PDA

View Full Version : Reoccurring malicious spyware.



Seraphim471
2007-04-10, 08:06
Navigation has been getting rather difficult lately after a system format, I have a reoccurring file in the HijackThis log referred to as mfcmap.dll. I've tried various methods of removal but the file remains, and it's not exactly my best option to see "registry changed denied" on the TeaTimer all day to prevent it from attacking my browser. Here's my HijackThis log, if you see anything wrong with my stuff, including that, and know how to fix it, as I've tried VARIOUS methods of removal and they just keep returning, the assistance would be much appreciated!

Current symptoms have been occasional popup advertisements and in the Processes tree, an iexplore.exe process that remains invisible to the user, and reoccurs even when forced to end process. Occasional malicious spyware is detected by Spybot and Lavasoft Ad-Aware SE Personal.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:06:37 AM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
H:\HijackThis\HiJackThis_v2.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {d5e28378-13dc-4f18-b541-2a1c2b6e3eab} - C:\WINDOWS\system32\mfcmap.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ydbplotak.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3900 bytes

Angelfire777
2007-04-10, 21:43
Hi, welcome to Safer Networking forums!


and in the Processes tree, an iexplore.exe process that remains invisible to the user,

Can you elaborate on this please?


Hi,


Please download LSPFix from here (http://www.cexx.org/LSPFix.exe).
Run the LSPFix.exe that you have just finished downloading.
Check the "I know what I'm doing" box.
In the Keep box you should see one or more instances of ydbplotak.dll
Select every instance of ydbplotak.dll and move each one to the Remove box by clicking the ">>" button.
When you are done click "Finish>>".


*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Do not use it yet.
___________________

*We need to temporarily disable Spybot's TeaTimer, it may stop our fix.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {d5e28378-13dc-4f18-b541-2a1c2b6e3eab} - C:\WINDOWS\system32\mfcmap.dll

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


*Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.


*Using Windows Explorer, find and delete these files:

c:\windows\system32\ydbplotak.dll
C:\WINDOWS\system32\mfcmap.dll

Empty your recycle bin.
____________________

*Important: Make sure all your browsers are closed before running ATF Cleaner..

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follow:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.


*Your log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup" to stop something from running. While this is normally OK, it is possible that you have disabled something that will affect how we fix your malware problem. While disabled, it will not show up in the HijackThis log.

Go to Start > Run and type Notepad
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is unchecked.

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt
Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "mslook.bat" (you MUST include the quotes)
Locate mslook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

On your next reply, please include a fresh HijackThis log, AVG Antispyware log, the results of mslook.bat and a description on how is your machine running.

Seraphim471
2007-04-11, 00:49
As for the iexplore being "invisible," I mean that there is no visible, open browser on the desktop, however, there is a visible process in the processes menu, and frequently before I have heard audible advertisements running. On several occasions, ending the process will close it out, but on more than one occasion it has frequently reopened itself without any visible browser open on the screen.

You're instructing me to "fix" the mfcmap BHO in HijackThis, however upon doing so it just reestablishes itself the next second, is this supposed to occur or is it supposed to remain deleted while I continue the other processes?

Also, on another note, I have attempted manual deletion of mfcmap.dll before, however I was informed that it was "in use by another process" and it would not allow me to delete it, however I will try again following these instructions and reply with the results.

Here are the results from the mslook.bat you instructed me to do for you to read while I conduct the other actions listed.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"aawservice"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000000

Angelfire777
2007-04-11, 01:53
You're instructing me to "fix" the mfcmap BHO in HijackThis, however upon doing so it just reestablishes itself the next second, is this supposed to occur or is it supposed to remain deleted while I continue the other processes?

Just continue with the instructions, then let's see how things are after you post the logs:bigthumb:

Seraphim471
2007-04-11, 06:54
Okay, i've returned with the results. As suspected, mfcmap.dll could not be removed, due to windows claiming that it was "in use." ydbplotak.dll went down without a fight.

I alreaedy posted the mslook log, here's the new HijackThis Log. Also, I have attached a screenshot of the detected infections using AVG. While following the instructions, the "Save Report As" was grayed out and there were no "reports" present to save to begin with.

AVG Scan Results
http://i19.photobucket.com/albums/b151/ShadowWolf471/avgscan.jpg

New Hijack Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:48:32 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
H:\HijackThis\HiJackThis_v2.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {d5e28378-13dc-4f18-b541-2a1c2b6e3eab} - C:\WINDOWS\system32\mfcmap.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: mfcmap - C:\WINDOWS\SYSTEM32\mfcmap.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3193 bytes

Seraphim471
2007-04-11, 06:58
*Sorry for double post*

Additionally - my computer still receives periodic pop up advertisements while the Internet Explorer window is open, something that I've been getting from the beginning. I have Service Pack 2 installed, but it is doing little to actually prevent popups.

Angelfire777
2007-04-11, 17:19
Hi, I see you have ran vundofix before... Please download and use this new one...

Something came out that wasn't there in your first log..

*Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Seraphim471
2007-04-12, 00:41
VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 4:19:11 PM 4/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp17.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp17.tmp.dll
C:\WINDOWS\system32\tmp17.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 6:27:40 AM 4/11/2007

Listing files found while scanning....


VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 4:30:02 PM 4/11/2007

Listing files found while scanning....

No infected files were found.



The other one was found on an initial attempt to remove malicious f
VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 4:19:11 PM 4/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp17.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp17.tmp.dll
C:\WINDOWS\system32\tmp17.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 6:27:40 AM 4/11/2007

Listing files found while scanning....


VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 4:30:02 PM 4/11/2007

Listing files found while scanning....

No infected files were found.

Angelfire777
2007-04-12, 00:45
Please post a fresh HijackThis log.

Seraphim471
2007-04-18, 01:48
I apologize for the late reply in this issue. I gave up on the attempt to remove the file and committed a system format, however now I am frequently getting something in the system startup labeled dumprep 0 -k or dumprep 0 -u. Before it appears, the computer seems to spontaneuously restart for no reason, most commonly during an adscan. Can you shed any light on the situation?

Angelfire777
2007-04-18, 08:50
I gave up on the attempt to remove the file and committed a system format, however now I am frequently getting something in the system startup labeled dumprep 0 -k or dumprep 0 -u.

Those 2 things are signs that the computer had a BSOD...Are these things happening even after you reformatted the machine..?


Before it appears, the computer seems to spontaneuously restart for no reason, most commonly during an adscan. Can you shed any light on the situation?

Sounds like malware to me..Can you post a fresh HijackThis log?

Seraphim471
2007-04-19, 01:45
After I formatted, mfcmap and all previous errors were erased. Now all I'm facing is random system restarts, and upon restarting, when looking in MSConfig, one of those two dumprep names are there.

I left MSConfig on standard this time for you to see everything, as far as I know I do not see anything malicious. I am also facing various issues when downloading or installing software, the computer frequently claims the files are corrupt, even after several attempts of download or installation. The errors appear ranging from CD-installations to downloaded exes, and I don't know if that's more of a hardware issue or what.:

Logfile of HijackThis v1.99.1
Scan saved at 5:43:22 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MsgSys.EXE
F:\backup\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Also, on another note, this is perhaps the wrong place to mention it, but during Windows XP installation, I faced various errors mentioning files on the CD were corrupt, synonomous to the error mentioned earlier over the "corrupt" files. In order to install Windows flawlessly, I was required to remove one of my two memory sticks and my video card to get Windows to install. While both were out, various other things installed fine as well without error, but once they were replaced onto the motherboard, I faced the errors again. I assume this is a hardware error and I should seek support on that issue from my mobo/chip manufacturer?

Angelfire777
2007-04-19, 08:12
I see you are running 2 antivirus applications at the same time...Please disable one of your Antivirus' realtime protection..Not only will 2 active Antivirus conflict with each other, your overall system security is lowered...

I'm sorry but I can't help you anymore with your problem since you said that you just reformatted and your log is clean, I doubt that this is malware related. My knowledge is only limited to malware removal so I'm afraid I have to redirect you to other forums..

You can register here: www.pcpitstop.com , run some tests and ask the troubleshooting experts there about your problem. You'll be in better hands :)
__________________


Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application - Although Windows Xp comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other Firewall that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http//www.sunbelt-software.com/Kerio-Download.cfm)

Install Spyware Guard
~You can download it from here (http://www.javacoolsoftware.com/spywareguard.html)
~You can read the tutorial on how to use Spyware Guard here (http://www.bleepingcomputer.com/tutorials/tutorial50.html)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

Angelfire777
2007-04-23, 00:56
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.