Hijackthis log
gotaget, 9. January 2007 @ 06:12
I keep getting an error 34 and some screen saying it cannot find w000174.dll. Can someone please check over this and see if everything is ok. I already cleaned 499 viruses, malware, and other things from my computer. It's just running slow as the crap now. Just want to make sure everything is ok now. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 10:11:46 AM, on 1/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,ucefhbh.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/ireg.reg
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKLM\..\Run: [eli2b1f7] RUNDLL32.EXE w000f174.dll,n 0072b1f000000005000f174
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ycqqjmrA] C:\WINDOWS\ycqqjmrA.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pwinnoeb.exe SKY001
O4 - HKLM\..\Run: [wasarise] C:\WINDOWS\assembly\wasarise.exe
O4 - HKLM\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol hijack: mhtml -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Internet Protocol (netsvc) - Unknown owner - c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spools Spooler (Spools) - Unknown owner - c:\windows\system32\spools.exe (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
Senior Member, 9. January 2007 @ 15:31
Hi gotaget, your computer is still heavily infected. I'd recommend you reformat your HD and reinstall Windows for security reasons, but we can also clean the infections if you like. It's up to you. :-)


If you feel more comfortable cleaning, please do the following:

Download ComboFix.exe to the desktop from here
Open ComboFix.exe and follow the prompts.
Note:
Do not mouseclick ComboFix's window while it's running, it may cause it to stall.
When finished, it will produce a log for you. Post that log in your next reply along with a new HijackThis log.

gotaget, 10. January 2007 @ 09:00
I am gonna try and fix it, and if it still isn't looking good then I will start all over from scratch. Here is the Combo thing followed by the new HijackThis. Thanks for all your help.

Administrator - 07-01-10 13:38:24.92 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Alphonso Smith\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\taskmgr.com
C:\Program Files\Ipwins
C:\Program Files\Common Files\{30BA111F-0A62-1033-1202-030512200001}
C:\Program Files\Common Files\{50BA111F-0A61-1033-1202-030512200001}
C:\Program Files\Common Files\{50BA111F-0A62-1033-1202-030512200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1\?ymbols


((((((((((((((((((((((((((((((( Files Created from 2006-12-10 to 2007-01-10 ))))))))))))))))))))))))))))))))))


2007-01-09 10:16 <DIR> dr-h----- C:\Documents and Settings\Administrator\Recent
2007-01-09 09:28 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-08 23:53 57,344 --a------ C:\WINDOWS\yocul0578.exe
2007-01-08 23:32 930 --a------ C:\WINDOWS\SYSTEM32\winpfz32.sys
2007-01-08 23:28 184,389 --a------ C:\WINDOWS\SYSTEM32\pwinnoeb.exe
2007-01-08 23:20 256,000 --a------ C:\WINDOWS\xidcu0578.exe
2007-01-08 23:02 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-01-08 23:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2007-01-08 21:15 26,787 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-01-08 21:11 34,816 --a------ C:\WINDOWS\rau001978.exe
2007-01-08 21:10 65,536 --a------ C:\WINDOWS\dls0523pmw.exe
2007-01-08 21:10 381,920 -r-hs---- C:\WINDOWS\ycqqjmrA.exe
2007-01-08 21:09 46,592 --a------ C:\WINDOWS\ycqqjmr.exe
2007-01-05 18:02 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-01-05 18:02 <DIR> d-------- C:\Program Files\Grisoft
2007-01-05 18:02 <DIR> d-------- C:\Program Files\CCleaner
2007-01-05 18:00 <DIR> d-------- C:\Program Files\ewido anti-malware
2007-01-03 22:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-01-03 22:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-12-29 18:52 74,864 --a------ C:\WINDOWS\SYSTEM32\VetRedir.dll
2006-12-29 18:52 629,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetEFile.sys
2006-12-29 18:52 21,031 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Vet-Filt.sys
2006-12-29 18:52 15,478 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Vet-Rec.sys
2006-12-29 18:52 15,335 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetFDDNT.sys
2006-12-29 18:52 115,824 --a------ C:\WINDOWS\UnVet32.exe
2006-12-29 18:52 108,592 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetEBoot.sys
2006-12-29 18:52 107,632 --a------ C:\WINDOWS\AVShlExt.dll
2006-12-29 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2006-12-29 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-12-29 17:47 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2006-12-29 17:47 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2006-12-29 17:47 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2006-12-27 18:49 1,342 --a------ C:\WINDOWS\SYSTEM32\eli2b1f7.sys
2006-12-25 11:47 157,184 --a------ C:\WINDOWS\SYSTEM32\affxnds.dll
2006-12-24 15:07 277,044 ---hs---- C:\WINDOWS\SYSTEM32\awtsr.dll
2006-12-24 14:45 0 --a------ C:\jrsjgw.exe
2006-12-24 14:10 <DIR> d-------- C:\Program Files\AdSponsor
2006-12-23 11:56 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-23 11:51 184,320 --a------ C:\WINDOWS\sys0135437135912006.exe
2006-12-23 11:50 5,120 --a------ C:\WINDOWS\SYSTEM32\vxga3me2.exe
2006-12-23 11:49 22,541 ---hs---- C:\WINDOWS\SYSTEM32\byxustq.dll
2006-12-23 11:49 15 --a------ C:\WINDOWS\SYSTEM32\dlh9jkd1q8.exe
2006-12-23 11:48 276,992 --a------ C:\WINDOWS\SYSTEM32\ijsacm.exe
2006-12-23 11:48 125 --a------ C:\WINDOWS\ssmen.dll
2006-12-23 11:48 107,610 --a------ C:\WINDOWS\AtxPID29.exe
2006-12-21 12:15 23,552 --a------ C:\rimcqup.exe
2006-12-19 17:29 3,141 --a------ C:\dss.exe
2006-12-19 07:07 29,184 --------- C:\WINDOWS\SYSTEM32\rpcc.dll
2006-12-19 07:07 1,837 --a------ C:\fghxwjlm.exe
2006-12-11 16:17 <DIR> d-------- C:\Program Files\MyGlobalSearch


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-01-10 13:06 -------- d-a------ C:\Program Files\Common Files
2007-01-10 12:47 -------- d-------- C:\Program Files\Windows Media Player
2007-01-09 00:48 -------- d-------- C:\Program Files\BearShare
2007-01-09 00:17 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-08 20:33 -------- d-------- C:\Program Files\Lx_cats
2007-01-05 18:03 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-12-29 17:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-25 11:36 -------- d-------- C:\Program Files\XoftSpy
2006-12-09 18:34 372784 --a------ C:\ymjsetup.exe
2006-12-01 13:53 624240 --a------ C:\WINDOWS\SYSTEM32\ImageControl.dll
2006-12-01 13:53 2684528 --a------ C:\WINDOWS\SYSTEM32\AxCtp2.dll
2006-11-28 14:57 16 --a------ C:\WINDOWS\SYSTEM32\start.bat
2006-11-20 15:15 0 --a------ C:\WINDOWS\SYSTEM32\winntsrv.exe
2006-11-06 18:50 38300432 --a------ C:\es_iwne.exe
2006-10-13 15:49 2468045 --a------ C:\packs.exe
2006-10-12 19:44 13817216 --a------ C:\pptrialr8.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinSP"="REGEDIT.EXE -s c:/ireg.reg"
"PCShield"="regsvr32 /s \"C:\\WINDOWS\\System32\\sfg_51cb.dll\""
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"lxcemon.exe"="\"C:\\Program Files\\Lexmark 4300 Series\\lxcemon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 4300 Series\\ezprint.exe\""
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"Microsoft Corp TLS Certificates"="msauth.exe"
"ijsacm"="c:\\windows\\system32\\ijsacm.exe ijsacm"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"ycqqjmrA"="C:\\WINDOWS\\ycqqjmrA.exe"
"xete"="C:\\WINDOWS\\browserxtras\\xete.exe"
"combofix"="c:\\subs\\combofix.cmd"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]
"combofix"="c:\\subs\\combofix.cmd"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp TLS Certificates"="msauth.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp. Critical Services"="csrs.exe"
"Microsoft Development Services"="msdevelop.exe"
"Microsoft Windows Socketx32 Services"="winsockx32.exe"
"Microsoft Windows Services Edt"="dllrun32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp. Critical Services"="csrs.exe"
"Microsoft Development Services"="msdevelop.exe"
"Microsoft Windows Socketx32 Services"="winsockx32.exe"
"Microsoft Windows Services Edt"="dllrun32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winkve32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 07-01-10 13:39:09.40
C:\ComboFix.txt ... 07-01-10 13:39
C:\ComboFix2.txt ... 07-01-10 13:06
gotaget, 10. January 2007 @ 09:01
Logfile of HijackThis v1.99.1
Scan saved at 1:43:18 PM, on 1/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/ireg.reg
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ycqqjmrA] C:\WINDOWS\ycqqjmrA.exe
O4 - HKLM\..\Run: [xete] C:\WINDOWS\browserxtras\xete.exe
O4 - HKLM\..\Run: [combofix] c:\subs\combofix.cmd
O4 - HKLM\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol hijack: mhtml -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Internet Protocol (netsvc) - Unknown owner - c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
Senior Member, 11. January 2007 @ 16:59
You are running HijackThis from a temp folder. This means, when you fix something with HijackThis, a backup will not be created.
Unzip (extract) the HijackThis.exe from the zip file to a permanent folder.

Also, these HjT scans are being run from safe mode. Please run all HijackThis scans in normal mode.

------------------------------------------------------------------------

Go here and download CCleaner.
Note: If you do not want Yahoo! Toolbar uncheck the option when installing.
Open CCleaner.
Click Options > Advanced > uncheck "Only delete files in Windows Temp folders older than 48 hours".
Close all windows.
Click Cleaner > Run Cleaner.

Run a scan only with HijackThis, check these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/ireg.reg
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKLM\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [ycqqjmrA] C:\WINDOWS\ycqqjmrA.exe
O4 - HKLM\..\Run: [xete] C:\WINDOWS\browserxtras\xete.exe
O4 - HKLM\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol hijack: mhtml -
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winkve32 - C:\WINDOWS\
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe


Close all windows except HijackThis, then click "Fix checked".

Note: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.
Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from the menu and press Enter).

Open AVGAS and click "Scanner".
Click "Complete System Scan".
When it finishes scanning, set all items to "Quarantine".
Click "Apply All Actions".
Click "Save Report" and save it to the desktop.

Show hidden files and folders.
Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders".
Click Apply, then OK.

Locate and delete these files (if there):
C:\WINDOWS\yocul0578.exe
C:\ireg.reg
C:\WINDOWS\System32\sfg_51cb.dll
C:\WINDOWS\System32\ijsacm.exe
C:\WINDOWS\ycqqjmrA.exe
C:\WINDOWS\ycqqjmr.exe
C:\WINDOWS\System32\rpcc.dll
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\SYSTEM32\winpfz32.sys
C:\WINDOWS\xidcu0578.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\SYSTEM32\eli2b1f7.sys
C:\jrsjgw.exe
C:\WINDOWS\sys0135437135912006.exe
C:\WINDOWS\SYSTEM32\byxustq.dll
C:\WINDOWS\SYSTEM32\dlh9jkd1q8.exe
C:\WINDOWS\SYSTEM32\ijsacm.exe
C:\fghxwjlm.exe

Please tell me which files are not there or non-deletable.

Restart in normal mode.

Download Rootkit Revealer from here.
Create a new folder, named RKR, in C:\
Extract the files to the new folder.
Open RootkitRevealer.exe.
Close all other windows and click "Scan".
Important: Leave the computer idle while the scan runs.
When the scan is finished, click File > Save... to save the text file to the C:\RKR\ folder.

Run ComboFix again to get a fresh log.

Please post back with the RKR log, the ComboFix log and a new HijackThis log.

gotaget, 11. January 2007 @ 20:11
I am trying to do this

Show hidden files and folders.
Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders".
Click Apply, then OK.

When I try, the Control Panel window pops up and says that

Windows cannot find 'rundll32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click search.

What should I do now?
Thanks
gotaget, 12. January 2007 @ 10:05
Along with the problem listed above, my eTrust Antivirus keeps saying
C:\Windows\System32\msauth.exe
is infected with: Win32/Rbot.FYW

Something else keeps bringing up the IE screen to do something.

When I ran the Hijack again after I moved it, everything but

O4 - HKLM\..\Run: [xete] C:\WINDOWS\browserxtras\xete.exe
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm

Fixed everything else, then ran the AVGAS, and the report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:59:10 AM 1/12/2007

+ Scan result:

C:\I386\P2P Networking v125.cpl -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\vxga3me2.exe -> Backdoor.Small.nr : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temp\f408500.exe -> Downloader.Qoologic.bp : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temp\f408500.exe -> Downloader.Qoologic.bp : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\affxnds.dll -> Downloader.Qoologic.bp : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\yuubi.dat -> Downloader.Qoologic.bp : Cleaned with backup (quarantined).
C:\fghxwjlm.exe -> Downloader.Small.ecr : Cleaned with backup (quarantined).
C:\dss.exe -> Downloader.Small.edb : Cleaned with backup (quarantined).
C:\rimcqup.exe -> Not-A-Virus.Hoax.Win32.Renos.gc : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temp\mst3E.tmp.mwt -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\winkve32.dll.mwt -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\aoo\31 -> Trojan.Hidewindows.c : Cleaned with backup (quarantined).
::Report end

Can't do the Control Panel.
Deleted all the files except for:

C:\ireg.reg = not there

C:\WINDOWS\System32\sfg_51cb.dll = not there

C:\WINDOWS\System32\rpcc.dll = says it's being used by another person or program

C:\WINDOWS\SYSTEM32\byxustq.dll = not there

C:\WINDOWS\SYSTEM32\ijsacm.exe = all I see is a .dat file (wasn't sure)

C:\fghxwjlm.exe = not there

Ran Rootkit Revealer

HKLM\SECURITY\Policy\Secrets\SAC* 9/3/2002 9:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/3/2002 9:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 1/12/2007 11:50 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc 1/12/2007 11:50 AM 8 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 9.62 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1337.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1337.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1337.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 13.14 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1338.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1338.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1338.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 9.96 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER133C.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER133C.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1341.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1341.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1341.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 14.00 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1342.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1342.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1342.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 14.46 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1343.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1343.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1343.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 4.44 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1344.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1344.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1344.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 3.49 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1346.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1346.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1346.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 228 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1347.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1347.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1347.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 3.40 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1348.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1348.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1348.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 3.49 KB Hidden from Windows API.
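As an added illustration (not code from this thread or from Sysinternals), here is how a helper reads a RootkitRevealer save file like the one above: parse each line into path, timestamp, size and description, set aside the discrepancies the tool's documentation describes as normal (LSA secret keys with embedded nulls, values such as the CryptoAPI RNG seed that change while the scan runs), and collapse the "Hidden from Windows API" hits to their outermost paths so that a hidden directory and its contents become one question instead of several. The sample lines are copied from the log posted above; the bucket names and the benign-prefix list are my own assumptions.

```python
import re

# Constructed sample: lines in the format RootkitRevealer writes from File > Save...,
# copied from the log posted in this thread.
SAMPLE_RKR = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 9/3/2002 9:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/3/2002 9:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 1/12/2007 11:50 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc 1/12/2007 11:50 AM 8 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp.dir00 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1336.tmp.dir00\appcompat.txt 12/24/2006 7:51 PM 9.62 KB Hidden from Windows API.
C:\Documents and Settings\Alphonso Smith\Local Settings\Temp\WER1337.tmp 12/24/2006 7:51 PM 0 bytes Hidden from Windows API.
"""

# One RKR line: <path> <m/d/yyyy h:mm AM|PM> <size> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<desc>.+)$"
)

# Assumption (from the RootkitRevealer documentation): LSA secret keys under
# HKLM\SECURITY\Policy\Secrets whose names contain embedded nulls are normal.
KNOWN_BENIGN_PREFIXES = ("hklm\\security\\policy\\secrets\\sa",)
# Values rewritten while the scan runs (the CryptoAPI RNG seed is the documented case)
# show up as a mismatch between the Windows API read and the raw hive read.
VOLATILE_DESC = "Data mismatch between Windows API and raw hive data"


def parse_rkr(text):
    """Return a list of dicts {path, stamp, size, desc}, one per parsable line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify(entry):
    """Bucket one discrepancy: known-benign, volatile, or review (needs a human)."""
    path, desc = entry["path"].lower(), entry["desc"]
    if desc.startswith("Key name contains embedded nulls") and path.startswith(KNOWN_BENIGN_PREFIXES):
        return "known-benign"
    if desc.startswith(VOLATILE_DESC):
        return "volatile"   # re-scan with the machine idle; a mismatch that persists is the interesting case
    return "review"         # "Hidden from Windows API" and anything unrecognised


def summarize(text):
    """Parse a whole save file and group the entries by bucket."""
    buckets = {"known-benign": [], "volatile": [], "review": []}
    for entry in parse_rkr(text):
        buckets[classify(entry)].append(entry)
    return buckets


def hidden_roots(entries):
    """Drop hits that sit inside another listed hidden path: a file inside a hidden
    directory is explained by the directory, so only the outermost paths need a look."""
    roots = []
    for path in sorted(e["path"] for e in entries):
        if not any(path.lower().startswith(root.lower() + "\\") for root in roots):
            roots.append(path)
    return roots


if __name__ == "__main__":
    buckets = summarize(SAMPLE_RKR)
    for name, entries in buckets.items():
        print(f"{name}: {len(entries)} line(s)")
    print("outermost hidden paths to ask about:")
    for root in hidden_roots(buckets["review"]):
        print("  ", root)
```

Run against the full log posted above, the review bucket is the only one that needs the user's answer, and `hidden_roots` reduces the run of WER*.tmp lines to the directories created within the same minute under one Temp folder, which is the single question to ask.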
Senior Member
12. January 2007 @ 10:06
Restart in safe mode, because it'll get stuck.
gotaget
Suspended due to non-functional email address
12. January 2007 @ 10:23
Alphonso Smith - 07-01-12 13:43:16.78 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Alphonso Smith\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Alphonso Smith\Application Data\Install.dat
C:\Documents and Settings\Alphonso Smith\Start Menu\Programs\Startup\z_start.lnk

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\YMBOLS~1\?ymbols


((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))


2007-01-12 11:37 <DIR> d-------- C:\RKR
2007-01-12 09:47 <DIR> dr-h----- C:\Documents and Settings\Alphonso Smith\Recent
2007-01-12 00:30 <DIR> d-------- C:\Program Files\hijackthis
2007-01-09 09:28 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-08 23:28 184,389 --a------ C:\WINDOWS\SYSTEM32\pwinnoeb.exe
2007-01-08 23:02 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2007-01-08 23:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2007-01-08 21:15 26,787 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-01-08 21:10 381,920 -r-hs---- C:\WINDOWS\ycqqjmrA.exe
2007-01-05 18:02 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-01-05 18:02 <DIR> d-------- C:\Program Files\Grisoft
2007-01-05 18:02 <DIR> d-------- C:\Program Files\CCleaner
2007-01-05 18:00 <DIR> d-------- C:\Program Files\ewido anti-malware
2006-12-29 18:52 74,864 --a------ C:\WINDOWS\SYSTEM32\VetRedir.dll
2006-12-29 18:52 629,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetEFile.sys
2006-12-29 18:52 21,031 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Vet-Filt.sys
2006-12-29 18:52 15,478 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Vet-Rec.sys
2006-12-29 18:52 15,335 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetFDDNT.sys
2006-12-29 18:52 115,824 --a------ C:\WINDOWS\UnVet32.exe
2006-12-29 18:52 108,592 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VetEBoot.sys
2006-12-29 18:52 107,632 --a------ C:\WINDOWS\AVShlExt.dll
2006-12-29 17:47 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2006-12-29 17:47 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2006-12-29 17:47 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2006-12-24 15:19 751,876 --a------ C:\Documents and Settings\Alphonso Smith\Application Data\Dxcknwrd.dll.ren
2006-12-24 15:07 277,044 ---hs---- C:\WINDOWS\SYSTEM32\awtsr.dll
2006-12-24 14:10 <DIR> d-------- C:\Program Files\AdSponsor
2006-12-23 11:56 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-23 11:49 22,541 ---hs---- C:\WINDOWS\SYSTEM32\byxustq.dll
2006-12-23 11:48 125 --a------ C:\WINDOWS\ssmen.dll
2006-12-23 11:48 107,610 --a------ C:\WINDOWS\AtxPID29.exe
2006-12-19 07:07 29,184 --------- C:\WINDOWS\SYSTEM32\rpcc.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-01-10 13:06 -------- d-a------ C:\Program Files\Common Files
2007-01-10 12:47 -------- d-------- C:\Program Files\Windows Media Player
2007-01-09 00:48 -------- d-------- C:\Program Files\BearShare
2007-01-09 00:17 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-08 20:33 -------- d-------- C:\Program Files\Lx_cats
2006-12-29 17:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-25 11:36 -------- d-------- C:\Program Files\XoftSpy
2006-12-11 16:17 -------- d-------- C:\Program Files\MyGlobalSearch
2006-12-09 18:34 372784 --a------ C:\ymjsetup.exe
2006-12-01 13:53 624240 --a------ C:\WINDOWS\SYSTEM32\ImageControl.dll
2006-12-01 13:53 2684528 --a------ C:\WINDOWS\SYSTEM32\AxCtp2.dll
2006-11-28 19:05 -------- d-------- C:\Documents and Settings\Alphonso Smith\Application Data\Leadertech
2006-11-28 14:57 16 --a------ C:\WINDOWS\SYSTEM32\start.bat
2006-11-20 15:15 0 --a------ C:\WINDOWS\SYSTEM32\winntsrv.exe
2006-11-06 18:50 38300432 --a------ C:\es_iwne.exe
2006-10-13 15:49 2468045 --a------ C:\packs.exe
2006-10-12 19:44 13817216 --a------ C:\pptrialr8.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PCShield"="regsvr32 /s \"C:\\WINDOWS\\System32\\sfg_51cb.dll\""
"Microsoft Corp TLS Certificates"="msauth.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp TLS Certificates"="msauth.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"lxcemon.exe"="\"C:\\Program Files\\Lexmark 4300 Series\\lxcemon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 4300 Series\\ezprint.exe\""
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"ijsacm"="c:\\windows\\system32\\ijsacm.exe ijsacm"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"combofix"="c:\\subs\\combofix.cmd"
"cowovawu"="C:\\WINDOWS\\Config\\cowovawu.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]
"combofix"="c:\\subs\\combofix.cmd"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp. Critical Services"="csrs.exe"
"Microsoft Development Services"="msdevelop.exe"
"Microsoft Windows Socketx32 Services"="winsockx32.exe"
"Microsoft Windows Services Edt"="dllrun32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Microsoft Corp. Critical Services"="csrs.exe"
"Microsoft Development Services"="msdevelop.exe"
"Microsoft Windows Socketx32 Services"="winsockx32.exe"
"Microsoft Windows Services Edt"="dllrun32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 07-01-12 13:45:11.62
C:\ComboFix.txt ... 07-01-12 13:45
C:\ComboFix2.txt ... 07-01-10 13:39
C:\ComboFix3.txt ... 07-01-10 13:06
______________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 1:49:04 PM, on 1/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\Config\cowovawu.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\SYSTEM32\pwinnoeb.exe
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [combofix] c:\subs\combofix.cmd
O4 - HKLM\..\Run: [cowovawu] C:\WINDOWS\Config\cowovawu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKCU\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Internet Protocol (netsvc) - Unknown owner - c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
gotaget
Suspended due to non-functional email address
12. January 2007 @ 10:25
I tried it again in safe mode and it still says rundll32 is missing when I try to open the Control Panel.
Senior Member
13. January 2007 @ 02:16
Go here and download KillBox. You will use it later.

Fix these with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [combofix] c:\subs\combofix.cmd
O4 - HKLM\..\Run: [cowovawu] C:\WINDOWS\Config\cowovawu.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKCU\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll



Note: print these instructions or copy them to Notepad and save them; you will be in safe mode and can't access the internet.

Go to Start > Run > type services.msc > click OK.
Locate the following and double-click it to open.
Internet Protocol
Beside "Startup type" click the drop-down menu and select "Disabled".
Close Services.

Open HijackThis.
Click "Open the misc tools section".
Click "Delete an NT service".
Copy/paste this into the area:
netsvc
Click OK. You will be prompted to restart, click "Yes".

Open Killbox.exe.
Check "Standard File Kill".
In the "Full Path of File to Delete" box, copy/paste each of the following lines below one at a time. Then, click the red button with a white X after you enter each file.
You will be prompted to confirm, click "Yes".
Note: KillBox may prompt "File does not seem to exist". If so, continue with next file, but do not miss any.

C:\WINDOWS\System32\ijsacm.exe
C:\WINDOWS\System32\ijsacm.dat
C:\WINDOWS\Config\cowovawu.exe
C:\WINDOWS\System32\sfg_51cb.dll
C:\WINDOWS\System32\pwinnoeb.exe
C:\Windows\System32\msauth.exe
C:\WINDOWS\browserxtras
C:\ireg.reg
C:\WINDOWS\System32\rpcc.dll
C:\WINDOWS\SYSTEM32\byxustq.dll
C:\fghxwjlm.exe
c:\Windows\java\trustlib\com\ms\mtx\.temp\netservice.exe
C:\WINDOWS\ycqqjmrA.exe
C:\WINDOWS\SYSTEM32\byxustq.dll
C:\WINDOWS\SYSTEM32\pwinnoeb.exe


Restart in normal mode.

Click here to get The Avenger.

Click on Avenger.zip to open the file.
Extract avenger.exe to your desktop.
Copy all the following red text contained inside the box below to your clipboard by highlighting it and pressing (Ctrl+C):

------------------------------------------------------------------------
Drivers to unload:
pe386

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\pe386
HKLM\SYSTEM\ControlSet001\Services\pe386
HKLM\SYSTEM\ControlSet002\Services\pe386

------------------------------------------------------------------------

Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon, which will open a "View/edit script" window.
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done.
Click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Go here to run ActiveScan.
Click "Panda ActiveScan".
Fill in the form with your information.
After downloading, click My Computer to scan.
When it finishes, click "See Report".
Click "Save report" and save it to the desktop.

Please post back with the ActiveScan report and a new HijackThis log.

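The fix list above was picked out of the HijackThis log by eye, using a handful of tells: an entry that names a bare executable with no path (msauth.exe), a brand name that does not match the binary, a HKCU RunServices key (a Windows 9x/Me key that NT-family Windows does not use), a binary starting from a directory such as C:\WINDOWS\Config, a regsvr32 /s call that re-registers a DLL at every logon, and a per-user startup shortcut pointing into System32. As an added example (not code from the thread, from HijackThis or from its author), here is a small Python triage that applies those same tells to O4 lines. The sample lines are copied from the log posted above; the heuristics and the directory list are my own assumptions.

```python
import re

# Constructed sample: O4 (autostart) lines copied from the HijackThis log posted in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ijsacm] c:\windows\system32\ijsacm.exe ijsacm
O4 - HKLM\..\Run: [cowovawu] C:\WINDOWS\Config\cowovawu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_51cb.dll"
O4 - HKCU\..\Run: [Microsoft Corp TLS Certificates] msauth.exe
O4 - HKCU\..\RunServices: [Microsoft Corp TLS Certificates] msauth.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

# Registry-backed entries look like "O4 - HKLM\..\Run: [name] command"
REG_RE = re.compile(r"^O4 - (?P<hive>[^\[:]+?)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder entries look like "O4 - Startup: name.lnk = target"
LNK_RE = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Windows loaders that legitimately appear without a path but run whatever they are handed.
SYSTEM_LOADERS = {"regsvr32", "regsvr32.exe", "rundll32", "rundll32.exe"}
# Assumption: directories where droppers in this thread were found; real startup components do not live here.
ODD_DIRS = ("\\windows\\config\\", "\\windows\\browserxtras\\", "\\windows\\java\\", "\\temp\\")


def parse_o4(text):
    """Return a list of dicts {hive, key, name, cmd}, one per O4 line in text."""
    entries = []
    for line in text.splitlines():
        m = REG_RE.match(line)
        if m:
            entries.append(m.groupdict())
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append({"hive": "", **m.groupdict()})
    return entries


def first_token(cmd):
    """The program actually launched: the quoted path, or the text before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def review(entry):
    """Apply the tells a log reader uses by eye; returns the reasons an entry deserves a look."""
    reasons = []
    exe = first_token(entry["cmd"]).lower()
    base = exe.rsplit("\\", 1)[-1]
    if base in SYSTEM_LOADERS:
        reasons.append(f"{base} loads whatever file it is given at every logon; inspect the argument")
    elif "\\" not in exe:
        reasons.append("bare executable name, found by PATH search instead of a fixed location")
    if entry["key"].lower() == "runservices":
        reasons.append("RunServices is a Windows 9x/Me key; on NT-family Windows it is normally written only by malware")
    if any(d in exe for d in ODD_DIRS):
        reasons.append("binary lives in a directory real startup components do not use")
    if "microsoft" in entry["name"].lower() and "\\microsoft" not in exe and "\\windows\\" not in exe:
        reasons.append("display name claims Microsoft but the binary is not under a Microsoft or Windows path")
    if entry["key"] == "Startup" and "\\system32\\" in exe:
        reasons.append("per-user startup shortcut into System32; system components do not autostart this way")
    return reasons


def triage(text):
    """Return [(entry, reasons)] for the O4 entries worth asking the user about."""
    return [(e, review(e)) for e in parse_o4(text) if review(e)]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_O4):
        print(f"[{entry['key']}] {entry['name']}: {entry['cmd']}")
        for reason in reasons:
            print("   -", reason)
```

Note what the heuristics do not catch: the [ijsacm] entry runs from System32 under an innocuous-looking name and passes every check here; it was identified in the thread from the AVG Anti-Spyware and ActiveScan reports, not from the HijackThis line alone. Static tells narrow the list; scanner hits and file timestamps (the ComboFix "Files Created" section) settle it.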
gotaget
Suspended due to non-functional email address
15. January 2007 @ 19:01
Here is the Avenger stuff. Some of the other stuff I wasn't able to erase with kill switch; I will type them in a minute.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yympvnok

*******************

Script file located at: \??\C:\WINDOWS\mmweeicu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.


Registry key HKLM\SYSTEM\CurrentControlSet\Services\pe386 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pe386 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pe386
Status: 0xc0000034



Registry key HKLM\SYSTEM\ControlSet001\Services\pe386 not found!
Deletion of registry key HKLM\SYSTEM\ControlSet001\Services\pe386 failed!

Could not process line:
HKLM\SYSTEM\ControlSet001\Services\pe386
Status: 0xc0000034

Registry key HKLM\SYSTEM\ControlSet002\Services\pe386 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Senior Member
15. January 2007 @ 19:29
That's good. Now, please post a new HijackThis log.

gotaget
Suspended due to non-functional email address
16. January 2007 @ 01:33
Incident Status Location

Adware:adware/navipromo Not disinfected c:\windows\system32\ijsacm_nav.dat
Adware:adware/comet Not disinfected c:\windows\downloaded program files\dm.inf
Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Adware:adware program Not disinfected c:\windows\ss3unstl.exe
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyGlobalSearch
Adware:adware/popupdefence Not disinfected Windows Registry
Adware:adware/iedriver Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
Adware:adware/savenow Not disinfected Windows Registry
Virus:Bck/Servu.A Disinfected C:\!KillBox\netservice.exe
Adware:Adware/Zeno Not disinfected C:\!KillBox\pwinnoeb.exe
Potentially unwanted tool:Application/Hiderun.F Not disinfected C:\aoo\blastcln.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Alphonso Smith\Cookies\alphonso smith@doubleclick[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Alphonso Smith\Cookies\alphonso smith@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Alphonso Smith\Cookies\alphonso smith@searchportal.information[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.atwola.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.fortunecity.com/]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Gwendolyn Smith\Local Settings\Temp\unpack\CC_43.inf
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\LocalService\Cookies\alphonso smith@adultfriendfinder[1].txt
Spyware:Spyware/Apropos Not disinfected C:\I386\auto_update_uninstall.log
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\I386\MARSHAL.DLL
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\I386\P2P Networking.exe
Hacktool:HackTool/Scansql.B Not disinfected C:\packs.exe[8]
Potentially unwanted tool:Application/Hiderun.F Not disinfected C:\packs.exe[blastcln.exe]
Potentially unwanted tool:Application/HideWindow.B Not disinfected C:\packs.exe[31]
Virus:Trj/VB.SU Disinfected C:\WINDOWS\AtxPID29.exe
Adware:Adware/CWS Not disinfected C:\WINDOWS\INF\ranamine.exe
Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Install.dat
gotaget
16. January 2007 @ 04:21
Sorry it's taking so long, but this computer is terribly slow and then often just freezes for no reason. Thanks for your help though.
Senior Member
16. January 2007 @ 07:50
Download Ad-Aware SE Personal 1.06.

Install Ad-Aware SE Personal:
Follow the default settings for installation.
After installing, uncheck the following:
* "Perform a full system scan now"
* "Update definition file now"
* "Open the help file now"

Update Ad-Aware SE Personal:
Open Ad-Aware.
Click "Check for updates now" then click "Connect".
If any are found click "OK" to download and install the updates. Once it has finished click "Finish".

Configure Ad-Aware SE Personal:
Click the Gear button at the top of the window.

Click "General" on the left hand side. Make sure these items have a green check next to them.
If they do not, click once on the circle next to them to put a green checkmark.
* "Automatically save logfile"
* "Automatically quarantine objects prior to removal"
* "Safe Mode (always request confirmation)"
* "Prompt to update outdated definitions" - change to 7 days from the default 14.

Click "Scanning" on the left hand side. Make sure these items have a green check next to them.
* "Scan within archives"
* "Select drives & folders to scan" - select your hard drive(s).
* "Scan active processes"
* "Scan registry"
* "Deep-scan registry"
* "Scan my IE favorites for banned URLs"
* "Scan my Hosts file"

Click "Advanced" on the left hand side. Make sure these items have a green check next to them.
* "Move deleted files to Recycle Bin"
* "Include additional object information"
* "Include negligible objects information"
* "Include environment information"

Click "Tweak" on the left hand side to display the Tweak Settings box.
Click the + (plus) sign next to the Scanning Engine section. Make sure these items have a green check next to them.
* "Unload recognized processes & modules during scan"
* "Scan registry for all users instead of current user only"
* "Obtain command line of scanned processes"

Click the + (plus) sign next to the Cleaning Engine section. Make sure these items have a green check next to them.
* "Always try to unload modules before deletion"
* "During removal, unload Explorer and IE if necessary"
* "Let Windows remove files in use at next reboot"
* "Delete quarantined objects after restoring"
Once you are done with these settings, click "Proceed" to save them. This will take you back to the main screen.

Run Ad-Aware SE Personal:
* Click the "Start" button.
* Uncheck the "Search for negligible risk entries" entry.
* Choose the "Use custom scanning options" scan mode.
* Click the "Next" button.
* When it finishes, right-click on any entry in the list and click "Select All" to select the whole list.
* Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

Restart your computer after scanning.

Run ActiveScan again and please post the log along with a new HijackThis log.

gotaget
16. January 2007 @ 16:30
Logfile of HijackThis v1.99.1
Scan saved at 9:25:07 PM, on 1/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\Debug\geceboci.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwinnoeb.exe SKY001
O4 - HKLM\..\Run: [geceboci] C:\WINDOWS\Debug\geceboci.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
Senior Member
16. January 2007 @ 20:37
Go here and download CCleaner.
Note: If you do not want Yahoo! Toolbar uncheck the option when installing.
Open CCleaner.
Click Options > Advanced > uncheck "Only delete files in Windows Temp folders older than 48 hours".
Close all windows.
Click Cleaner > Run Cleaner.

Update AVG Anti-Spyware. (Important)
Note: You may uninstall Ewido. AVG Anti-Spyware is Ewido, only updated.

Fix these with HijackThis:
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pwinnoeb.exe SKY001
O4 - HKLM\..\Run: [geceboci] C:\WINDOWS\Debug\geceboci.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinnoeb.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll


Note: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.
Restart in safe mode.

KillBox these files:
C:\WINDOWS\SYSTEM32\pwinnoeb.exe
C:\WINDOWS\Debug\geceboci.exe
C:\WINDOWS\System32\rpcc.dll



Open AVGAS and click "Scanner".
Click "Complete System Scan".
When it finishes scanning, set all items to "Quarantine".
Click "Apply All Actions".
Click "Save Report" and save it to the desktop.

Restart in normal mode and run ActiveScan one more time.

Please post back with the AVGAS log, the ActiveScan log and a new HijackThis log.

This message has been edited since posting. Last time this message was edited on 16. January 2007 @ 20:38

gotaget
19. January 2007 @ 14:09
I cannot erase Ewido because I cannot get into the Control Panel.

KillBox these files:
C:\WINDOWS\SYSTEM32\pwinnoeb.exe= not there
C:\WINDOWS\Debug\geceboci.exe = not there
C:\WINDOWS\System32\rpcc.dll = desktop goes blank and computer freezes
gotaget
19. January 2007 @ 14:18
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:04:26 AM 1/18/2007

+ Scan result:



C:\!KillBox\pwinnoeb.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\INF\ranamine.exe -> Hijacker.VB.is : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 6:48:34 PM, on 1/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

______________________________________________________________

Incident Status Location

Adware:adware/navipromo Not disinfected c:\windows\system32\ijsacm_nav.dat
Adware:adware/comet Not disinfected c:\windows\downloaded program files\dm.inf
Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Adware:adware program Not disinfected c:\windows\ss3unstl.exe
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyGlobalSearch
Adware:adware/popupdefence Not disinfected Windows Registry
Adware:adware/iedriver Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:Application/Hiderun.F Not disinfected C:\aoo\blastcln.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.atwola.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.fortunecity.com/]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Gwendolyn Smith\Local Settings\Temp\unpack\CC_43.inf
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\LocalService\Cookies\alphonso smith@adultfriendfinder[1].txt
Spyware:Spyware/Apropos Not disinfected C:\I386\auto_update_uninstall.log
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\I386\MARSHAL.DLL
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\I386\P2P Networking.exe
Hacktool:HackTool/Scansql.B Not disinfected C:\packs.exe[8]
Potentially unwanted tool:Application/Hiderun.F Not disinfected C:\packs.exe[blastcln.exe]
Potentially unwanted tool:Application/HideWindow.B Not disinfected C:\packs.exe[31]
Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Install.dat
Senior Member
20. January 2007 @ 09:08
Copy all the red text to your clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

C:\WINDOWS\System32\rpcc.dll
c:\windows\system32\ijsacm_nav.dat
c:\windows\downloaded program files\dm.inf
c:\windows\sepsd.bin
c:\windows\smdat32m.sys
c:\windows\ss3unstl.exe
C:\Documents and Settings\Gwendolyn Smith\Local Settings\Temp\unpack\CC_43.inf
C:\packs.exe
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Install.dat
C:\I386\auto_update_uninstall.log
C:\I386\MARSHAL.DLL
C:\I386\P2P Networking.exe

Folders to delete:

c:\program files\MyGlobalSearch
C:\aoo



Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done.
Click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.



Copy the following bold text into Notepad.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}]


Name the file Fix.reg
Change the "Save as Type" to All Files and save it on the desktop.
Open the Fix.reg file and click Yes when prompted to merge.

Open CCleaner.
Click "Issues".
Click "Scan for Issues".
After scanning, click "Fix selected issues...".
When prompted to backup registry, click "Yes".

Restart your computer.

Please post back with the contents of C:\avenger.txt and a new HijackThis log.
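Building the Avenger script and the Fix.reg file above from the ActiveScan report is a mechanical step: every "Not disinfected" row with a file location becomes a line under "Files to delete:", an HKEY_ location becomes a "[-KEY]" line in a REGEDIT4 file, and cookies and unspecified "Windows Registry" hits are left to CCleaner or manual follow-up. The Python below does that classification. It is an added example written for this page, not code from the thread, from Panda or from The Avenger: the row format is inferred from the report lines quoted in the thread, the names parse_activescan, plan_remediation, avenger_script and reg_fix are mine, the file-versus-folder rule is a heuristic of mine (the helper's decision to delete C:\aoo as a folder was a judgment call the script does not reproduce), and the sample report is a constructed excerpt of the 19 January ActiveScan post.

```python
"""Turn a Panda ActiveScan report into an Avenger script and a .reg fix.

Added example for this page; not code from the thread, Panda or The Avenger.
The row format is inferred from the report lines quoted in the thread.
"""
import re

# Report row: "<incident> <status> <location>". The incident itself can contain
# spaces ("Potentially unwanted tool:application/myway"), so anchor on the status.
ROW_RE = re.compile(r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$")
# "C:\packs.exe[blastcln.exe]" is a member inside an archive; only the container is on disk.
MEMBER_RE = re.compile(r"^(?P<container>.+?\.[A-Za-z0-9]+)\[[^\]]*\]$")


def parse_activescan(text):
    """Return one dict (incident, status, location) per report row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def plan_remediation(rows):
    """Sort 'Not disinfected' findings into what Avenger, a .reg merge and other
    tools each have to handle. Order of first appearance is kept, duplicates dropped."""
    plan = {"files": [], "folders": [], "reg_keys": [], "registry_unspecified": [], "cookies": []}
    seen = set()

    def add(kind, value):
        if (kind, value) not in seen:
            seen.add((kind, value))
            plan[kind].append(value)

    for r in rows:
        if r["status"] != "Not disinfected":
            continue                      # the scanner already cleaned this one
        inc, loc = r["incident"], r["location"]
        if inc.startswith("Spyware:Cookie/"):
            add("cookies", loc)           # tracking cookies: browser/CCleaner job, not Avenger
        elif loc == "Windows Registry":
            add("registry_unspecified", inc)  # no key given; needs manual follow-up
        elif loc.startswith("HKEY_"):
            add("reg_keys", loc)
        else:
            m = MEMBER_RE.match(loc)
            if m:
                loc = m.group("container")
            # Heuristic (mine): a last path component without an extension is a folder.
            if "." in loc.rsplit("\\", 1)[-1]:
                add("files", loc)
            else:
                add("folders", loc)
    return plan


def avenger_script(plan):
    """Render the 'Files to delete:' / 'Folders to delete:' script in the layout the thread uses."""
    lines = ["Files to delete:", ""] + plan["files"] + ["", "Folders to delete:", ""] + plan["folders"]
    return "\n".join(lines) + "\n"


def reg_fix(plan):
    """Render a REGEDIT4 file that deletes each listed key ('[-KEY]' syntax, as in the thread)."""
    lines = ["REGEDIT4", ""]
    for key in plan["reg_keys"]:
        lines += [f"[-{key}]", ""]
    return "\n".join(lines)


# Constructed excerpt of the 19 January ActiveScan post.
SAMPLE_REPORT = r"""Incident Status Location

Adware:adware/navipromo Not disinfected c:\windows\system32\ijsacm_nav.dat
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyGlobalSearch
Adware:adware/popupdefence Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
Virus:Bck/Servu.A Disinfected C:\!KillBox\netservice.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gwendolyn Smith\Application Data\Mozilla\Firefox\Profiles\0tq2ob5j.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Alphonso Smith\Cookies\alphonso smith@doubleclick[1].txt
Hacktool:HackTool/Scansql.B Not disinfected C:\packs.exe[8]
Potentially unwanted tool:Application/Hiderun.F Not disinfected C:\packs.exe[blastcln.exe]
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\I386\P2P Networking.exe
"""

if __name__ == "__main__":
    plan = plan_remediation(parse_activescan(SAMPLE_REPORT))
    print(avenger_script(plan))
    print(reg_fix(plan))
    print("needs manual registry follow-up:", plan["registry_unspecified"])
    print("cookies skipped:", len(plan["cookies"]))
```

Review the generated lists before running them: the script deletes whatever the scanner named, so a false positive in the report becomes a deleted file, and the backup Avenger keeps in C:\avenger\backup.zip is the only undo.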

gotaget
21. January 2007 @ 17:53
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\iepjjmkm

*******************

Script file located at: \??\C:\Documents and Settings\odeewngk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\rpcc.dll deleted successfully.
File c:\windows\system32\ijsacm_nav.dat deleted successfully.
File c:\windows\downloaded program files\dm.inf deleted successfully.
File c:\windows\sepsd.bin deleted successfully.
File c:\windows\smdat32m.sys deleted successfully.
File c:\windows\ss3unstl.exe deleted successfully.
File C:\Documents and Settings\Gwendolyn Smith\Local Settings\Temp\unpack\CC_43.inf deleted successfully.
File C:\packs.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Install.dat deleted successfully.
File C:\I386\auto_update_uninstall.log deleted successfully.
File C:\I386\MARSHAL.DLL deleted successfully.
File C:\I386\P2P Networking.exe deleted successfully.
Folder c:\program files\MyGlobalSearch deleted successfully.
Folder C:\aoo deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
gotaget
21. January 2007 @ 18:22
Logfile of HijackThis v1.99.1
Scan saved at 11:20:12 PM, on 1/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
Senior Member
22. January 2007 @ 00:51
Fix this with HijackThis:
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)

How are things? Any more problems or symptoms?
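The reply above singles out an O20 Winlogon Notify entry whose DLL no longer exists. As an added example (not from this thread and not HijackThis's own code), here is a small Python parser for HijackThis-style log lines that flags autostart entries pointing at files the scanner could not find; the sample log is constructed from entries posted in this thread, and the section list is an assumption about which codes count as autostart.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on the entries posted above
# (the O20 rpcc line is the one the reply says to fix).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HijackThis entry starts with a section code (O4, O20, O23, R0, F2, ...)
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Suffixes HijackThis appends when the referenced file does not exist on disk
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Assumed set of sections that run code automatically at boot or logon
AUTOSTART_SECTIONS = {"F2", "O4", "O20", "O23"}


@dataclass
class Entry:
    section: str
    body: str
    orphaned: bool  # True when the entry points at a file HijackThis could not find


def parse_hjt(text: str) -> list[Entry]:
    """Parse entry lines; header, process list and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            body = m.group("body")
            entries.append(Entry(m.group("section"), body, body.endswith(ORPHAN_MARKERS)))
    return entries


def orphaned_autostarts(text: str) -> list[Entry]:
    """Autostart entries whose target is gone: leftovers of removed malware or
    broken installs that are still registered to run and can be cleaned up."""
    return [e for e in parse_hjt(text) if e.orphaned and e.section in AUTOSTART_SECTIONS]


if __name__ == "__main__":
    for e in orphaned_autostarts(SAMPLE_LOG):
        print(f"fix: {e.section} - {e.body}")
```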

gotaget
Suspended due to non-functional email address
22. January 2007 @ 04:52
I still can't get into the CONTROL PANEL.
It keeps telling me that RUNDLL IS MISSING.
  © 1999-2025 by AfterDawn Ltd.