PDA

View Full Version : Desperately need help!


NightShadow07
2007-04-07, 06:54
I realized that my first post didn't conform to the rules specified in the Sticky Thread about how to submit posts here. Sorry about that. Here's a second attempt...

I'm totally stumped. Here's the symptoms:


Trying to access/scan Windows/System32 folder ALWAYS results in an automatic shut down without warning. Using DOS "dir" commands has the same result. I can search for specific files or wildcards in the Sys32 folder, but that's about it.
System, especially after rebooting, runs extremely slow.
There is network activity even though I don't have a web browser open. Task Manager says that IE is running, even when I know it shouldn't be.
Doing a system scan with Silent Runners or Spybot results in a fast shut-down, no warning.


All this mess started yesterday and there were a slew of other malware bots running, most of which I killed off last night. But this last one is persistent and simply doesn't want to be found, no matter how hard I try. I am posting the two most comprehensive scan logs I have available before the shut-down problem started occurring (it is a recent issue). Any insight or guidance on this troubling and frustrating problem would be met with every ounce of gratitude I can muster.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:09 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
E:\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\Spybot\TeaTimer.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\INSTALLS\Utils\Security\BugKiller.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///E:/Design/sites/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Design/sites/portal.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///E:/Design/sites/portal.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Design/sites/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = file:///E:/Design/sites/portal.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = file:///E:/Design/sites/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Online
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2392E790-76AF-46A7-95CD-5494F312FA82}: NameServer = 200.169.96.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BD04A40-E23A-4990-B6CA-97213962FE9F}: NameServer = 200.169.96.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{82861BA6-E1ED-4898-AF77-9A6708EAA9E3}: NameServer = 200.169.96.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{A020F665-E17F-4D6D-B33A-6A41ADDB54C3}: NameServer = 200.169.96.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5E6859C-171B-4BA4-BEB1-B61F7E2A0F4B}: NameServer = 200.169.96.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{2392E790-76AF-46A7-95CD-5494F312FA82}: NameServer = 200.169.96.11
O17 - HKLM\System\CS4\Services\Tcpip\..\{2392E790-76AF-46A7-95CD-5494F312FA82}: NameServer = 198.231.24.102
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - (no file)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O21 - SSODL: xeLExpGe - {F8CECC18-5264-66B2-254B-9BB0C5FD68DE} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[b]And here is the Silent Runners log:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "E:\Spybot\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"BtcMaestro" = ""C:\Program Files\KMaestro\KMaestro.exe"" ["BTC"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"Ad-watch" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"" ["Lavasoft Sweden"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [file not found]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" [file not found]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "E:\Spybot\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{35786D3C-B075-49b9-88DD-029876E11C01}" = "Portable Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]
"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" = "Portable Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PhotagSearch\(Default) = "{181ED3BC-91D2-4424-B8E1-922B8F55BF56}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PhoTags Express\PWSSearchHandler.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\flashpaper.html"

Active Desktop web content:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "C:\Program Files\Outlook Express\kyzeq.html"
"SubscribedURL" = ""

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"FriendlyName" = ""
"Source" = "C:\Program Files\WindowsUpdate\howynyc.html"
"SubscribedURL" = ""


Startup items in "Jay" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\Jay\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Loadout Manager" -> shortcut to: "C:\Program Files\Belkin\Nostromo\nost_LM.exe -startup" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NETGEAR WG311v2 Smart Configuration" -> shortcut to: "C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe /HIDE" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
rsvp32_2.dll [file not found], 27 - 52


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
C-DillaSrv, C-DillaSrv, "C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE" ["C-Dilla Ltd"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
RaySat_3dsmax8 Server, mi-raysat_3dsmax8, "E:\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe" [null data]
RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "KeyMaestro" [file not found]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 29 seconds, including 11 seconds for message boxes)





PLEASE HELP!!!
shelf life
2007-04-13, 01:20
hi NightShadow07,

first we will remove malware, (in safe mode)
update ad aware, and spybot. i dont see a antivirus application in the log, do you have one?
i would remove this via add/remove programs panel:
BugKiller.exe
----------------------------
i would copy/paste this into notepad and save it somewhere like your desktop so you can read it in safe mode. to reach safe mode you would tap the f8 key during a computer restart, chose the first option: safe mode.

once in safe mode:
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -

O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)

O21 - SSODL: xeLExpGe - {F8CECC18-5264-66B2-254B-9BB0C5FD68DE} - (no file)
-----------------------
still in safe mode:
using explorer(right click on start>explore) drill down to these >>> you want to delete whats >inside< the folder, not the folder itself<<

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-----------------------
still in safe mode run bot spybot and ad aware.

reboot normally, first stop is here:
Panda ActiveScan

http://www.pandasoftware.com/products/activescan.htm

* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send (use a fake e-mail)
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
--------------------------------
if internet explorer still runs when it shouldnt be then you should pull the plug on your modem and use your computer as little as possible.
---------------------------------
do you need antivirus software?
---------------------------------
shelf life
NightShadow07
2007-04-13, 08:49
Thanks for the assistance, but it came just a little too late, unfortunately. I wiped my system this morning and am starting with a completely fresh install of EVERYTHING. I was getting correspondence from my ISP, telling me that my system was being used to send out SPAM. As someone who has a white-hot hatred for SPAM and those who send it out, I just couldn't let things sit any longer.

It's better this way, actually. I can rebuild my system the way I want to with a completely new outlook on things. Yes, I will install HJT, Spybot, ZoneAlarm, AdAware and some anti-virus software all at the beginning so that I won't get caught with my pants around my ankles again.

Anyway... I hope I don't have to seek help from ya'll again anytime soon. I know you provide a good, free service to lots of people. You have my highest regards and respect for all that you do for so many.

Keep on keepin' on!
shelf life
2007-04-13, 13:14
hi NightShadow07,


I wiped my system this morning and am starting with a completely

sometimes that can be the quickest way to resolve everything.
now you have a clean slate to start with.


HJT, Spybot, ZoneAlarm, AdAware and some anti-virus software

you can have 89 security apps and still get malware. it would help to learn how malware gets on your computer, then you can prevent it.

happy safe surfing.

for your reference:
Prevention-or How Can I Help Myself? (http://security-central.us/SafeHex/prevention.htm)