• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Dudey

Log File Help Needed Please

37 posts in this topic

Hi

 

After getting a trojan virus I have tried AVG, nanoscan, windows defender, spybot s&d and adaware but I'm still getting IE pop ups and the odd redirection on Firefox. Also when I start the system the syst32 host if closing.

 

Here's my log file. Any help is greatly appreciated

 

Logfile of HijackThis v1.99.1

Scan saved at 19:25:57, on 26/05/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\knjcdaif.dll",realset

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hello,

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Disable Microsoft Windows Defender:

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

 

Click on Fix Checked when finished and exit HijackThis.

 

Restart the computer normally.

 

Enable Microsoft Windows Defender.

 

Please download FixWareout from this site:

http://downloads.subratam.org/Fixwareout.exe

 

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

 

When your system reboots, follow the prompts. Afterwards, HijackThis will launch clos it if it does.

 

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

 

Let me know what problem remains.

 

p.s.

When replying to your topic, please use the t_reply.gif button.

Share this post


Link to post
Share on other sites

Hi thanks for your help.

 

This is the report.txt

 

 

Fixwareout Last edited 5/15/2007

Post this report in the forums please

...

»»»»»Prerun check

 

»»»»»

 

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

....

»»»»» Misc files.

....

»»»»» Checking for older varients.

....

 

Search five digit cs, dm, kd, jb, other, files.

The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

 

 

Click browse, find the file then click submit.

http://www.virustotal.com/flash/index_en.html

Or http://virusscan.jotti.org/

 

»»»»» Other

 

»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"

"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

"SkyTel"="SkyTel.EXE"

"Control Center"="C:\\Program Files\\ASUS\\WLAN Card Utilities\\Center.exe"

"Motive SmartBridge"="C:\\PROGRA~1\\BTHOME~1\\Help\\SMARTB~1\\BTHelpNotifier.exe"

"btbb_wcm_McciTrayApp"="C:\\Program Files\\btbb_wcm\\McciTrayApp.exe"

"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"TomTomHOME.exe"="\"C:\\Program Files\\TomTom HOME\\TomTomHOME.exe\" -s"

"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

"Genuine"="rundll32.exe \"C:\\WINDOWS\\system32\\mcwdvqfc.dll\",realset"

"RTHDCPL"="RTHDCPL.EXE"

"SoundMan"="SOUNDMAN.EXE"

"AlcWzrd"="ALCWZRD.EXE"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"Yahoo! Pager"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe -quiet"

"eyeBeam SIP Client"="\"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe\""

"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

 

And here is the Hijack this text file

 

Logfile of HijackThis v1.99.1

Scan saved at 18:12:40, on 03/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\mcwdvqfc.dll",realset

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

 

 

When i restarted after running fixwareout I had to run the dnsbank.reg script in order to get access to the internet. A message is still coming up on start up advising that Syst32 generic host has an error and needs to close. I also have to uninstall and reinstall the driver for the soundcard on each restart.

 

Thanks again.

Edited by Dudey

Share this post


Link to post
Share on other sites

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Syst32 generic host has an error and needs to close

I'm unable to find any such error message. Please post the exeact error.

 

Disable Microsoft Windows Defender:

 

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

 

After all of the fixes are complete it is very important that you enable Real-time Protection again.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\mcwdvqfc.dll",realset

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete this files in bold if found.

C:\WINDOWS\system32\mcwdvqfc.dll

 

Restart the computer normally to reset the registry.

 

Enable Microsoft Windows Defender.

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.cvs report.

 

Include a fresh HijackThis log for review.

 

Let me know what problem persist.

Share this post


Link to post
Share on other sites

DrWeb

 

euxxkjwh.dll;c:\windows\system32;Adware.Crew;Incurable.Will be deleted after reboot.;

gebya.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;

jfaasndu.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;

format.asap;C:\Program Files\ASAP Utilities;W97M.Iseng;Cured.;

A0005408.dll;C:\System Volume Information\_restore{2F37A65E-A13E-48D5-9C0E-3B25543AFD98}\RP14;Trojan.Virtumod;Deleted.;

aonddywq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;

euxxkjwh.dll;C:\WINDOWS\system32;Adware.Crew;Incurable.Will be deleted after reboot.;

gebya.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;

ghcilfpx.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;

jfaasndu.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;

kikjguva.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;

mcwdvqfc.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;

ssttt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;

 

 

Hijackthis:

 

Logfile of HijackThis v1.99.1

Scan saved at 18:04:54, on 04/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ghcilfpx.dll",realset

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

 

 

On start up I got the following error:

 

Error loading C:\WINDOWS\system32\ghcilpx.dll

Specified module could not be found

 

I again got the error mentioned above:

 

Generic Host Process for Win32 Services encountered a problem and needs to close (followed by standard error reporting script)

 

So far I have not experienced any pop up or redirects in IE, but have had one pop up in Firefox.

 

Thanks for your continued efforts.

Share this post


Link to post
Share on other sites

Let see what the registry will show up.

 

Download the Registry Search Tool from here:

http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

 

Unzip to your Desktop and double click on regsrch.vbs

(if you have script protection, please allow this to run)

 

In the dialog that opens enter the following:

ghcilpx

 

Press 'OK'

 

The search will run for a while then alert you when it is finished.

 

Press 'OK' and copy the contents of the WordPad window and post in this thread.

Share this post


Link to post
Share on other sites

Search completed in 23 seconds.

 

No instances of "ghcilpx" found.

 

I clicked OK and there was no wordpad text.

Share this post


Link to post
Share on other sites

If after the next restart you still get this error, let me see the result of this scan.

 

Download this file - combofix.exe

 

and save it to your desktop (Important). Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

 

"%userprofile%\desktop\combofix.exe"

 

Boot into safe mode by tapping the F8 key just before Windows starts to load.

 

go to start --> run and copy/paste in the following:

 

"%userprofile%\desktop\combofix.exe"

 

When finished, it shall produce a log for you. Save it and post that log in your next reply.

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

In your next post, please include

  • new hijackthis log
  • combofix log

 

*use separate posts to ensure the logs don't get cut off!

 

 

 

Share this post


Link to post
Share on other sites

Comboifx text:

 

"Administrator" - 2007-06-04 21:56:31 Service Pack 2 NTFS [sAFE MODE]

ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Administrator\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\nqtsysbj.dll

C:\WINDOWS\system32\aybeg.bak1

C:\WINDOWS\system32\aybeg.bak2

C:\WINDOWS\system32\aybeg.ini

C:\WINDOWS\system32\aybeg.bak1

C:\WINDOWS\system32\aybeg.bak2

C:\WINDOWS\system32\aybeg.ini

C:\WINDOWS\system32\gebya.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

C:\WINDOWS\system32\gebya.dll

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\ADMINI~1\Desktop.\internet explorer.lnk

 

 

((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))

 

 

2007-06-04 17:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb

2007-06-04 17:12 2,580 --a------ C:\WINDOWS\system32\ujkibanx.exe

2007-06-03 17:58 8,133 --a------ C:\dnsbak.reg

2007-06-03 17:13 2,580 --a------ C:\WINDOWS\system32\yucjddhw.exe

2007-06-02 17:18 2,580 --a------ C:\WINDOWS\system32\bjklcekg.exe

2007-05-28 17:34 <DIR> d-------- C:\Program Files\DivX

2007-05-27 16:36 <DIR> d-------- C:\29_tomtom_voices

2007-05-25 16:16 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft

2007-05-25 16:10 <DIR> d-------- C:\Program Files\Lavasoft

2007-05-25 16:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-05-24 20:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Help

2007-05-24 20:30 <DIR> d-------- C:\Program Files\Security Task Manager

2007-05-24 20:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan

2007-05-24 18:25 <DIR> d-------- C:\Program Files\Windows Defender

2007-05-24 14:37 <DIR> d-------- C:\WINDOWS\system32\Panda Software

2007-05-24 14:01 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-05-22 22:58 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2007-05-22 21:08 75,544 --a------ C:\WINDOWS\system32\cdm.dll

2007-05-22 21:08 465,176 --a------ C:\WINDOWS\system32\wuapi.dll

2007-05-22 21:08 43,352 --a------ C:\WINDOWS\system32\wups2.dll

2007-05-22 21:08 33,624 --a------ C:\WINDOWS\system32\wups.dll

2007-05-22 21:08 173,536 --a------ C:\WINDOWS\system32\wuweb.dll

2007-05-22 21:08 127,256 --a------ C:\WINDOWS\system32\wucltui.dll

2007-05-22 21:08 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-05-22 21:08 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-05-22 21:08 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution

2007-05-22 13:23 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll

2007-05-22 13:23 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll

2007-05-22 13:23 <DIR> d-------- C:\Program Files\ffdshow

2007-05-20 13:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6

2007-05-19 11:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-05-19 11:48 262,708 --------- C:\WINDOWS\system32\gebya.dll

2007-05-19 11:44 <DIR> d-------- C:\Program Files\BrickShooter

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-04 18:27:13 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent

2007-05-28 16:34:31 3,618 ----a-w C:\WINDOWS\mozver.dat

2007-05-28 11:11:03 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\FrostWire

2007-05-27 15:36:29 -------- d-----w C:\Program Files\TomTom HOME

2007-05-24 16:48:01 -------- d-----w C:\Program Files\Absolute Poker

2007-04-29 16:12:10 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-29 16:11:45 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield

2007-04-09 11:14:34 -------- d-----w C:\Program Files\_uninstallation_info

2007-04-06 18:56:46 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat

2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2007-03-09 00:02:00 75,512 ----a-w C:\WINDOWS\zllsputility.exe

2007-03-09 00:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll

2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:48:36 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2005-12-07 17:06]

{02BE5F94-6F11-46E5-9E61-F6E5111843EC}=C:\WINDOWS\system32\gebya.dll [2007-05-19 11:48]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 12:39]

{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 10:55]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 18:07]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]

"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2005-09-13 22:55]

"Motive SmartBridge"="C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 19:52]

"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 11:22]

"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 13:03]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 19:27]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-19 11:09]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 07:27 C:\WINDOWS\RTHDCPL.exe]

"Alcmtr"="ALCMTR.EXE" [2005-05-03 11:43 C:\WINDOWS\Alcmtr.exe]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 18:11]

"eyeBeam SIP Client"="C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe" [2006-07-31 21:00]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

"NoSMMyDocs"=1 (0x1)

"NoSMMyPictures"=1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

"NoSMMyDocs"=1 (0x1)

"NoSMMyPictures"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebya]

C:\WINDOWS\system32\gebya.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgecc]

ljjgecc.dll

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18490960-f296-11db-ab88-0016e66387b2}]

AutoRun\command- F:\InstallTomTomHOME.exe

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-31 08:47:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-04 21:01:07 C:\WINDOWS\tasks\MP Scheduled Scan.job

 

**************************************************************************

 

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-04 22:01:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-04 22:03:37 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-04 22:03

 

--- E O F ---

Share this post


Link to post
Share on other sites

hijackthis text:

 

Logfile of HijackThis v1.99.1

Scan saved at 22:07:20, on 04/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

 

Still getting generic host for win32 error message. Still getting soundcard driver corrupted.

 

Thanks very much for all this.

Share this post


Link to post
Share on other sites

; Purpose: Remove traces in the registry.

;

; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.

;

; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebya]

 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgecc]

 

 

; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

 

If you need help on "How to Make a .Reg File"

See: http://www.nellie2.co.uk/file.htm

 

=*=

 

Delete these files in bold.

 

C:\dnsbak.reg

C:\WINDOWS\system32\ujkibanx.exe

C:\WINDOWS\system32\yucjddhw.exe

C:\WINDOWS\system32\bjklcekg.exe

 

Restart the computer normally.

 

Submit a fresh HijackThis log. Let me know if still getting the error message.

Share this post


Link to post
Share on other sites

Okay. I did as you instructed but I was unable to find the three files you listed for C:\WINDOWS\system32.

 

I restarted and got the normal error message as well as the following

 

"Error loading C:\WINDOWS\system32\7251036.dll Access Denied"

 

AVG is detecting a threat in the .dll although it seems to think it has healed it.

 

I am still having to reinstall the driver for my sound card after each restart.

 

Thanks very much

 

 

Hijack this to follow.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 17:57:53, on 05/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [j7251036] rundll32 C:\WINDOWS\system32\j7251036.dll sook

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\xmgccmab.dll",realset

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Share this post


Link to post
Share on other sites

 

Download this file - combofix.exe

 

and save it to your desktop (Important). Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

 

"%userprofile%\desktop\combofix.exe"

 

Boot into safe mode by tapping the F8 key just before Windows starts to load.

 

go to start --> run and copy/paste in the following:

 

"%userprofile%\desktop\combofix.exe"

 

When finished, it shall produce a log for you. Save it and post that log in your next reply.

 

Note:

 

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

In your next post, please include

  • new hijackthis log
  • combofix log

 

*use separate posts to ensure the logs don't get cut off!

 

Share this post


Link to post
Share on other sites

I again got the generic host syst32 error.

The sound card driver was again corrupt.

 

logs to follow

Share this post


Link to post
Share on other sites

32"Administrator" - 2007-06-05 19:29:12 Service Pack 2 NTFS [sAFE MODE]

ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Administrator\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\aybeg.bak2

C:\WINDOWS\system32\aybeg.ini

C:\WINDOWS\system32\gebya.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

C:\WINDOWS\system32\gebya.dll

 

((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))

 

 

2007-06-05 17:16 131,124 --a------ C:\WINDOWS\system32\xmgccmab.dll

2007-06-05 17:13 14,868 --a------ C:\WINDOWS\system32\legjtkkp.exe

2007-06-04 22:03 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-04 17:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb

2007-05-28 17:34 <DIR> d-------- C:\Program Files\DivX

2007-05-27 16:36 <DIR> d-------- C:\29_tomtom_voices

2007-05-25 16:16 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft

2007-05-25 16:10 <DIR> d-------- C:\Program Files\Lavasoft

2007-05-25 16:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-05-24 20:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Help

2007-05-24 20:30 <DIR> d-------- C:\Program Files\Security Task Manager

2007-05-24 20:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan

2007-05-24 18:25 <DIR> d-------- C:\Program Files\Windows Defender

2007-05-24 14:37 <DIR> d-------- C:\WINDOWS\system32\Panda Software

2007-05-24 14:01 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-05-22 22:58 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2007-05-22 21:08 75,544 --a------ C:\WINDOWS\system32\cdm.dll

2007-05-22 21:08 465,176 --a------ C:\WINDOWS\system32\wuapi.dll

2007-05-22 21:08 43,352 --a------ C:\WINDOWS\system32\wups2.dll

2007-05-22 21:08 33,624 --a------ C:\WINDOWS\system32\wups.dll

2007-05-22 21:08 173,536 --a------ C:\WINDOWS\system32\wuweb.dll

2007-05-22 21:08 127,256 --a------ C:\WINDOWS\system32\wucltui.dll

2007-05-22 21:08 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-05-22 21:08 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-05-22 21:08 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution

2007-05-22 13:23 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll

2007-05-22 13:23 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll

2007-05-22 13:23 <DIR> d-------- C:\Program Files\ffdshow

2007-05-20 13:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6

2007-05-19 11:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-05-19 11:48 262,708 --------- C:\WINDOWS\system32\gebya.dll

2007-05-19 11:44 <DIR> d-------- C:\Program Files\BrickShooter

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-04 18:27:13 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent

2007-05-28 16:34:31 3,618 ----a-w C:\WINDOWS\mozver.dat

2007-05-28 11:11:03 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\FrostWire

2007-05-27 15:36:29 -------- d-----w C:\Program Files\TomTom HOME

2007-05-24 16:48:01 -------- d-----w C:\Program Files\Absolute Poker

2007-04-29 16:12:10 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-29 16:11:45 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield

2007-04-09 11:14:34 -------- d-----w C:\Program Files\_uninstallation_info

2007-04-06 18:56:46 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat

2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2007-03-09 00:02:00 75,512 ----a-w C:\WINDOWS\zllsputility.exe

2007-03-09 00:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll

2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:48:36 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2005-12-07 17:06]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 12:39]

{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 10:55]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{9F0D4C14-EA18-45EB-8354-B0D7907B9666}=C:\WINDOWS\system32\gebya.dll [2007-05-19 11:48]

{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 18:07]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]

"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2005-09-13 22:55]

"Motive SmartBridge"="C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 19:52]

"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 11:22]

"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 13:03]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 19:27]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-19 11:09]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 07:27 C:\WINDOWS\RTHDCPL.exe]

"Alcmtr"="ALCMTR.EXE" [2005-05-03 11:43 C:\WINDOWS\Alcmtr.exe]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 18:11]

"eyeBeam SIP Client"="C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe" [2006-07-31 21:00]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

"NoSMMyDocs"=1 (0x1)

"NoSMMyPictures"=1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

"NoSMMyDocs"=1 (0x1)

"NoSMMyPictures"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebya]

C:\WINDOWS\system32\gebya.dll

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18490960-f296-11db-ab88-0016e66387b2}]

AutoRun\command- F:\InstallTomTomHOME.exe

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-31 08:47:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-05 18:33:35 C:\WINDOWS\tasks\MP Scheduled Scan.job

 

**************************************************************************

 

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-05 19:34:00

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-05 19:36:39 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-05 19:36

C:\ComboFix2.txt ... 2007-06-04 22:03

 

--- E O F ---

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 19:38:46, on 05/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

C:\WINDOWS\system32\notepad.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Share this post


Link to post
Share on other sites

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

 

2. Copy all the text in Bold contained in the code box below (including the first line, which is a command to the tool Files to delete: to your Clipboard by highlighting it and pressing (Ctrl+C):

 

Files to delete:

 

C:\WINDOWS\system32\xmgccmab.dll

C:\WINDOWS\system32\legjtkkp.exe

C:\WINDOWS\system32\gebya.dll

 

Registry keys to Delete:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F0D4C14-EA18-45EB-8354-B0D7907B9666}

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebya

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log by using Add/Reply.

Share this post


Link to post
Share on other sites

This time I had the error message "C:\WINDOWS\system32\8244130.dll Access Denied"

Again I had the same issue with the generic host process for syst32

Again the sound card driver corrupted.

 

 

Logs to follow.

Share this post


Link to post
Share on other sites

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\sdmxgvxn

 

*******************

 

Script file located at: \??\C:\WINDOWS\system32\duyrkcya.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

File C:\WINDOWS\system32\xmgccmab.dll deleted successfully.

File C:\WINDOWS\system32\legjtkkp.exe deleted successfully.

File C:\WINDOWS\system32\gebya.dll deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F0D4C14-EA18-45EB-8354-B0D7907B9666} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebya deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 18:00:18, on 06/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [j8241130] rundll32 C:\WINDOWS\system32\j8241130.dll sook

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\owywqtoh.dll",realset

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Share this post


Link to post
Share on other sites

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

 

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :


  •  

  • Restart your computer
     

  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
     

  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
     

  • Select the first option, to run Windows in Safe Mode, then press Enter.
     

  • Choose your usual account.
     


  •  

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
     

  • Type Y to begin the cleanup process.
     

  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
     

  • Press any Key and it will restart the PC.
     

  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
     

  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
     
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
     

  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     

 

Share this post


Link to post
Share on other sites

SDFix: Version 1.87

 

Run by Administrator - 07/06/2007 - 14:32:40.26

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

 

Safe Mode:

Checking Services:

 

 

 

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Missing SharedAccess Service

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

C:\WINDOWS\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

Checking if ADS is attached to ntoskrnl.exe

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

Remaining Files:

---------------

 

 

Listing Files with Hidden Attributes:

 

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

 

Listing User Accounts:

 

User accounts for \\SPUMCO-C54BBD2C

 

Administrator Carl Guest

HelpAssistant SUPPORT_388945a0 User

 

 

Finished

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 14:46:36, on 07/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\owywqtoh.dll",realset

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Share this post


Link to post
Share on other sites

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Looking much better.

 

Disable Microsoft Windows Defender:

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

 

[*]Please set your system to show all files;

To delete the files/folders in the next steps, you may need to show hidden Files/Folders: How to.

At the end of the fix you can return the files to hidden status if you want..

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\owywqtoh.dll",realset

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete this file in bold if found.

 

C:\WINDOWS\system32\owywqtoh.dll

 

Restart the computer normally to reset the registry.

 

Enable Windows Defender.

 

Submit a fresh HijackThis log and let me know what problem remains.

Share this post


Link to post
Share on other sites

Glad to hear things are looking better.

 

I still got the 'generic host for syst32' error and the problem with the soundcard driver.

 

I was unable to delete C:\WINDOWS\system32\owywqtoh.dll. Access Denied.

 

Hijack this log:

 

Logfile of HijackThis v1.99.1

Scan saved at 15:24:48, on 07/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\system32\dumprep.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Share this post


Link to post
Share on other sites

Something is mutating.

 

Restart the computer normally.

 

Please download Deckard's System Scanner (DSS)

 

1. Download Deckard's System Scanner (DSS) to your Desktop

 

http://www.techsupportforum.com/sectools/Deckard/dss.exe (or other convenient location).

 

2. Close any open applications and windows.

 

3. Double-click on dss.exe to run it, and follow the prompts.

 

4. When the scan is complete, a text file will open - main.txt

 

5. Copy the text from that log and paste it into your post.

 

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet. Please allow it permission to do so.

 

p.s. Do not restart your computer until I have seen your log and suggested a Fix, otherwise the file name may not be the same and the fix will not work.

 

Share this post


Link to post
Share on other sites

Deckard's System Scanner v20070603.47

Run by Administrator on 2007-06-07 at 19:15:05

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Failed to create restore point; System Restore is disabled (service is not running).

 

 

-- Last 5 Restore Point(s) --

10: 2007-06-06 18:37:13 UTC - RP17 - System Checkpoint

9: 2007-06-05 10:43:45 UTC - RP16 - System Checkpoint

8: 2007-06-03 19:57:51 UTC - RP15 - System Checkpoint

7: 2007-06-02 15:13:09 UTC - RP14 - System Checkpoint

6: 2007-06-01 00:41:28 UTC - RP13 - System Checkpoint

 

 

-- First Restore Point --

1: 2007-05-26 12:43:04 UTC - RP8 - System Checkpoint

 

 

Backed up registry hives.

 

Performed disk cleanup.

 

 

-- HijackThis (run as Administrator.exe) ---------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 19:15:44, on 07/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\Desktop\dss.exe

C:\PROGRA~1\HIJACK~1\Administrator.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

 

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

 

backup-20070603-175645-153 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

backup-20070603-175645-569 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

backup-20070603-175645-687 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

backup-20070603-175645-717 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

backup-20070603-175645-815 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

backup-20070603-175645-822 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

backup-20070603-175645-864 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

backup-20070603-175645-937 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

backup-20070603-175645-954 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

backup-20070604-171625-165 O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\mcwdvqfc.dll",realset

backup-20070604-171625-684 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

backup-20070607-152030-648 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

backup-20070607-152030-858 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

backup-20070607-152030-869 O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\owywqtoh.dll",realset

backup-20070607-152030-952 O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

 

-- File Associations -----------------------------------------------------------

 

All associations okay.

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>

R3 ASNDIS5 (ASNDIS5 Protocol Driver) - c:\windows\system32\asndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

R3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

S2 ASWLSVC - c:\windows\system32\aswlsvc.exe (file missing)

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2007-06-07 19:15:33 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

2007-06-07 09:47:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

 

 

-- Files created between 2007-05-07 and 2007-06-07 -----------------------------

 

2007-06-07 14:57:16 0 d-------- C:\Program Files\MegaSpoof

2007-06-06 17:56:19 0 d-------- C:\avenger

2007-06-06 17:15:40 131124 --a------ C:\WINDOWS\system32\owywqtoh.dll

2007-06-06 17:12:40 14868 --a------ C:\WINDOWS\system32\uepdyigh.exe

2007-06-06 17:12:15 1016625 ---hs---- C:\WINDOWS\system32\aybeg.bak2

2007-06-04 17:18:58 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb

2007-05-28 17:34:26 0 d-------- C:\Program Files\DivX

2007-05-27 16:36:00 0 d-------- C:\29_tomtom_voices

2007-05-25 16:16:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft

2007-05-25 16:10:46 0 d-------- C:\Program Files\Lavasoft

2007-05-25 16:10:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-05-24 20:37:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help

2007-05-24 20:30:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan

2007-05-24 20:30:38 0 d-------- C:\Program Files\Security Task Manager

2007-05-24 18:25:33 0 d-------- C:\Program Files\Windows Defender

2007-05-24 14:37:27 0 d-------- C:\WINDOWS\system32\Panda Software

2007-05-24 14:01:16 0 d-------- C:\Program Files\Enigma Software Group

2007-05-22 21:08:34 0 d-------- C:\WINDOWS\system32\SoftwareDistribution

2007-05-22 13:23:15 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >

2007-05-22 13:23:15 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll

2007-05-22 13:23:14 0 d-------- C:\Program Files\ffdshow

2007-05-20 13:04:30 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6

2007-05-19 11:55:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-05-19 11:44:26 0 d-------- C:\Program Files\BrickShooter

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-06-07 08:29:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7

2007-06-04 19:27:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent

2007-05-28 17:34:31 3618 --a------ C:\WINDOWS\mozver.dat

2007-05-28 12:11:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\FrostWire

2007-05-27 16:36:29 0 d-------- C:\Program Files\TomTom HOME

2007-05-24 17:48:01 0 d-------- C:\Program Files\Absolute Poker

2007-05-09 16:31:54 0 d-------- C:\Program Files\Java

2007-04-29 17:12:10 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-04-29 17:11:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield

2007-04-14 11:43:49 0 d-------- C:\Program Files\Common Files\Adobe

2007-04-06 19:56:46 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

 

 

-- Registry Dump ---------------------------------------------------------------

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll

{65D886A2-7CA7-479B-BB95-14D1EFB7946A} C:\Program Files\Yahoo!\Common\YIeTagBm.dll

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SkyTel"="SkyTel.EXE"

"Control Center"="C:\\Program Files\\ASUS\\WLAN Card Utilities\\Center.exe"

"Motive SmartBridge"="C:\\PROGRA~1\\BTHOME~1\\Help\\SMARTB~1\\BTHelpNotifier.exe"

"btbb_wcm_McciTrayApp"="C:\\Program Files\\btbb_wcm\\McciTrayApp.exe"

"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"TomTomHOME.exe"="\"C:\\Program Files\\TomTom HOME\\TomTomHOME.exe\" -s"

"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

"RTHDCPL"="RTHDCPL.EXE"

"Alcmtr"="ALCMTR.EXE"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"Yahoo! Pager"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe -quiet"

"eyeBeam SIP Client"="\"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe\""

"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"nltide3"=hex(2):63,6d,64,2e,65,78,65,20,2f,43,20,72,75,6e,64,6c,6c,33,32,20,\

61,64,76,70,61,63,6b,2e,64,6c,6c,2c,4c,61,75,6e,63,68,49,4e,46,53,65,63,74,\

69,6f,6e,45,78,20,6e,4c,69,74,65,2e,69,6e,66,2c,43,2c,2c,34,2c,4e,00

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=dword:00000001

"NoSMMyDocs"=dword:00000001

"NoSMMyPictures"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=dword:00000001

"NoSMMyDocs"=dword:00000001

"NoSMMyPictures"=dword:00000001

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18490960-f296-11db-ab88-0016e66387b2}]

Shell\AutoRun\command F:\InstallTomTomHOME.exe

 

 

-- End of Deckard's System Scanner: finished at 2007-06-07 at 19:16:19 ---------

Share this post


Link to post
Share on other sites

I don't know how relevant this point is, but system restore is running on my PC. Or at least it appears to be.

Share this post


Link to post
Share on other sites

If you already have this Avenger tool, just follow the instructions.

 

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text in Bold contained in the code box below (including the first line, which is a command to the tool Files to delete: to your Clipboard by highlighting it and pressing (Ctrl+C):

 

Files to Delete:

 

C:\WINDOWS\system32\owywqtoh.dll

C:\WINDOWS\system32\uepdyigh.exe

C:\WINDOWS\system32\aybeg.bak2

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log by using Add/Reply.

Share this post


Link to post
Share on other sites

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\fgvqjdav

 

*******************

 

Script file located at: \??\C:\WINDOWS\system32\mwsnjesw.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

File C:\WINDOWS\system32\owywqtoh.dll deleted successfully.

File C:\WINDOWS\system32\uepdyigh.exe deleted successfully.

File C:\WINDOWS\system32\aybeg.bak2 deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 08:04:53, on 08/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\TomTom HOME\TomTomHOME.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\WINDOWS\system32\notepad.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asw.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Share this post


Link to post
Share on other sites

Nice Work your log is clean.

 

Please read this Prevention page with lots of info and tips how to prevent this in the future.

 

http://users.telenet.be/bluepatchy/miekiem...prevention.html

 

 

Reset your computer restore point, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has

 

administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

1. Turn OFF System Restore.

 

On the Desktop, right-click My Computer.

 

Click Properties.

 

Click the System Restore tab.

 

Check Turn off System Restore.

 

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

 

On the Desktop, right-click My Computer.

 

Click Properties.

 

Click the System Restore tab.

 

UN-Check *Turn off System Restore*.

 

Click Apply, and then click OK.

 

Share this post


Link to post
Share on other sites

Awesome!

 

I am still getting the generic host for syst32 error and I am having to reinstall the driver for my soundcard on every restart.

 

Is this not related to the issue I have had with the trojan?

 

Thanks for all your efforts, I'll make a donation on payday.

Share this post


Link to post
Share on other sites

Something is generating that error.

 

Generic Host Process for Win32 Services encountered

 

 

 

Go to Google.com and search for this sting"Generic Host Process for Win32 Services encountered."

 

 

 

You may be able to find out what may be the cause.

 

 

 

If you need any further help let me know what you have tried.

Share this post


Link to post
Share on other sites

Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0