PDA

View Full Version : Help Please!



scottymore
2006-07-02, 17:31
Greetings and thank you in advance for any assistance you may provide!

System is:
HP Kayak (2x350mhz processors)
Win2000 w/ser pack 4

Issues:

1. Spy Bot took over 36 hours to scan. (example: stalled on 499/41728 - Baciami) (eventurally found 7 issues)

2. Spy Bot locks up when scanning Scanning Internals (registry issues?)

3. CCleaner locks up scanning for "Issues" (registry again?)

4. Ad-Aware Locks up when scanning "Deep Registry" (I was able to parcel out the scans with this tool - found 5 isssues)

Below is the HiJackThis log from moments ago! (please help!)

Logfile of HijackThis v1.99.1
Scan saved at 7:15:19 AM, on 7/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
D:\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Profiles\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scottperry.tv/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scottperry.tv
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Scott Perry Multimedia : Marketing Madman
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\acrobat5\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Picasa Media Detector] D:\picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [Eraser] D:\software\eraser57\Eraser\eraser.exe -hide
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\acrobat5\Distillr\AcroTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Desktop Manager.lnk = D:\DesktopMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\software\yahoo\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\software\yahoo\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel WUser Agent - Intel Corporation - C:\LDClient\wuser32.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: TMA Distribution - Unknown owner - C:\WINNT\system32\cba\lcfinst.exe

scottymore
2006-07-03, 19:02
Here is the Fixwareout report:


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\anhmd
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINNT\System32\CSWDW.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSWDW.EXE 51,232 2006-06-28
C:\WINNT\SYSTEM32\DMVMC.EXE 44,087 2003-06-19
C:\WINNT\SYSTEM32\DMOYM.EXE 44,087 2003-06-19
C:\WINNT\SYSTEM32\DMZJU.EXE 44,087 2003-06-19
C:\WINNT\SYSTEM32\DMWJW.EXE 44,087 2003-06-19
Other suspects
Directory of C:\WINNT\system32


Here is the latest Hijack This report:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:55 AM, on 7/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\LDClient\wuser32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mqsvc.exe
D:\picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
D:\software\eraser57\Eraser\eraser.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\acrobat5\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
D:\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scottperry.tv
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Scott Perry Multimedia : Marketing Madman
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\acrobat5\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Picasa Media Detector] D:\picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dmjzd.exe] C:\WINNT\system32\dmjzd.exe
O4 - HKCU\..\Run: [Eraser] D:\software\eraser57\Eraser\eraser.exe -hide
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\acrobat5\Distillr\AcroTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Desktop Manager.lnk = D:\DesktopMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\software\yahoo\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\software\yahoo\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel WUser Agent - Intel Corporation - C:\LDClient\wuser32.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: TMA Distribution - Unknown owner - C:\WINNT\system32\cba\lcfinst.exe

HJT Start up log:

StartupList report, 7/3/2006, 8:44:58 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HJT\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\LDClient\wuser32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mqsvc.exe
D:\picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
D:\software\eraser57\Eraser\eraser.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\acrobat5\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
D:\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S00MT2.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S00RN2.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Acrobat Assistant.lnk = D:\acrobat5\Distillr\AcroTray.exe
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
Desktop Manager.lnk = D:\DesktopMgr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
Picasa Media Detector = D:\picasa2\PicasaMediaDetector.exe
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
LMPDPSRV = C:\WINNT\system32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
MPFExe = C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
VSOCheckTask = "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online = C:\Program Files\McAfee.com\VSO\mcvsshld.exe
OASClnt = C:\Program Files\McAfee.com\VSO\oasclnt.exe
dmjzd.exe = C:\WINNT\system32\dmjzd.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Eraser = D:\software\eraser57\Eraser\eraser.exe -hide

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry key not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - d:\acrobat5\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = D:\OFFICE11\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINNT\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813

[Musicnotes Viewer]
InProcServer32 = C:\WINNT\Downloaded Program Files\mnviewer.dll
CODEBASE = http://www.musicnotes.com/download/mnviewer.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINNT\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[LSSupCtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\LSSupCtl.dll
CODEBASE = http://www.symantec.com/techsupp/asa/LSSupCtl.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[Malicious Software Removal Tool]
InProcServer32 = C:\WINNT\Downloaded Program Files\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab

[EPUImageControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\EPUWALcontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINNT\system32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

[Trend Micro ActiveX Scan Agent 6.5]
InProcServer32 = C:\WINNT\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[WScanCtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINNT\system32\McGDMgr.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\SymAData.dll
CODEBASE = http://www.symantec.com/techsupp/asa/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINNT\System32\webcheck.dll
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 8,865 bytes
Report generated in 0.297 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

LonnyRJones
2006-07-08, 17:25
Hello
Manualy delete these files, carefull of spelling please.
C:\WINNT\SYSTEM32\CSWDW.EXE
C:\WINNT\SYSTEM32\DMVMC.EXE
C:\WINNT\SYSTEM32\DMOYM.EXE
C:\WINNT\SYSTEM32\DMZJU.EXE
C:\WINNT\SYSTEM32\DMWJW.EXE

Open the c:\fixwareour folder and run FixIt.BAT, fallow the prompts, after the reboot post the report again, along with one more new hiajckthis log.

tashi
2006-07-12, 10:09
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.