Help please....Spyware has taken over!

H

hillcountry

New member
From what I have read in the forum I need to get HJT and or something else installed to diagnose the problem. I need help getting HJT and or something installed so that I can hopefully get my system back. I am unable to run the installer for HJT, when I double click on it, I get the hour glass like it's starting but then a dialog box pops up saying "spyware has been detected in my system click here to install "...(this is one of three or four different messages) and the install program just "stops" (never actually gets started that I can tell)

All assistance appreciated.
 
Hello Hillcountry :)

I will help you get cleaned up. :cool:

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not
    malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.
 
Requested DSS files

First of all THANKS for your help!!! :)

There appears to be some sort of app running that I cannot shutdown. I have a constant message on my screen basically stating spyware has been detected, with several more lines of intimadating text, ending with a line of click here to scan your system for spyware. I keep getting popups that look like "windows security" also wanting me to scan my system, among others that just do not stop.

Main TXT

Deckard's System Scanner v20071014.68
Run by Kathy on 2008-06-30 15:09:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-06-30 20:09:38 UTC - RP1785 - Deckard's System Scanner Restore Point
76: 2008-06-30 19:49:51 UTC - RP1784 - pre DSS install
75: 2008-06-30 19:33:43 UTC - RP1783 - System Checkpoint
74: 2008-06-29 17:45:48 UTC - RP1782 - Last known good configuration
73: 2008-06-29 17:12:56 UTC - RP1781 - Installed AVG Free 8.0


-- First Restore Point --
1: 2008-04-18 11:26:44 UTC - RP1709 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-30 15:12:07
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\SYSTEM32\cisvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\444.470
C:\WINDOWS\portsv.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\uoyzsydz.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\hpwuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\WINDOWS\mrofinu72.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\SYSTEM32\tcntaxdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\??crosoft.NET\regsvr32.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Documents and Settings\Kathy\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.yahoo.com/video/play?vid=337678&fr=yvmtf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O1 - Hosts: 127.127.127.127 elite
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {11A7A749-0381-4AE2-940B-27EC006D6006} - C:\WINDOWS\SYSTEM32\jkkKDurS.dll
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {43EA6D2A-33A6-4C1E-B704-CDAF5F60377A} - C:\WINDOWS\SYSTEM32\nnnllKDs.dll
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {8D67B81A-7D8B-5974-AA3A-7AA2909D429A} - C:\WINDOWS\system32\gcuoxe.dll (file missing)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{5E-E8-8B-BF-DW}] C:\windows\system32\rwwnw64d.exe DWram1
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdm.exe DWram1
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\actxprxyf.exe
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\actxprxyf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\CROSOF~1.NET\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\actxprxyf.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\actxprxyf.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\tcntaxdm.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\SYSTEM32\nwprovau.dll
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {00000161-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/msaudio.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} () - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O20 - Winlogon Notify: jkkKDurS - C:\WINDOWS\system32\jkkKDurS.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZiBTZWF0b24\command.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe service
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\SYSTEM32\NMSSvc.Exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe


--
End of file - 11154 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SYMC8100 - c:\windows\system32\drivers\symc8100.sys

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 jatmlano - c:\docume~1\jeffse~1\locals~1\temp\jatmlano.sys (file missing)
S3 MA311 (NETGEAR Wireless LAN Driver) - c:\windows\system32\drivers\ma311n51.sys <Not Verified; NETGEAR; MA311 PCI adapter>
S3 MTK (Media Technology Kernel Driver) - c:\windows\system32\drivers\fide.sys <Not Verified; MediaTek Corporation; MTK (R) Driver for Window 2000>
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel(R) NMSCFG Driver>
S3 ProtoWall (ProtoWall Defender) - c:\windows\system32\drivers\protowall.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\444.470 service
R2 PlugPlayRPC (Plug and Play (RPC)) - c:\windows\portsv.exe service

S2 cmdService (Command Service) - c:\windows\smvmzibtzwf0b24\command.exe (file missing)
S2 Network Monitor - c:\program files\network monitor\netmon.exe service (file missing)
S3 NMSSvc (Intel(R) NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NETGEAR MA311 PCI Adapter
Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_41051385&REV_01\4&3B1CAF2B&0&00F0
Manufacturer: NETGEAR
Name: NETGEAR MA311 PCI Adapter
PNP Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_41051385&REV_01\4&3B1CAF2B&0&00F0
Service: MA311


-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 14:41:12 200774 --a------ C:\WINDOWS\system32\tcntaxdm.exe
2008-06-29 16:39:09 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-29 16:39:09 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-29 16:39:09 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-29 16:39:09 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-29 16:39:09 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-29 16:39:09 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-29 16:39:09 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-29 16:39:09 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-29 16:39:09 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-29 16:39:09 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-29 16:39:09 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-29 16:39:09 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-29 16:39:09 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-29 16:39:09 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-29 16:39:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-29 16:39:08 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-29 12:45:21 676 --ahs---- C:\WINDOWS\system32\sDKllnnn.ini2
2008-06-29 12:45:17 314784 --a------ C:\WINDOWS\system32\nnnllKDs.dll
2008-06-29 12:40:10 25504 --a------ C:\WINDOWS\system32\jkkKDurS.dll
2008-06-29 12:29:20 0 d--h----- C:\$AVG8.VAULT$
2008-06-29 12:13:21 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-29 12:13:20 0 d-------- C:\Documents and Settings\Kathy\Application Data\AVGTOOLBAR
2008-06-29 12:12:59 0 d-------- C:\Program Files\AVG
2008-06-29 12:12:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-29 11:28:13 0 d-------- C:\WINDOWS\system32\8608
2008-06-29 11:28:12 55808 --a------ C:\WINDOWS\portsv.exe
2008-06-29 11:24:53 200774 --a------ C:\WINDOWS\system32\xx_tcntaxdm.exe
2008-06-29 10:49:30 25344 --a------ C:\WINDOWS\y.exe
2008-06-29 10:49:29 21760 --a------ C:\WINDOWS\xplugin.dll
2008-06-29 10:49:29 15616 --a------ C:\WINDOWS\x.exe
2008-06-29 10:49:29 18176 --a------ C:\WINDOWS\winmgnt.exe
2008-06-29 10:49:29 20480 --a------ C:\WINDOWS\window.exe
2008-06-29 10:49:29 22272 --a------ C:\WINDOWS\winajbm.dll
2008-06-29 10:49:28 11008 --a------ C:\WINDOWS\win64.exe
2008-06-29 10:49:28 8448 --a------ C:\WINDOWS\win32e.exe
2008-06-29 10:49:28 8704 --a------ C:\WINDOWS\waol.exe
2008-06-29 10:49:28 18176 --a------ C:\WINDOWS\users32.exe
2008-06-29 10:49:28 9984 --a------ C:\WINDOWS\time.exe
2008-06-29 10:49:28 16384 --a------ C:\WINDOWS\systemcritical.exe
2008-06-29 10:49:28 8704 --a------ C:\WINDOWS\systeem.exe
2008-06-29 10:49:28 19456 --a------ C:\WINDOWS\svcinit.exe
2008-06-29 10:49:28 19968 --a------ C:\WINDOWS\svchost32.exe
2008-06-29 10:49:28 31488 --a------ C:\WINDOWS\sistem.exe
2008-06-29 10:49:27 23552 --a------ C:\WINDOWS\searchword.dll
2008-06-29 10:49:27 24832 --a------ C:\WINDOWS\rundll16.exe
2008-06-29 10:49:27 20736 --a------ C:\WINDOWS\quicken.exe
2008-06-29 10:49:27 19712 --a------ C:\WINDOWS\qttasks.exe
2008-06-29 10:49:26 28160 --a------ C:\WINDOWS\olehelp.exe
2008-06-29 10:49:26 18944 --a------ C:\WINDOWS\notepad32.exe
2008-06-29 10:49:26 11520 --a------ C:\WINDOWS\mtwirl32.dll
2008-06-29 10:49:26 16384 --a------ C:\WINDOWS\mswsc20.dll
2008-06-29 10:49:26 22784 --a------ C:\WINDOWS\mswsc10.dll
2008-06-29 10:49:26 8704 --a------ C:\WINDOWS\msupdate.exe
2008-06-29 10:49:26 25088 --a------ C:\WINDOWS\mssys.exe
2008-06-29 10:49:25 15872 --a------ C:\WINDOWS\msspi.dll
2008-06-29 10:49:25 28160 --a------ C:\WINDOWS\msconfd.dll
2008-06-29 10:49:25 24320 --a------ C:\WINDOWS\loader.exe
2008-06-29 10:49:25 32768 --a------ C:\WINDOWS\internet.exe
2008-06-29 10:49:24 32256 --a------ C:\WINDOWS\inetinf.exe
2008-06-29 10:49:24 25600 --a------ C:\WINDOWS\iexplorer.exe
2008-06-29 10:49:24 28416 --a------ C:\WINDOWS\iedll.exe
2008-06-29 10:49:23 27648 --a------ C:\WINDOWS\helpcvs.exe
2008-06-29 10:49:23 8448 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-29 10:49:23 9216 --a------ C:\WINDOWS\funny.exe
2008-06-29 10:49:23 25856 --a------ C:\WINDOWS\funniest.exe
2008-06-29 10:49:23 15360 --a------ C:\WINDOWS\explorer32.exe
2008-06-29 10:49:23 17664 --a------ C:\WINDOWS\explore.exe
2008-06-29 10:49:23 11776 --a------ C:\WINDOWS\editpad.exe
2008-06-29 10:49:23 25856 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-29 10:49:22 19712 --a------ C:\WINDOWS\directx32.exe
2008-06-29 10:49:22 29184 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-29 10:49:22 12032 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-29 10:49:22 15872 --a------ C:\WINDOWS\cpan.dll
2008-06-29 10:49:22 16896 --a------ C:\WINDOWS\clrssn.exe
2008-06-29 10:49:22 18432 --a------ C:\WINDOWS\avpcc.dll
2008-06-29 10:49:22 9728 --a------ C:\WINDOWS\accesss.exe
2008-06-29 10:27:54 848 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-06-29 10:27:50 0 d-------- C:\Program Files\Outerinfo
2008-06-29 10:27:50 0 d-------- C:\Program Files\F?nts
2008-06-29 10:27:47 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-06-29 10:27:47 41984 --a------ C:\WINDOWS\mrofinu72.exe
2008-06-29 10:27:37 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-06-29 10:27:34 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-06-29 10:27:34 0 d--hs---- C:\WINDOWS\SmVmZiBTZWF0b24
2008-06-29 10:27:34 0 d-------- C:\Program Files\Network Monitor
2008-06-29 10:27:31 49159 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-06-29 10:27:27 41984 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-06-29 10:27:21 86144 --a------ C:\WINDOWS\system32\drivers\SYMC8100.sys
2008-06-29 10:27:16 0 d-------- C:\WINDOWS\system32\eb10
2008-06-29 10:27:16 0 d-------- C:\WINDOWS\system32\bgi
2008-06-29 10:27:16 0 d-------- C:\WINDOWS\system32\axc
2008-06-29 10:27:16 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-06-29 10:27:15 0 d-------- C:\WINDOWS\system32\1049a
2008-06-29 10:27:14 0 d-------- C:\WINDOWS\??crosoft.NET
2008-06-29 10:27:12 0 d-------- C:\WINDOWS\system32\netrax06
2008-06-29 10:27:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-29 10:26:57 0 d-------- C:\Program Files\webHancer
2008-06-29 10:26:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-06-29 10:26:53 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-29 10:26:50 88025 --a------ C:\WINDOWS\system32\uoyzsydz.exe <Not Verified; Microsoft; XML Media>
2008-06-29 10:26:50 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-29 10:26:50 88025 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-06-27 22:33:16 210123 --a------ C:\WINDOWS\system32\000060.exe
2008-06-27 15:36:06 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-29 12:40:57 0 d-------- C:\Program Files\F?nts
2008-06-29 12:08:09 0 d-------- C:\Program Files\Common Files
2008-06-23 14:59:58 0 d-------- C:\Documents and Settings\Kathy\Application Data\Mozilla
2008-06-16 08:25:18 0 d-------- C:\Documents and Settings\Kathy\Application Data\Juniper Networks
2008-05-05 22:08:00 0 d-------- C:\Documents and Settings\Kathy\Application Data\U3


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11A7A749-0381-4AE2-940B-27EC006D6006}]
06/29/2008 12:40 PM 25504 --a------ C:\WINDOWS\system32\jkkKDurS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43EA6D2A-33A6-4C1E-B704-CDAF5F60377A}]
06/29/2008 12:45 PM 314784 --a------ C:\WINDOWS\system32\nnnllKDs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D67B81A-7D8B-5974-AA3A-7AA2909D429A}]
C:\WINDOWS\system32\gcuoxe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/29/2008 12:13 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/29/2008 12:13 PM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/27/2004 10:05 PM]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [09/03/2002 08:38 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/02/2005 02:34 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/25/2004 02:52 PM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [08/04/2003 05:28 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 03:18 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/15/2007 12:27 PM]
"{5E-E8-8B-BF-DW}"="C:\windows\system32\rwwnw64d.exe" [06/29/2008 10:27 AM]
"runner1"="C:\WINDOWS\mrofinu72.exe" [06/29/2008 10:27 AM]
"ExploreUpdSched"="C:\WINDOWS\system32\tcntaxdm.exe" [06/30/2008 02:41 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/29/2008 12:13 PM]
"IEUpdate"="C:\WINDOWS\system32\actxprxyf.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"Aida"="C:\WINDOWS\CROSOF~1.NET\regsvr32.exe" [06/29/2008 10:27 AM]
"IEUpdate"="C:\WINDOWS\system32\actxprxyf.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"IEUpdate"=C:\WINDOWS\system32\actxprxyf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"IEUpdate"=C:\WINDOWS\system32\actxprxyf.exe

C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\SYSTEM32\tcntaxdm.exe [6/30/2008 2:41:12 PM]
DESKTOP.INI [9/3/2002 10:00:00 AM]
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [6/22/2006 2:15:48 PM]
DW_Start.lnk - C:\WINDOWS\SYSTEM32\rwwnw64d.exe [6/29/2008 10:27:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/18/2003 2:16:11 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 5:19:24 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11A7A749-0381-4AE2-940B-27EC006D6006}"= C:\WINDOWS\system32\jkkKDurS.dll [06/29/2008 12:40 PM 25504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKDurS]
jkkKDurS.dll 06/29/2008 12:40 PM 25504 C:\WINDOWS\SYSTEM32\jkkKDurS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 12/21/2001 12:34 AM 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnllKDs
"IEUpdate"= C:\WINDOWS\system32\actxprxyf.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

127.127.127.127 elite


-- End of Deckard's System Scanner: finished at 2008-06-30 15:15:06 ------------




Extra TXT

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.53GHz
Percentage of Memory in Use: 84%
Physical Memory (total/avail): 511 MiB / 76.79 MiB
Pagefile Memory (total/avail): 1504.38 MiB / 1118.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.76 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.84 GiB total, 43.19 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD600BB-75CAA0 - 55.87 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 55.84 GiB - C:

\\.\PHYSICALDRIVE1 - HP psc 2410 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Kathy\Application Data
CLASSPATH="C:\WINDOWS\system32\QTJava.zip"
COLLECTIONID=COL6400
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GALVESTON
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Kathy
ITEMID=ps-19683-3
LANG=1033
LOGONSERVER=\\GALVESTON
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPH
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA="C:\WINDOWS\system32\QTJava.zip"
SESSIONID=1187620507847htx6056.cce.hp.com64eb31:11483b28aff:19ee
SESSIONNAME=Console
SWUTVER=1.0.22.20030804
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Kathy\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Kathy\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\HP\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\JEFFSE~1\LOCALS~1\Temp\rad44F4F.tmp
USERDOMAIN=GALVESTON
USERNAME=Kathy
USERPROFILE=C:\Documents and Settings\Kathy
VERSION=3.5.0
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jeff Seaton (admin)
Kathy (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45893FEB-30FD-4034-8661-3BA4238FE67A}\SETUP.EXE" -l0x9 -uninst -y -a -f"b2003ce.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Aspi Installer --> C:\Temp\UNWISE.EXE C:\Temp\INSTALL.LOG
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
Britannica Ready Reference --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45893FEB-30FD-4034-8661-3BA4238FE67A}\SETUP.EXE" -l0x9 -uninst
Command --> wscript "C:\WINDOWS\SmVmZiBTZWF0b24\mApAt21ntqIXvZb.vbs"
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DING! --> MsiExec.exe /X{84031A18-BA9A-4156-A74F-E05B52DDFCE2}
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Pro Codec Adware --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Pro Codec Adware\UninstalDivXProCodecAdware.log
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
HP Unload DLL Patch --> MsiExec.exe /X{595D0DE8-C38A-4432-B851-47DECC1A99BD}
Intel RSX 3D --> C:\WINDOWS\System32\rsxunins.exe
Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
Intel(R) PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Juniper Networks Network Connect 5.5.0 --> "C:\Program Files\Juniper Networks\Network Connect 5.5.0\uninstall.exe"
Juniper Networks Network Connect 6.0.0 --> "C:\Program Files\Juniper Networks\Network Connect 6.0.0\uninstall.exe"
LogonStudio --> C:\PROGRA~1\WINCUS~1\LOGONS~1\UNWISE.EXE C:\PROGRA~1\WINCUS~1\LOGONS~1\INSTALL.LOG
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
nas_screensaver Screen Saver --> C:\WINDOWS\nas_screensaver.scr /u
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Star Wars®: Knights of the Old Republic (TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}\setup.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WindowBlinds --> C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\INSTALL.LOG
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type12444 / Error
Event Submitted/Written: 06/29/2008 03:03:52 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 796831275.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type12443 / Error
Event Submitted/Written: 06/29/2008 03:03:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00002abb.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type12442 / Error
Event Submitted/Written: 06/29/2008 02:14:51 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 796831275.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type12441 / Error
Event Submitted/Written: 06/29/2008 02:14:45 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00002abb.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type12430 / Error
Event Submitted/Written: 06/29/2008 11:59:14 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29034 / Error
Event Submitted/Written: 06/30/2008 02:18:56 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep

Event Record #/Type29033 / Error
Event Submitted/Written: 06/30/2008 02:18:47 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Network Monitor service failed to start due to the following error:
%%2

Event Record #/Type29032 / Error
Event Submitted/Written: 06/30/2008 02:18:25 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.103 for the Network Card with network address 0007E9EC822A has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type29028 / Error
Event Submitted/Written: 06/29/2008 07:19:35 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type29027 / Error
Event Submitted/Written: 06/29/2008 04:54:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2008-06-30 15:15:06 ------------
 
Hello :)

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Now please try install HijackThis. After install, please run HijackThis, choose Do system scan and save logfile. Post the log and combofix log back here :)
 
Last edited:
It will not load...http://forums.spybot.info/images/smilies/sad.gif

Thanks again for your ongoing assistance!!!!!!

I am having to work between 2 computers. I cannot get to this forum on the infected computer. On the infected system I can open an IE window but it will not allow me to get to many sites. If I try to get to this forum or any of the "bleepingcomputer" links you sent, I get the msg that IE has encountered a problem and needs to shut down or the "IE cannot display the webpage" msg.

Before I got started in this forum I managed to get AVG 8.0 to load on the infected system by downloading the install file on this system and then copying it to the infected system desktop. During the install of AVG I got an error message that I needed to close two items 1) an explorer window and 2) a blank html page. I cannot find a way to get to and close the blank page. I believe it is still open. If I try to open Task manager, I get an error message that it has been disabled by the administrator.

I tried the same process of downloading ComboFix and copying it to the infected system. When I double click on ComboFix.exe on the infected system nothing happens...........the CF icon is selected/highlighted, I momentarily get the hourglass/arrow cursor, one of several different popups displays and the highlight on the CF icon returns to normal (unselected).

The same thing happens if I try to launch firefox, or HJT ...selected, cursor, popup, unselected.

I was very surprised, earlier, when DSS loaded and ran.

Any suggestions to close whatever is running??

The system has been rebooted a couple of times......takes about 5 mins for the blinking cursor at the top of the screen to disappear and the windows loading page to show up.

Thanks again for your assistance.
 
Hello :)

Let's try Combofix /killall <-- This will kill all process (including services) except system critical processes.

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
 
kill all ........ dies??

Hi Baabiouz,

Again Thanks for your continuing efforts!!!!!!!:)

Since I am working on two different computers I manually typed the following into the command line of the run window:

"%userprofile%\desktop\combofix.exe" /killall

Including the quotation marks.

I got the "Open File Security Warning" window regarding publisher cannot be verified. Are you sure you want to run this software. Then shows name of file "Combofix.exe with run or cancel buttons.

I click on run and get nothing...:sad:..........the popups continue...

Thanks again
 
If you didn't get Combofix running, please try Sdfix:

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe
 
same problem.....will not load

Hi again,

I opened an IE browser window on the infected computer gave me the error message ...cannot display page......when I went to download SDFix

I went back to an uninfected system, downloaded SDFix, copied across network to infected computer desktop.........checked, file is there with size of 1.37 mb.........

double clicked on SDFix.exe...........got the same song and dance.........

sdfix.exe icon selected/highlighted, arrow/hourglass cursor, popup, icon unselected ........nothing happens I even went to My Computer looked in the desktop ....no new files extracted.

I even tried to go to cmd, got to the desktop dir, tried to run sdfix.exe there nothing


The command prompt window seems to display and allow me to move around on the drive....find different directories, etc


However, Just an FYI, If I try to run TASK MANAGER I do get the error message: Task manager has been disabled by your administrator.

Again I appreciate your ongoing support and assistance!!!!!!:)
 
Hello

Step #1
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

Command
Network Monitor
Outerinfo
Viewpoint Media Player

Step #2
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code: 
    C:\WINDOWS\system32\tcntaxdm.exe
C:\WINDOWS\system32\sDKllnnn.ini2
C:\WINDOWS\system32\nnnllKDs.dll
C:\WINDOWS\system32\jkkKDurS.dll
C:\WINDOWS\system32\xx_tcntaxdm.exe
C:\WINDOWS\y.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\x.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\window.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\win64.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\time.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\sistem.exe
C:\WINDOWS\searchword.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\notepad32.exe
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mssys.exe
C:\WINDOWS\msspi.dll
C:\WINDOWS\msconfd.dll
C:\WINDOWS\loader.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\funny.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\editpad.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\avpcc.dll
C:\WINDOWS\accesss.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\drivers\SYMC8100.sys

C:\Program Files\Outerinfo
C:\Program Files\F?nts
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Network Monitor
C:\WINDOWS\SmVmZiBTZWF0b24
C:\WINDOWS\system32\eb10
C:\WINDOWS\system32\bgi
C:\WINDOWS\system32\axc
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\system32\1049a
C:\WINDOWS\??crosoft.NET
C:\WINDOWS\system32\netrax06
C:\WINDOWS\system32\uoyzsydz.exe 
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\lfn.exe 
C:\WINDOWS\system32\000060.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\WINDOWS\system32\actxprxyf.exe
C:\WINDOWS\444.470
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step #3
Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Step #4
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Acan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step #5
Please post OtMoveIt log, Mbam log back here :)
Please try install HjT and post the log.
 
Last edited:
Hello,

Step #1
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

Command attempt to remove....launches IE window URL: http://Command.adservs.com/uninstall.php
Network Monitor attempt to remove....Critical error msg.."An error occurred removing Network Monitor. Network Monitor has not been removed.
Outerinforemoved successfully
Viewpoint Media Playerremoved successfully

On top of that...........now instead of the popups I had been getting.......my normal desktop has been hijacked......changed to 640X480 16 colors........

and every about 15 seconds a blue screen of normal setting is overlayed on the desktop stating "A problem has been detected and windows has been shutdown to protect your computer." along with a whole screen of text and addresses. After appx 20 seconds this screen disappears...with a restarting...msg at the bottom back to the hijacked desktop and this repeats....

This just seems to be getting worse and worse..................

Thanks again for your tenacity in resolving this..........
 
????

Have I missed a reply somehow.........I am still in need of help.........I hope my comment regarding the situation getting worse wasn't misunderstood.......I appreciate your help and in no way meant to imply anything other than an observation of the situation.

Thanks again for your assistance!
 
Hello.

Let's try this first:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

CF_download_FF.gif



CF_download_rename.gif

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

If you can't run Combofix like that, please reboot your computer in Safe Mode and try run Combofix there. (have to go sleep now, seeya -->)
 
ComboFix

Hello again,

I downloaded CF from the geekstogo site.
saved it to my desktop as Combo-Fix.exe
transferred it across my network to the infected system
attempted to run it normally got a small box titled Combo-Fix with green bars at the bottom (like it was installing)

screen went blank
then a Error dialog box showed up stating "You cannot rename ComboFix as Combo-Fix. Please use another name, preferbaly made up of alphanumeric characters."

This is a letter for letter quote including the mis-spelling.

I re-booted to Safe Mode.

Went through the same process.......got the same error dialog message.

Another FYI, When I boot-up or re-boot the infected system from normal mode to safe or safe mode to normal it takes approximately 9 minutes.

I really appreciate your efforts in trying to get this problem resolved.
 
Hello

Please rename Combo-fix.exe to Country.exe and double-click to run. Please tell me if you got error again ;)
 
It ran!!!!!!!!! I have a log.txt file.........I just cannot get it to you. Something has now killed my network. When I try to copy and paste LOG.TXT to my uninfected computer via windows explorer.......I get an error msg saying the xxx(destination system) is not accessible.

I tried to copy the log to a floppy, but on the good computer I get an error msg saying the floppy is not formatted..........yet on the infected system the file shows on the floppy.

I tried to start over and format the floppy on the infected system........GUESS WHAT..........It will not let me format the floppy........go to my computer> A: Drive > right click > double click on format..........nothing........

Again, Thanks for your help!!!!!!!!!
 
I'm sorry ........I left that out.....

Yes I did format the floppy on the good computer, copy to floppy on bad system, tried to open file on good system........got error...floppy is not formatted.......
 
Finally............I just keep trying different floppies........

here is the log.txt........file


ComboFix 08-07-01.5 - Kathy 2008-07-03 12:19:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.230 [GMT -5:00]
Running from: C:\Documents and Settings\Kathy\Desktop\Contry.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kathy\Application Data\shcrblj0ea3r
C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\shcrblj0ea3r
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\SYMC8100.sys
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Application Data\rhcpblj0ea3r
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Documents and Settings\Kathy\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\Kathy\Application Data\rhcpblj0ea3r
C:\Documents and Settings\Kathy\Application Data\shcrblj0ea3r
C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\comet systems
C:\Program Files\comet systems\DM\activeJobs.xml
C:\Program Files\comet systems\DM\completedJobs.xml
C:\Program Files\comet systems\DM\jobIndex.xml
C:\Program Files\comet systems\DM\pendingJobs.xml
C:\Program Files\comet systems\DM\productInfo.xml
C:\Program Files\comet systems\DM\request.xml
C:\Program Files\comet systems\DM\response.xml
C:\Program Files\fnts~1
C:\Program Files\FunWebProducts
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\444.470
C:\WINDOWS\444.471
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\b152.exe
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\??crosoft.NET\
C:\WINDOWS\crosof~1.net\regsvr32.exe
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\hosts
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\SmVmZiBTZWF0b24\
C:\WINDOWS\SmVmZiBTZWF0b24\\mApAt21ntqIXvZb.vbs
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\SYSTEM32\000060.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\blphctblj0ea3r.scr
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\lphctblj0ea3r.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\nnnllKDs.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\phctblj0ea3r.bmp
C:\WINDOWS\system32\pphctblj0ea3r.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\SYSTEM32\sDKllnnn.ini
C:\WINDOWS\SYSTEM32\sDKllnnn.ini2
C:\WINDOWS\system32\spywarewarning.mht
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\tcntaxdm.exe
C:\WINDOWS\system32\tcntstdm.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Legacy_SYMC8100
-------\Legacy_TNIDRIVER
-------\Service_cmdService
-------\Service_MsSecurity1.209.4
-------\Service_Network Monitor
-------\Service_SYMC8100
-------\Service_sysrest.sys
-------\Legacy_PlugPlayRPC
-------\Service_PlugPlayRPC
-------\Legacy_CLBDRIVER
-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Legacy_SYMC8100
-------\Legacy_TNIDRIVER
-------\Service_cmdService
-------\Service_MsSecurity1.209.4
-------\Service_Network Monitor
-------\Service_SYMC8100
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-07-03 12:47 . 2008-07-03 12:48 1,862 --a------ C:\WINDOWS\default.htm
2008-07-03 11:47 . 2008-07-03 12:16 <DIR> d-------- C:\Country
2008-07-03 10:27 . 2008-07-03 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-02 14:53 . 2008-07-02 14:53 <DIR> d-------- C:\Combo-Fix
2008-07-01 23:41 . 2008-07-01 23:41 <DIR> d-------- C:\Program Files\xx_mjc
2008-07-01 23:40 . 2008-07-01 23:40 49,164 --a------ C:\WINDOWS\SYSTEM32\rswnw64l.exe
2008-07-01 02:45 . 2008-07-01 23:41 94,208 --a------ C:\WINDOWS\SYSTEM32\11.tmp
2008-06-30 22:17 . 2008-06-30 22:17 13,942 --a------ C:\WINDOWS\SYSTEM32\iphone-011.ico
2008-06-30 20:41 . 2008-06-30 20:41 63,902 --a------ C:\WINDOWS\SYSTEM32\{58c2a5a9-2e8f-6f69-4e92-e40944b64c1b}.dll-uninst.exe
2008-06-30 18:17 . 2008-06-30 18:17 9,662 --a------ C:\WINDOWS\SYSTEM32\pinkip.ico
2008-06-30 15:09 . 2008-06-30 15:09 <DIR> d-------- C:\Deckard
2008-06-29 16:39 . 2003-03-18 02:17 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-29 16:39 . 2008-06-29 16:39 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-29 12:40 . 2008-06-29 12:40 25,504 --a------ C:\WINDOWS\SYSTEM32\jkkKDurS.dll
2008-06-29 12:13 . 2008-06-29 12:43 <DIR> d-------- C:\Documents and Settings\Kathy\Application Data\AVGTOOLBAR
2008-06-29 11:28 . 2008-07-03 10:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\8608
2008-06-29 11:24 . 2008-06-29 11:24 200,774 --a------ C:\WINDOWS\SYSTEM32\xx_tcntaxdm.exe
2008-06-29 11:18 . 2008-06-29 11:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Juniper Networks
2008-06-29 10:57 . 2008-06-29 10:57 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-06-29 10:27 . 2008-06-29 10:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\netrax06
2008-06-29 10:27 . 2008-06-29 10:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\eb10
2008-06-29 10:27 . 2008-06-29 13:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\bgi
2008-06-29 10:27 . 2008-06-29 10:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\axc
2008-06-29 10:27 . 2008-06-29 13:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\1049a
2008-06-29 10:27 . 2008-06-29 10:27 <DIR> d-------- C:\Temp\itmp4
2008-06-29 10:27 . 2008-06-29 10:27 <DIR> d-------- C:\Program Files\xx_Outerinfo
2008-06-29 10:27 . 2008-06-29 13:21 <DIR> d-------- C:\Program Files\xx_Network Monitor
2008-06-29 10:26 . 2008-06-29 10:26 88,025 --a------ C:\WINDOWS\SYSTEM32\uoyzsydz.exe
2008-06-29 10:26 . 2008-06-29 10:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-29 10:26 . 2002-08-29 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-06-29 10:26 . 2008-06-29 10:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-11 04:07 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-07 21:16 . 2008-06-07 21:16 32,768 --a------ C:\WINDOWS\SYSTEM32\netrax06\netrax061083.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 17:34 30,464 ----a-w C:\WINDOWS\win32e.exe
2008-07-03 17:34 30,464 ----a-w C:\WINDOWS\users32.exe
2008-07-03 17:34 28,928 ----a-w C:\WINDOWS\winmgnt.exe
2008-07-03 17:34 24,576 ----a-w C:\WINDOWS\waol.exe
2008-07-03 17:34 23,552 ----a-w C:\WINDOWS\win64.exe
2008-07-03 17:34 17,152 ----a-w C:\WINDOWS\window.exe
2008-07-03 17:34 16,128 ----a-w C:\WINDOWS\winajbm.dll
2008-07-03 17:31 22,784 ----a-w C:\WINDOWS\accesss.exe
2008-07-02 05:13 --------- d-----w C:\Program Files\xx_Viewpoint
2008-07-02 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-29 15:26 10,240 ----a-w C:\WINDOWS\system32\drivers\BEEP.SYS
2008-06-16 13:25 --------- d-----w C:\Documents and Settings\Kathy\Application Data\Juniper Networks
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-05-06 03:08 --------- d-----w C:\Documents and Settings\Kathy\Application Data\U3
2008-04-24 03:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-09-06 01:41 53,472 ----a-w C:\Documents and Settings\Kathy\Application Data\GDIPFONTCACHEV1.DAT
2003-03-18 07:21 207,758 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11A7A749-0381-4AE2-940B-27EC006D6006}]
2008-06-29 12:40 25504 --a------ C:\WINDOWS\system32\jkkKDurS.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 22:05 323584]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 20:38 987187]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-02 02:34 98304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-15 12:27 185896]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\Kathy\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-03-18 02:16:11 45056]
HJTInstall.exe [2008-06-29 14:58:40 812344]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{11A7A749-0381-4AE2-940B-27EC006D6006}"= "C:\WINDOWS\system32\jkkKDurS.dll" [2008-06-29 12:40 25504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\uoyzsydz.exe,"
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKDurS]
2008-06-29 12:40 25504 C:\WINDOWS\SYSTEM32\jkkKDurS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.NSPAC"= NSPAC32.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 18:05]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 10:05]
S3 jatmlano;jatmlano;C:\DOCUME~1\JEFFSE~1\LOCALS~1\Temp\jatmlano.sys []
S3 MA311;NETGEAR Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\ma311n51.sys [2002-04-30 20:56]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\fide.sys [2005-04-19 18:50]
S3 ProtoWall;ProtoWall Defender;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
- - - - ORPHANS REMOVED - - - -

BHO-{00110011-4b0b-44d5-9718-90c88817369b} - (no file)
BHO-{086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
BHO-{150fa160-130d-451f-b863-b655061432ba} - (no file)
BHO-{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
BHO-{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
BHO-{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
BHO-{2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
BHO-{2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
BHO-{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
BHO-{5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
BHO-{587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
BHO-{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
BHO-{79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
BHO-{799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
BHO-{8D67B81A-7D8B-5974-AA3A-7AA2909D429A} - C:\WINDOWS\system32\gcuoxe.dll
BHO-{98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
BHO-{a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
BHO-{b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
BHO-{bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
BHO-{cf021f40-3e14-23a5-cba2-717765721306} - (no file)
BHO-{e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
BHO-{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
BHO-{e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
BHO-{fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
BHO-{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
HKCU-Run-mjc - C:\Program Files\mjc\mjc.exe
HKLM-Run-WinampAgent - C:\Program Files\Winamp\Winampa.exe
HKLM-Run-{5E-E8-8B-BF-DW} - c:\windows\system32\rwwnw64d.exe
HKLM-Run-lphctblj0ea3r - C:\WINDOWS\system32\lphctblj0ea3r.exe
HKLM-Run-SMrhcpblj0ea3r - C:\Program Files\rhcpblj0ea3r\rhcpblj0ea3r.exe
HKLM-Run-sysrest32.exe - C:\WINDOWS\system32\sysrest32.exe
HKLM-Run-SMshcrblj0ea3r - C:\Program Files\shcrblj0ea3r\shcrblj0ea3r.exe
SSODL-NbpiiXB-{B425E8C0-1E8F-426A-336A-6D80A3A8F732} - C:\WINDOWS\system32\fg.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 12:47:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 25088 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\jkkKDurS.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\cisvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\uoyzsydz.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-03 12:52:17 - machine was rebooted [Kathy]
ComboFix-quarantined-files.txt 2008-07-03 17:52:09

Pre-Run: 48,512,413,696 bytes free
Post-Run: 48,413,011,968 bytes free

420 --- E O F --- 2008-06-21 08:02:02
 
You must log in or register to reply here.
Back
Top