View Full Version : malware disabled spybotsd.exe



asheatl26
2009-03-26, 03:11
I tried renaming it to spybotsd1.exe, ran an update and obviously I still can't run the new spybotsd.exe...

Windows XP Home edition...

My 7 yr old was on ESPN's website and clicked on some popup or banner and installed some spyware removal program, which is irritating to say the least. I have already removed what I can of it via Prog Files and Task Man and Regedit, but I still can't open Spybot, and some pages still give a weird Microsoft security error... I installed DDS; any help to get Spybot running for me to remove this pain in my @$$ is appreciated. Another thing to add is that I was unable to do a system restore, as I have no restore points, which I always have, so I'm not sure what that is about.

DDS.txt is below and attach.txt is below that... It's only 9KB but I was not allowed to attach it...

Thanks in advance!
Ashley

DDS (Ver_09-03-16.01) - NTFSx86
Run by ashe at 21:57:19.54 on Wed 03/25/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.507 [GMT -5:00]

AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ashe\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mWinlogon: SFCDisable=4 (0x4)
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: : {6cb4d79d-4a29-4fce-ad72-02355d2e1fa1} - c:\windows\system32\ewmwzkg.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} - c:\windows\system32\iehelper.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Internet Speed Monitor: {1bac9a2a-4755-43c3-a430-d3512c5b8a4e} - c:\program files\qdrdrive\QdrDrive8.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: dpodcztj - ewmwzkg.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - No File
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtutt.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-1-5 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-1-5 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-1-5 27776]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2008-1-5 3968]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-1-5 10760]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2008-1-5 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2008-1-5 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2008-1-5 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-1-5 4960]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 ruxsmkkf;AVG Anti-Spyware Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2007-6-26 724992]
S3 MSControlService;Microsoft cache control;c:\windows\system32\windows --> c:\windows\system32\windows [?]

=============== Created Last 30 ================

2009-03-25 09:37 <DIR> --d----- c:\docume~1\ashe\applic~1\kxtinfbn
2009-03-25 07:14 10,752 a------- c:\windows\system32\iehelper.dll
2009-03-25 07:09 <DIR> --d----- c:\program files\WinPcap
2009-03-25 07:04 <DIR> --dsh--- c:\windows\system32\lowsec
2009-02-23 23:13 <DIR> --d----- c:\documents and settings\ashe\.realobjects

==================== Find3M ====================

2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-03 12:56 122,771 a------- c:\windows\hpoins14.dat
2008-10-16 23:27 19,757 a------- c:\docume~1\alluse~1\applic~1\oxeza.bin
2008-10-16 23:27 18,603 a------- c:\docume~1\ashe\applic~1\qigiz.dll
2008-10-16 23:27 18,202 a------- c:\docume~1\alluse~1\applic~1\yhetetarig.scr
2008-10-15 17:44 14,161 a------- c:\docume~1\alluse~1\applic~1\uhiteji.pif
2008-04-27 14:10 40,936 a------- c:\docume~1\ashe\applic~1\GDIPFONTCACHEV1.DAT
2007-12-14 10:10 6,773 a--sh--- c:\windows\system32\edeeg.ini2
2008-01-05 09:15 6,560 a--sh--- c:\windows\system32\egjlm.bak1
2008-01-04 17:27 6,560 a--sh--- c:\windows\system32\ijkmp.bak1
2008-01-03 06:02 625,574 a--sh--- c:\windows\system32\kjkmp.bak1
2007-12-09 12:26 6,536 a--sh--- c:\windows\system32\qrutv.bak1
2007-12-14 10:10 6,921 a--sh--- c:\windows\system32\rrqss.ini2
2007-12-20 18:09 6,589 a--sh--- c:\windows\system32\ststv.ini2
2008-01-05 15:10 6,560 a--sh--- c:\windows\system32\ttutv.bak1
2008-01-05 15:35 626,441 a--sh--- c:\windows\system32\ttutv.bak2
2008-01-04 18:28 6,560 a--sh--- c:\windows\system32\xbadd.bak1
2007-12-20 18:09 6,836 a--sh--- c:\windows\system32\ybadd.ini2

============= FINISH: 21:57:59.43 ===============

ATTACH.TXT
----------------------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/17/2007 12:58:45 PM
System Uptime: 3/25/2009 9:52:49 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG864
Processor: Intel(R) Core(TM)2 CPU 6320 @ 1.86GHz | Microprocessor | 1862/1066mhz
Processor: Intel(R) Core(TM)2 CPU 6320 @ 1.86GHz | Microprocessor | 1862/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 230 GiB total, 205.292 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP CIO Components Installer
ABBYY FineReader 6.0 Sprint
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player
AIO_Scan
AOLIcon
AVG Anti-Spyware 7.5
AVG Free Edition
Cabela's Big Game Hunter - Alaskan Adventures
CDDRV_Installer
Conexant D850 56K V.9x DFVc Modem
Crazy Browser version 2.0.1
CyberSky
Dell CinePlayer
Dell Driver Reset Tool
Dell System Restore
Desktop Doctor
Digital Line Detect
DJ_AIO_Software_min
Documentation & Support Launcher
Dungeon Siege Legends of Aranna
ESPN Java Check
Games, Music, & Photos Launcher
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB921411)
Hotfix for Windows XP (KB952287)
HP Deskjet All-In-One Software 9.0
HUNT 1.0
Hunting Unlimited 3
IAS Visual ADVANCE!
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
KhalSetup
Learn2 Player (Uninstall Only)
Lexmark 3400 Series
Lexmark Fax Solutions
Lexmark Toolbar
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Helper
Mozilla Firefox (3.0.6)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NetWaiting
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PokerStars.net
QuickTime
RealPlayer Basic
Remote Administrator v2.2
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scan
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
SetPoint
Sonic Activation Module
Sonic Update Manager
Spybot - Search & Destroy
TaxCut Basic + Efile 2008
TaxCut Georgia 2007
TaxCut Premium + State 2007
Toolbox
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Mail
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver

==== Event Viewer Messages From Past Week ========

3/25/2009 3:55:57 PM, error: TermService [1036] - Terminal Server session creation failed. The relevant status code was 0xC0000037.

==== End Of File ===========================


"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

pskelley
2009-03-27, 13:14
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

If you still want help, please read and follow the "Before you Post" instructions; since I do not have an HJT log, I have to assume you did not.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.0.8 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

AVG Anti-Spyware 7.5 <<< uninstall this obsolete program in Add Remove programs.

AVG Free Edition <<< why are you running an out of date antivirus program? Please wait until I give you instructions for updating this later.

J2SE Runtime Environment 5.0 Update 6 <<< out of date and unsafe, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Mozilla Firefox (3.0.6) <<< an update is available to (3.0.7)


Let's start like this:

Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

Thanks

asheatl26
2009-03-30, 01:35
Here it is below. Sorry for the delay; I was not near this computer to run the log... I have not done anything yet, as I want to wait for you to see this log, then I will do what y'all suggest I do. Thanks again for any help y'all can provide. ~ ashe

Logfile of HijackThis v1.99.1
Scan saved at 7:27:08 PM, on 3/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\programs\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1} - c:\windows\system32\ewmwzkg.dll
O2 - BHO: BHO - {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: dpodcztj - C:\WINDOWS\SYSTEM32\ewmwzkg.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)
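The DDS and HijackThis logs in this thread show the handful of persistence points a responder triages first: a Winlogon Userinit value with a second executable appended after userinit.exe, a Winlogon Notify DLL with a random-looking name, an LSA Authentication Packages entry pointing at an unexpected DLL, SFCDisable set to a non-zero value, a BHO with no name, and services whose image file is missing. The Python script below is an added example, not code from this thread, from Spybot, or from the DDS/HJT tools: it reads lines in either log format and flags those conditions. The sample lines are copied from the logs posted above; the Winlogon Notify allowlist is an assumption made for the example and should be replaced with a baseline taken from a known-clean machine of the same Windows build.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category detail")

# Assumed allowlist of Winlogon Notify DLLs shipped with Windows XP (an example
# baseline only; build the real one from a known-clean machine of the same build).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wgalogon.dll",
}

# Sample lines copied from the DDS and HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1} - c:\windows\system32\ewmwzkg.dll
O20 - Winlogon Notify: dpodcztj - C:\WINDOWS\SYSTEM32\ewmwzkg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
mWinlogon: SFCDisable=4 (0x4)
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtutt.dll
"""


def basename(path):
    """Last component of a Windows path, lower-cased, with surrounding quotes dropped."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_line(line):
    """Return the findings for one HJT- or DDS-style log line (empty list if benign)."""
    line = line.strip()
    found = []

    # Winlogon Userinit: a clean value is exactly one entry, userinit.exe. Anything
    # appended after the comma is started by Winlogon at every interactive logon.
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if m:
        for entry in (e for e in m.group(1).split(",") if e.strip()):
            if basename(entry) != "userinit.exe":
                found.append(Finding("userinit_extra_entry", entry.strip()))
        return found

    # SFCDisable != 0 means Windows File Protection has been turned off.
    m = re.search(r"SFCDisable=(\d+)", line)
    if m and int(m.group(1)) != 0:
        found.append(Finding("sfc_disabled", m.group(0)))
        return found

    # LSA Authentication Packages: only msv1_0 is expected on a standalone XP box.
    m = re.search(r"Authentication Packages\s*=\s*(.*)$", line, re.IGNORECASE)
    if m:
        for pkg in m.group(1).split():
            if basename(pkg) not in ("msv1_0", "msv1_0.dll"):
                found.append(Finding("lsa_extra_auth_package", pkg))
        return found

    # Winlogon Notify DLLs (HJT "O20 - Winlogon Notify:" or DDS "Notify:" lines):
    # anything outside the baseline is queued for review, not declared malicious.
    m = re.search(r"Notify:\s*(\S+)\s*-\s*(.+)$", line)
    if m and basename(m.group(2)) not in KNOWN_NOTIFY_DLLS:
        found.append(Finding("unknown_winlogon_notify", m.group(2).strip()))
        return found

    # A BHO that registers no display name (HJT "(no name)", DDS "BHO: :").
    if re.search(r"BHO:\s*(\(no name\)|:)", line):
        found.append(Finding("unnamed_bho", line.rsplit(" - ", 1)[-1]))
        return found

    # A service whose image no longer exists on disk.
    if "(file missing)" in line and "Service:" in line:
        found.append(Finding("service_file_missing", line.split(" - ", 1)[-1]))
    return found


def scan(text):
    """Run check_line over every line of a pasted log and collect the findings."""
    results = []
    for line in text.splitlines():
        results.extend(check_line(line))
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.category:26} {finding.detail}")
```

Run against the sample it reports six findings, in log order: the sdra64.exe Userinit entry, the nameless BHO, the dpodcztj Notify DLL, the MSControlService with no image file, SFCDisable=4 and the vtutt.dll authentication package. The Notify check is a triage aid rather than a verdict: a legitimate third-party entry such as the Logitech LBTWlgn.dll in the same log would also be flagged for review, which is why the allowlist has to come from a clean baseline rather than from guesswork.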

asheatl26
2009-03-30, 01:41
Every time I try to download, I get redirected to this error page: http://browser-security.microsoft.com/blocked.php?r=17.2

This happens 85% of the time I go anywhere on the internet now...

Thanks,
Ashley

asheatl26
2009-03-30, 02:18
I finally got it downloaded, but something is stopping it from executing... I click on it and nothing happens. I redownloaded it again, thinking something happened with the download, and still, when I hit Run, nothing happens. Even looking at the process list, nothing. Thanks again for any help!!

~ashe

pskelley
2009-03-30, 14:32
Sounds like you have some real problems. Have you read the "Before you Post" directions yet? Reason I ask is you posted an HJT log that is out of date. Please see if you can post the correct HJT log; it might show something not shown in the old version.

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after installing. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

I am not sure what is causing this, but it may be Conficker; let's see if we can find out.

Tutorial:
http://www.pchell.com/virus/malicioussoftwareremovaltool.shtml

1) Click on Start, Run
2) Type MRT and Press Enter
3) You'll be presented with the following screen; click on the Next button

Scan results: if anything is found, follow the instructions below to open the log.

1) Click on Start, Run
2) Type the following and Press Enter

notepad c:\windows\debug\mrt.log

Copy/paste the contents of that Notepad window along with the new HJT log from version 2.0.2.

Thanks
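One way to read the mrt.log this step produces, as an added example that is not MRT code and not from any post in this thread: group the "->Scan ERROR" lines by Win32 error code and path, so that the expected noise (pagefile and hiberfil sharing violations, MSI streams the engine cannot decode) is separated from a file the scanner could not open at all. The error-code names are the standard winerror.h values; the sample log text is a constructed excerpt in the format mrt.log uses, and the labels "benign", "noise" and "suspicious" are this example's own. One caveat a practitioner would check first: compare the version and date line MRT prints against the date it ran. In the log posted later in this thread the tool is v1.42 from June 2008 running in March 2009, so "No infection found" is a verdict from nine-month-old signatures.

```python
"""Triage of a Malicious Software Removal Tool log (c:\\windows\\debug\\mrt.log).

Added example for this thread; not MRT code and not from any post here.
Groups '->Scan ERROR' lines by Win32 error code and path so the expected
noise can be told apart from a file the scanner could not open at all.
SAMPLE_MRT_LOG is a constructed excerpt in the format mrt.log uses.
"""
import re
from collections import Counter, defaultdict

# Win32 system error codes (winerror.h) that MRT reports in its '(code 0x.. (n))' suffix.
WIN32_ERRORS = {
    13: "ERROR_INVALID_DATA",
    32: "ERROR_SHARING_VIOLATION",
    33: "ERROR_LOCK_VIOLATION",
}

# Always held open by the kernel while Windows runs; sharing violations on them are expected.
ALWAYS_LOCKED = ("hiberfil.sys", "pagefile.sys")

SCAN_ERROR_RE = re.compile(
    r"^->Scan ERROR: resource file://(?P<path>.+?) "
    r"\(code 0x(?P<hex>[0-9A-Fa-f]{8}) \((?P<dec>\d+)\)\)$"
)

# Constructed excerpt (three of the repeated lines kept) in the mrt.log format.
SAMPLE_MRT_LOG = """\
Microsoft Windows Malicious Software Removal Tool v1.42, June 2008
Started On Mon Mar 30 19:44:01 2009

Extended Scan Results
----------------
->Scan ERROR: resource file://globalroot\\systemroot\\system32\\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\\systemroot\\system32\\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\\systemroot\\system32\\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://C:\\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\\WINDOWS\\Installer\\1d9ba914.msp->(MSI Stream 70) (code 0x0000000D (13))
No infection found as part of the extended scan

Results Summary:
----------------
No infection found.
"""


def parse_scan_errors(log_text):
    """Return [(path, win32_code), ...] for every '->Scan ERROR' line."""
    found = []
    for line in log_text.splitlines():
        m = SCAN_ERROR_RE.match(line.strip())
        if m:
            found.append((m.group("path"), int(m.group("dec"))))
    return found


def classify(path, code):
    """Label one scan error: 'benign', 'noise', 'suspicious' or 'unknown'."""
    lower = path.lower()
    if code == 32 and lower.endswith(ALWAYS_LOCKED):
        return "benign"
    if code == 13 and "->(msi stream" in lower:
        return "noise"
    if lower.startswith("globalroot\\") or code == 33:
        # Repeated lock violations on a system32 DLL that the scanner can only
        # name through the object-manager GLOBALROOT path, not a drive letter,
        # are the outlier worth a rootkit scan; MRT does not report them as an infection.
        return "suspicious"
    return "unknown"


def triage(log_text):
    """Return ({label: {path: count}}, first verdict line) for a whole log."""
    summary = defaultdict(Counter)
    for path, code in parse_scan_errors(log_text):
        summary[classify(path, code)][path] += 1
    verdict = next(
        (ln for ln in log_text.splitlines() if ln.lower().startswith(("no infection", "infection"))),
        "",
    )
    return {label: dict(counts) for label, counts in summary.items()}, verdict


if __name__ == "__main__":
    summary, verdict = triage(SAMPLE_MRT_LOG)
    print("MRT verdict:", verdict)
    for label in ("suspicious", "unknown", "benign", "noise"):
        for path, n in summary.get(label, {}).items():
            print(f"{label:10s} x{n:<3d} {path}")
```

Run it against the real file with `triage(open(r"c:\windows\debug\mrt.log").read())`; anything in the "suspicious" bucket is what to carry into a rootkit scan, and the "benign" and "noise" buckets can be ignored.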

asheatl26
2009-03-31, 02:51
I did read it, but obviously not as closely as I first thought. Installed the new HT version... Ran the MRT and it found nothing (posted below the HT log) but lots of scan errors? BS in my opinion, as I know something is wrong with my PC.

Also note that I know the sdra64.exe is a problem. I don't want to hit fix just yet, as last year when something affected the userinit file and I fixed it, it took me days to find how to do a manual sysrestore from the cmd prompt. Also find it odd that I can't do a system restore; I have it enabled, and have it maxed as far as disk space, but no restore points are listed. I went to services and checked it; it is set to automatic but wasn't running, so something is affecting that as well, even though I don't know how... So I started the service.

I know that something is up with iexplore.exe as well. When I ran HT, no browser was open and it still shows it as running, so something is using it. There is always an iexplore in the process list when nothing is open, which is not normal... The rundll32.exe is a little fishy. I run HT a lot, so I know what is different, and that is not anything that I installed causing that; while it could be a legitimate process, I don't think it is... as it hasn't always been there. The BHO ewmwzkg.dll is also an issue; I removed it and it is back... Also, the 1a.tmp was not there before and no one has been using this PC, so that is odd, as I have no idea where it is coming from.

Also, lastly, last night I tried to delete sdra64.exe. I don't have any files hidden or anything, and I found it in sys32; my PC froze, I had to do a hard reboot, and now I can't find it, but I'm sure some way or other it has hidden itself. I'll stop now, and I appreciate any help in fixing my PC. I was a Systems Analyst for an IT company for several years but have been out of the game for a while now, and obviously feel like a newbie now with how much PC stuff I just don't know or remember... Sad. Anyhow, thanks again!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:36 PM, on 3/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1} - c:\windows\system32\ewmwzkg.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\TEMP\1A.tmp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: dpodcztj - C:\WINDOWS\SYSTEM32\ewmwzkg.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 6892 bytes




--------------------------
Microsoft Windows Malicious Software Removal Tool v1.42, June 2008
Started On Mon Mar 30 19:44:01 2009

Extended Scan Results
----------------
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACgjnjfcif.dll (code 0x00000021 (33))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\Documents and Settings\All Users\Application Data\TaxCut\2007\cache\{0AF1CCE8-7A29-40E9-8049-0E1F8673969D}\TaxCut Georgia 2007.msi->(MSI Stream 35) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\All Users\Application Data\TaxCut\2007\cache\{A353070D-94F4-472C-85D4-FFB1109F55E1}\TaxCut 2007.msi->(MSI Stream 62) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\All Users\Application Data\TaxCut\2008\cache\{C7FCF908-7C2A-4120-AFA3-9870AB84CBBC}\TaxCut 2008.msi->(MSI Stream 62) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\1d9ba914.msp->(MSI Stream 70) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\1d9ba914.msp->(MSI Stream 130) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\1d9ba914.msp->(MSI Stream 209) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\1d9ba914.msp->(MSI Stream 210) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\1d9ba914.msp->(MSI Stream 213) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\1d9ba914.msp->(MSI Stream 217) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\1d9ba914.msp->(MSI Stream 219) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\30bb4d0f.msp->(MSI Stream 41) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\30bb4d0f.msp->(MSI Stream 79) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\30bb4d0f.msp->(MSI Stream 80) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\30bb4d0f.msp->(MSI Stream 143) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\30bb4d0f.msp->(MSI Stream 229) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\30bb4d0f.msp->(MSI Stream 231) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\32fa0c4.msp->(MSI Stream 17) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\32fa0c4.msp->(MSI Stream 33) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\457d065.msp->(MSI Stream 7) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\7e77245.msi->(MSI Stream 51) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\7e77704.msp->(MSI Stream 14) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\7e77af7.msp->(MSI Stream 14) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\7e77be2.msp->(MSI Stream 12) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\7e77dc7.msp->(MSI Stream 21) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\7e77f77.msp->(MSI Stream 14) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\7facb36.msi->(MSI Stream 48) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\f2484d.msi->(MSI Stream 51) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\f24e75.msp->(MSI Stream 19) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\f24e75.msp->(MSI Stream 76) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\f24e75.msp->(MSI Stream 77) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\f24e75.msp->(MSI Stream 84) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\WINDOWS\Installer\f24e75.msp->(MSI Stream 126) (code 0x0000000D (13))
No infection found as part of the extended scan

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 30 20:35:40 2009
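The HijackThis log in the post above can be triaged mechanically. The following is an added example, not HijackThis code and not from any post in this thread: a handful of rules run over the raw log lines that list the entries a removal helper would ask about first. The sample lines are a subset copied from the log above; the rules themselves (only userinit.exe may appear in the F2 UserInit value, a nameless O2 BHO living in system32, an O4 autostart pointing at a TEMP file, an O20 Winlogon Notify subkey whose name does not match its DLL, an O23 service with no vendor string or a missing binary) and the cross-reference of one DLL appearing under more than one hook are this example's own assumptions. The O20 name-mismatch rule is a heuristic and is labelled as such in its output.

```python
"""Triage rules for a HijackThis 2.0.2 log.

Added example for this thread; not HijackThis code and not from any post here.
SAMPLE_HJT_LOG is a subset of the log posted above; the rules are this
example's own assumptions, not anything HijackThis itself checks.
"""
import re
from collections import defaultdict

SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1} - c:\windows\system32\ewmwzkg.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\TEMP\1A.tmp
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: dpodcztj - C:\WINDOWS\SYSTEM32\ewmwzkg.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r".*: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
TRAILING_DLL_RE = re.compile(r"([^\s\\/]+\.dll)\s*$", re.I)


def check_userinit(body):
    """F2: UserInit must name only userinit.exe; anything else runs at every logon."""
    if "UserInit=" not in body:
        return None
    exes = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
    extra = [p for p in exes if not p.lower().endswith("\\userinit.exe")]
    return f"UserInit chains extra executables at logon: {', '.join(extra)}" if extra else None


def check_bho(body):
    """O2: a nameless BHO living directly in system32 is a classic injection point."""
    parts = [x.strip() for x in body[len("BHO:"):].split(" - ", 2)]
    if len(parts) < 3:
        return None
    name, _clsid, path = parts
    if name == "(no name)" and "\\windows\\system32\\" in path.lower():
        return f"nameless BHO loaded from system32: {path}"
    return None


def check_run(body):
    """O4: autostarts pointing into a TEMP folder or at a .tmp file."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd")
    if "\\temp\\" in cmd.lower() or cmd.lower().endswith(".tmp"):
        return f"Run key [{m.group('key')}] starts a temp file: {cmd}"
    return None


def check_winlogon_notify(body):
    """O20 (heuristic): the notify subkey name normally matches its DLL's base name."""
    parts = [x.strip() for x in body[len("Winlogon Notify:"):].split(" - ", 1)]
    if len(parts) < 2:
        return None
    key, path = parts
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if key.lower() != base.lower():
        return f"Winlogon Notify key '{key}' does not match its DLL {path} (heuristic)"
    return None


def check_service(body):
    """O23: unknown vendor, missing binary, or a path that is not an executable."""
    parts = body[len("Service:"):].strip().split(" - ", 2)
    if len(parts) < 3:
        return None
    display, owner, path = parts
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("no vendor string")
    if "(file missing)" in path:
        reasons.append("binary missing")
    if not re.search(r"\.(exe|dll|sys)\b", path, re.I):
        reasons.append("path has no executable extension")
    return f"service {display}: {'; '.join(reasons)}" if reasons else None


CHECKS = {"F2": check_userinit, "O2": check_bho, "O4": check_run,
          "O20": check_winlogon_notify, "O23": check_service}


def triage(log_text):
    """Return [(section, finding), ...]: per-line rules first, then cross-references."""
    findings = []
    dll_hooks = defaultdict(set)  # dll basename -> sections that load it
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        msg = CHECKS[sec](body) if sec in CHECKS else None
        if msg:
            findings.append((sec, msg))
        d = TRAILING_DLL_RE.search(body)
        if d:
            dll_hooks[d.group(1).lower()].add(sec)
    # One DLL registered both as a BHO and as a Winlogon Notify handler is double
    # persistence: winlogon loads it before any browser, and IE loads it again.
    for dll, secs in sorted(dll_hooks.items()):
        if len(secs) > 1:
            findings.append(("XREF", f"{dll} is loaded from more than one hook: {', '.join(sorted(secs))}"))
    return findings


if __name__ == "__main__":
    for sec, msg in triage(SAMPLE_HJT_LOG):
        print(f"{sec:5s} {msg}")
```

The cross-reference is the part worth keeping even if the per-line rules are tuned: an entry that looks harmless on its own (a Winlogon Notify DLL with an odd key name) reads very differently once the same DLL also turns up as a nameless BHO, which is exactly the pattern in the log above.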

pskelley
2009-03-31, 12:04
We will give combofix a try first, please follow the directions carefully.

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

asheatl26
2009-04-02, 21:06
I really appreciate all your help with this! I had to just uninstall Spybot completely, as it wouldn't open. At first I couldn't get Combofix.exe to open either...

I tried to delete ewmwzkg.dll and couldn't. I went to regedit and tried to delete the BHO value; couldn't do it. I tried to unregister the .dll, thinking maybe I could delete it afterwards, and it wouldn't let me... Then I went back to combofix.exe, renamed it to combofix1.exe, and it was able to run. Whatever infected my PC blocked certain programs from running. It blocked my system restore too; hopefully that is fixed now. Below is the log from ComboFix, and following that is my HijackThis log. Looks like it still couldn't delete that BHO... Let me know if you know any other ways to get rid of it. Or should I now try to install Spybot and run it? Maybe it won't be blocked?

Thanks again for everything!!!
ashe

ComboFix 09-04-01.01 - ashe 2009-04-02 14:44:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.725 [GMT -5:00]
Running from: c:\documents and settings\ashe\Desktop\ComboFix1.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
c:\documents and settings\ashe\Local Settings\Temporary Internet Files\cusito.sys
c:\documents and settings\ashe\Local Settings\Temporary Internet Files\ezesec.sys
c:\documents and settings\ashe\Local Settings\Temporary Internet Files\fypykuno.ban
c:\documents and settings\ashe\Local Settings\Temporary Internet Files\levyrir.dl
c:\documents and settings\ashe\Local Settings\Temporary Internet Files\syqinifaw.com
c:\documents and settings\ashe\Local Settings\Temporary Internet Files\yhitubydok.bat
c:\windows\cookies.ini
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\system32\_scui.cpl
c:\windows\system32\AutoRun.inf
c:\windows\system32\cjvyrgrh.ini
c:\windows\system32\dhhlcbqf.ini
c:\windows\system32\drivers\UACabxcigeb.sys
c:\windows\system32\edeeg.ini
c:\windows\system32\edeeg.ini2
c:\windows\system32\egjlm.bak1
c:\windows\system32\egjlm.ini
c:\windows\system32\ejrcoxov.ini
c:\windows\system32\fueanaej.ini
c:\windows\system32\gcnhxjaa.ini
c:\windows\system32\hnubgcxj.ini
c:\windows\system32\hqljwhjy.dllbox
c:\windows\system32\ihxyavcp.ini
c:\windows\system32\ijkmp.bak1
c:\windows\system32\ijkmp.ini
c:\windows\system32\jsaxocfi.ini
c:\windows\system32\kjkmp.bak1
c:\windows\system32\kvccdhfa.ini
c:\windows\system32\lnqcluow.dllbox
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\mcrh.tmp
c:\windows\system32\oeggglfr.ini
c:\windows\system32\pac.txt
c:\windows\system32\pclchhnf.ini
c:\windows\system32\qeiqujye.ini
c:\windows\system32\qlculodh.ini
c:\windows\system32\qrutv.bak1
c:\windows\system32\qrutv.ini
c:\windows\system32\royrgifv.ini
c:\windows\system32\rrqss.ini
c:\windows\system32\rrqss.ini2
c:\windows\system32\sdra64.exe
c:\windows\system32\ststv.ini2
c:\windows\system32\tpyurycf.dllbox
c:\windows\system32\ttutv.bak1
c:\windows\system32\ttutv.bak2
c:\windows\system32\ttutv.ini
c:\windows\system32\tuvwanqp.ini
c:\windows\system32\UACdoevxefr.log
c:\windows\system32\UACeyudhbsu.log
c:\windows\system32\UACgjnjfcif.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjdlwkdys.dat
c:\windows\system32\UACrqdwfthr.dll
c:\windows\system32\UACrxftmtpe.dll
c:\windows\system32\UACshbaqbyu.dll
c:\windows\system32\UACtnquxlqr.dll
c:\windows\system32\UACyvabhkmd.log
c:\windows\system32\vhnteaul.ini
c:\windows\system32\x64
c:\windows\system32\xbadd.bak1
c:\windows\system32\xbadd.ini
c:\windows\system32\ybadd.ini2
c:\windows\Tasks\At1.job
c:\windows\system32\ewmwzkg.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_DOMAINSERVICE
-------\Legacy_MSCONTROLSERVICE
-------\Legacy_RUXSMKKF
-------\Legacy_R_SERVER
-------\Service_MSControlService
-------\Service_r_server
-------\Service_ruxsmkkf


((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-02 09:12 . 2009-04-02 09:12 <DIR> d-------- c:\documents and settings\ashe\Application Data\kxtinfbn
2009-03-30 19:41 . 2009-03-30 19:41 <DIR> d-------- c:\program files\Trend Micro
2009-03-25 07:09 . 2009-03-25 16:40 <DIR> d-------- c:\program files\WinPcap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 18:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-02 17:26 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2009-04-02 17:26 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-02 17:25 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-03-06 02:14 --------- d-----w c:\program files\TaxCut08
2009-02-04 05:30 --------- d-----w c:\documents and settings\ashe\Application Data\TaxCut
2009-02-04 05:29 --------- d-----w c:\documents and settings\All Users\Application Data\TaxCut
2009-02-03 17:53 --------- d-----w c:\program files\Hewlett-Packard
2009-02-03 17:53 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-02-03 17:53 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-02-03 17:52 --------- d-----w c:\program files\HP
2008-10-17 04:27 19,757 ----a-w c:\documents and settings\All Users\Application Data\oxeza.bin
2008-10-17 04:27 18,603 ----a-w c:\documents and settings\ashe\Application Data\qigiz.dll
2008-10-17 04:27 18,202 ----a-w c:\documents and settings\All Users\Application Data\yhetetarig.scr
2008-10-15 22:44 14,161 ----a-w c:\documents and settings\All Users\Application Data\uhiteji.pif
2008-04-27 19:10 40,936 ----a-w c:\documents and settings\ashe\Application Data\GDIPFONTCACHEV1.DAT
2008-04-10 20:16 128 ----a-w c:\documents and settings\Guest\Application Data\wklnhst.dat
2008-03-13 04:16 148 ----a-w c:\documents and settings\Big Rod\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1}]
2009-04-02 14:45 104960 --a------ c:\windows\system32\ewmwzkg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-11 101136]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-11 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-05-11 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2007-05-11 679936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-02-20 13:57 65536 c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 kilzlhdl;kilzlhdl;c:\windows\system32\drivers\kilzlhdl.sys [2004-08-10 23424]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Logitech BT Wizard - LBTWiz.exe
ShellExecuteHooks-{BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 14:49:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\program files\SetPoint\LBTWiz.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-02 14:51:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 19:51:06

Pre-Run: 221,863,227,392 bytes free
Post-Run: 222,844,608,512 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

219 --- E O F --- 2009-03-26 08:00:53
-----------------------HIJACKTHIS LOG NEXT----------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03, on 2009-04-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1} - c:\windows\system32\ewmwzkg.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe

--
End of file - 4848 bytes
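The ComboFix registry dump and HijackThis log above carry several settings a responder reads first: Security Center notifications for antivirus and updates switched off, the XP firewall disabled in the standard profile, an AutoRun handler on a mounted drive, and a BHO with no name pointing at a DLL in system32. As an added example that is not part of this thread or of either tool, the Python script below parses sample lines copied from these two logs and flags those conditions. The parsing and the rule names are my own assumptions about a useful triage pass, not ComboFix or HijackThis functionality.

```python
"""Added triage example: extract the security-relevant settings from a
ComboFix registry dump and a HijackThis log.  Sample lines are copied from
the logs posted in this thread; parser and rule names are assumptions."""
import re

# Constructed sample: a subset of the ComboFix registry section from the thread.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1}]
2009-04-02 14:45 104960 --a------ c:\windows\system32\ewmwzkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
"""

# Constructed sample: two HijackThis lines from the thread (one unnamed BHO, one named toolbar).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1} - c:\windows\system32\ewmwzkg.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=value


def parse_combofix_registry(text):
    """Return {key: {"values": {name: raw_value}, "data": [other lines]}}.
    Lines that are neither a key header nor a "name"=value pair (file
    timestamps, autorun handlers) are kept verbatim under the current key."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {"values": {}, "data": []}
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current]["values"][m.group(1)] = m.group(2).strip()
        else:
            keys[current]["data"].append(line)
    return keys


def parse_hjt(text):
    """Return [(section, description)] for HijackThis 'O2 - ...' style lines."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^([ORF]\d+)\s+-\s+(.*)$", line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(combofix_text, hjt_text):
    """Return a list of (rule, detail) findings over both logs."""
    findings = []
    for key, entry in parse_combofix_registry(combofix_text).items():
        lk = key.lower()
        vals = entry["values"]
        if lk.endswith("security center"):
            # Malware commonly silences the "no antivirus / no updates" balloons.
            for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify"):
                if vals.get(name, "").endswith("00000001"):
                    findings.append(("security-center-notify-disabled", name))
        if "firewallpolicy" in lk and lk.endswith("standardprofile"):
            if vals.get("EnableFirewall", "").startswith("0"):
                findings.append(("firewall-disabled", key))
        if "mountpoints2" in lk:
            # A per-drive AutoRun handler is a classic removable-media persistence point.
            for d in entry["data"]:
                if "autorun" in d.lower():
                    findings.append(("drive-autorun-handler", d))
    for section, desc in parse_hjt(hjt_text):
        if section == "O2" and desc.startswith("BHO: (no name)"):
            findings.append(("unnamed-bho", desc))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(COMBOFIX_SAMPLE, HJT_SAMPLE):
        print(f"{rule:32} {detail}")
```

Run against the sample it reports five findings: both Security Center notifications disabled, the firewall off, the D: AutoRun handler, and the unnamed BHO, which matches the items the helper targets in the CFScript that follows.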

pskelley
2009-04-02, 21:39
I had to just uninstall Spybot completely, as it wouldn't open. At first I couldn't get Combofix.exe to open either...
This junk does all it can to block the tools we use; don't be concerned about Spybot S&D at this point, it looks like it was downloaded infected anyway. Wait until I provide a link and instructions. Please follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


File::
c:\windows\system32\ewmwzkg.dll
c:\documents and settings\All Users\Application Data\oxeza.bin
c:\documents and settings\ashe\Application Data\qigiz.dll
c:\documents and settings\All Users\Application Data\yhetetarig.scr
c:\documents and settings\All Users\Application Data\uhiteji.pif

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Folder::
c:\documents and settings\ashe\Application Data\kxtinfbn

Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(may be gone)
O2 - BHO: (no name) - {6CB4D79D-4A29-4FCE-AD72-02355D2E1FA1} - c:\windows\system32\ewmwzkg.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running?

Thanks

pskelley
2009-04-08, 16:17
09-04-02, 15:39 <<< no response since?

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.