720 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-09 23:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-09 23:35 3,712 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-09 04:58 --------- d-----w C:\Program Files\mIRC
2007-11-06 23:05 --------- d-----w C:\Documents and Settings\Raymond Tuyen\Application Data\LimeWire
2007-11-06 01:05 --------- d-----w C:\Program Files\FlashGet
2007-11-04 22:08 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-31 05:14 --------- d-----w C:\Documents and Settings\Raymond Tuyen\Application Data\uTorrent
2007-10-27 03:48 --------- d-----w C:\Program Files\Java
2007-10-07 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-29 18:57 8,192 ----a-w C:\sysycxs.exe
2007-09-29 06:14 --------- d-----w C:\Documents and Settings\Raymond Tuyen\Application Data\Apple Computer
2007-09-26 00:26 --------- d-----w C:\Program Files\Winamp
2007-09-22 21:15 --------- d-----w C:\Documents and Settings\Raymond Tuyen\Application Data\dvdcss
2007-09-15 19:24 --------- d-----w C:\Program Files\NHN USA
2007-09-15 18:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-15 18:58 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-09-11 01:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-09-11 01:33 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-11 01:15 --------- d-----w C:\Program Files\uTorrent
2007-09-10 15:55 692,224 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
2007-08-28 00:28 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-08-16 03:21 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-08-16 03:21 286,720 ----a-w C:\WINDOWS\Setup1.exe
2007-08-16 03:21 249,856 ----a-w C:\WINDOWS\system32\drmupgds.exe
2007-08-16 03:21 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-08-16 03:21 146,432 ----a-w C:\WINDOWS\system32\WudfHost.exe
2007-08-16 03:21 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-08-16 03:21 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-08_16.28.22.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-09 21:17:23 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 14:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-11-09 21:17:23 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2007-11-07 18:25:00 32,768 ----a-w C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe
- 2006-11-29 21:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-11-29 22:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 09:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 10:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56B9206A-91E8-4D1E-8863-7544F36477BC}]
C:\Program Files\Common Files\sadeC:\WINDOWS\system32\x24\jumper83122.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-25 22:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 18:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 11:22 C:\WINDOWS\system32\nvmctray.dll]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-07-20 21:05]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2003-05-30 08:42]
"AVP"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2007-04-03 10:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 19:27]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" []
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 00:28:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 0:28:37
C:\ComboFix-quarantined-files.txt ... 2007-08-31 14:02
C:\ComboFix2.txt ... 2007-11-09 20:55
.
--- E O F ---

Back to top

#15 OFFLINE askey127

Advanced Member

Members
108 posts

Gender:Male
Location:New Hampshire, US

Posted 10 November 2007 - 11:58 AM

LoganX,
-----------------------------------------------------------
Peer to Peer File Sharing
Please note that as long as you're using any form of Peer-to-Peer networking (utorrent, Azureus, Morpheus, Limewire, etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

When you use Peer-to-peer (P2P) programs, you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. It's hardly surprising that many of the available downloads are being used by malware purveyors as a delivery method for their infections. Further, if your P2P program is not configured correctly you may be sharing more files than you realize. See here : http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

Even if you have one of the SAFE P2P programs, the practice of file-sharing is very UNSAFE for the health of your PC.
You may decide to continue P2P sharing, but keep in mind that this practice may be the source of major PC infections.
Better ask yourself if you and your system CD are REALLY ready to reformat your Hard Drive and Re-install Windows.

The risks of using P2P programs are described here Sourceforge webpage and in this Information Week article.
Some malware help forums are now refusing to help those who show up with infections from P2P usage.

I think you should stop using and Uninstall Azureus, utorrent and Limewire, but it's your decision.
-----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Following Programs, one at a time, and click the Run Uninstaller button for each one.
Wait for completion of each one before highlighting and Uninstalling the next.

Flashget
uTorrent
Limewire
Azureus

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O2 - BHO: (no name) - {56B9206A-91E8-4D1E-8863-7544F36477BC} - C:\Program Files\Common Files\sadeC:\WINDOWS\system32\x24\jumper83122.exe.dll (file missing)

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:

Quote

cmd /c dir C:\*.* /L /A /B /S|Find "jumper8" >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of this file.
------------------------------------------------------
Please download SmitFraudFix.exe by S!Ri and save it to the desktop.

Double click on SmitfraudFix.exe.
Press 1 then hit the Enter key.
It will create a report named rapport.txt, usually in the root of your C drive
Please copy/paste the content of that text file report (C:\rapport.txt) into your next reply.

-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis (reveal.exe).
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of C:\rapport.txt and look.txt on your desktop.

askey127

Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

Back to top

#16 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 11 November 2007 - 03:46 AM

SmitFraudFix v2.252

Scan done at 22:44:20.48, 11/11/2007
Run from C:\Documents and Settings\Raymond Tuyen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Raymond Tuyen

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Raymond Tuyen\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\RAYMON~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Wireless-G PCI Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2AF4E7DA-FFFB-40E4-8938-F3ADAAEDA608}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2AF4E7DA-FFFB-40E4-8938-F3ADAAEDA608}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2AF4E7DA-FFFB-40E4-8938-F3ADAAEDA608}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

i tried the cmd/ run thingy but the look.txt file had nothing in it for me to paste

Back to top

#17 OFFLINE askey127

Advanced Member

Members
108 posts

Gender:Male
Location:New Hampshire, US

Posted 11 November 2007 - 12:30 PM

LoganX,
Looks much better.
-----------------------------------------------------------
Run CCleaner Cleaning Scan.
If it's not already running, Start CCleaner.
Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
Download and Run AVG Anti-Spyware:
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:

Click the Update icon at the top and under Manual Update click the Start update button.
The program will either update or inform you that no update was available.
It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).

Please set up the program as follows:

Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
Click the Update icon and untick the automatic update option.
Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act? - make sure that Quarantine is selected.
- Under How to scan? - All checkboxes should be ticked.
- Under Possibly unwanted software - All checkboxes should be ticked.
- Under Reports - Select Do not automatically generate reports. <== This is important
- Under What to scan? - Select Scan every file.

Close all open windows.

Click on Scanner on the program's toolbar.
Click on Complete System Scan to start the scan process.
Let the program scan your computer.
When the scan has finished, follow the instructions below:
- Make sure that Set all elements to: shows Quarantine
- Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
- When the program has finished, it will display the message All actions have been applied.
- Then click the Save Scan Report button.
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Tray Icon and select Exit.

-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis (reveal.exe).
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of the AVG Anti-Spyware report..
askey127

Microsoft MVP 2007-2008
FixEdit | FixEdit User Guide | Log Comparator |

Back to top

#18 OFFLINE LoganX

Advanced Member

Members
72 posts

Posted 13 November 2007 - 12:59 AM

sorry for the delay but i have alot of tests coming up lately in school and need to focus there so it may take a while for me to do all those sorry to make you wait...

Back to top

Back to Spyware Hell