Join Date: Feb 2004
Location: Oztralya
Posts: 8,310
Reputation:
Rep Power: 23
Solved Threads: 491
Maybe Smitfraudfix has not been updated?
Please download VundoFix.exe
to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.
=============================
A. Please RUN HijackThis
- Click the SCAN button to produce a log.
- Place a check mark beside each one of the following items:
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tekyjnll.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\cbxwttu.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tekyjnll.dll
O4 - HKLM\..\Run: [40b0045d] rundll32.exe "C:\WINDOWS\system32\mihotder.dll",b
O4 - Global Startup: SnapDetect.lnk = ?
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O20 - Winlogon Notify: cbxwttu - C:\WINDOWS\SYSTEM32\cbxwttu.dll
O20 - Winlogon Notify: tekyjnll - C:\WINDOWS\SYSTEM32\tekyjnll.dll
- Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad
- Click Start, then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\SYSTEM32\cbxwttu.dll
C:\WINDOWS\SYSTEM32\tekyjnll.dll
C:\WINDOWS\system32\mihotder.dll
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://i5.photobucket.com/albums/y15...1/CFScript.gif
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
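Once the new HijackThis log requested in step 5 comes back, the fix list from step A and the files named in the CFScript can be checked against it mechanically. The Python below is an added example, not part of the original post and not code from HijackThis or ComboFix; the function names are hypothetical, the sample lines are copied from this thread, and it assumes one path per line under `File::`.

```python
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NAME_RE = re.compile(r"\[([^\]]+)\]")                      # Run value name
FILE_RE = re.compile(r"[\w.~-]+\.(?:dll|exe)\b", re.I)     # basenames only
ORPHAN_MARKS = ("(no file)", "(file missing)")
# Sections where an entry with no backing file is worth a second look (assumption).
REVIEW_SECTIONS = {"R3", "O2", "O3", "O20"}

@dataclass(frozen=True)
class Entry:
    section: str
    ident: str       # CLSID, Run value name, or entry name
    files: tuple     # lower-cased basenames referenced by the entry
    orphaned: bool   # HijackThis reports no file behind the entry
    raw: str

def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    section, body = m.groups()
    clsid, name = CLSID_RE.search(body), NAME_RE.search(body)
    if clsid:
        ident = clsid.group(0).upper()
    elif name:
        ident = name.group(1).lower()
    else:  # "Winlogon Notify: cbxwttu - <target>" -> "cbxwttu"
        ident = body.split(": ", 1)[-1].split(" - ", 1)[0].strip().lower()
    files = tuple(f.lower() for f in FILE_RE.findall(body))
    return Entry(section, ident, files, any(k in body for k in ORPHAN_MARKS), line.strip())

def cfscript_files(script: str) -> set:
    """Basenames listed under the File:: directive of a CFScript."""
    names, in_files = set(), False
    for line in (l.strip() for l in script.splitlines()):
        if line.endswith("::"):
            in_files = line.lower() == "file::"
        elif in_files and line:
            names.add(line.rsplit("\\", 1)[-1].lower())
    return names

def review(fix_list: str, followup_log: str, targets: set) -> dict:
    fixed = {(e.section, e.ident) for e in map(parse_entry, fix_list.splitlines()) if e}
    after = [e for e in map(parse_entry, followup_log.splitlines()) if e]
    return {
        # entries that were ticked for fixing but are still in the new log
        "persisting": [e.raw for e in after if (e.section, e.ident) in fixed],
        # entries that still point at a file the CFScript was meant to delete
        "still_references_target": [e.raw for e in after if set(e.files) & targets],
        # orphaned loading points that were not on the fix list at all
        "new_orphans": [e.raw for e in after if e.orphaned
                        and e.section in REVIEW_SECTIONS
                        and (e.section, e.ident) not in fixed],
    }

# Sample data copied from this thread (fix list, CFScript, later HijackThis log).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\tekyjnll.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\cbxwttu.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tekyjnll.dll
O4 - HKLM\..\Run: [40b0045d] rundll32.exe "C:\WINDOWS\system32\mihotder.dll",b
O20 - Winlogon Notify: cbxwttu - C:\WINDOWS\SYSTEM32\cbxwttu.dll
O20 - Winlogon Notify: tekyjnll - C:\WINDOWS\SYSTEM32\tekyjnll.dll
"""
CFSCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\cbxwttu.dll
C:\WINDOWS\SYSTEM32\tekyjnll.dll
C:\WINDOWS\system32\mihotder.dll
"""
FOLLOWUP_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BD0E6A2A-DD4C-4879-85D5-85C32012783D} - C:\WINDOWS\system32\gebyx.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: cbxwttu - cbxwttu.dll (file missing)
"""

if __name__ == "__main__":
    result = review(FIX_LIST, FOLLOWUP_LOG, cfscript_files(CFSCRIPT))
    for bucket, lines in result.items():
        print(bucket)
        for line in lines:
            print("   ", line)
```

A "(file missing)" entry means the registry loading point survived even though the file is gone, so it still needs to be fixed in HijackThis; entries in `new_orphans` are candidates for review, not confirmed malware.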
Join Date: Nov 2005
Posts: 30
Reputation:
Rep Power: 4
Solved Threads: 0
Ok, I've run everything that you previously posted. One thing to note: None of the entries that were indicated for deletion from the HiJackThis log which contained the tekyjnll.dll tag (3 items total) were in the HJT log after running the vundofix. I have to assume this is normal.
ComboFix log:
ComboFix 07-11-08.3 - Dad 2007-11-17 23:09:23.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.496 [GMT -5:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\SYSTEM32\cbxwttu.dll
C:\WINDOWS\system32\mihotder.dll
C:\WINDOWS\SYSTEM32\tekyjnll.dll
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Dad\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Dad\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Dad\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\SYSTEM32\cbxwttu.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\mihotder.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.
2007-11-17 22:11 <DIR> d-------- C:\VundoFix Backups
2007-11-17 07:20 4,772 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-16 20:49 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-16 18:11 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Land Of Runes
2007-11-16 18:10 <DIR> d-------- C:\Program Files\Land of Runes
2007-11-16 14:34 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Grisoft
2007-11-16 09:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 19:03 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\Grisoft
2007-11-15 19:02 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-15 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-15 13:45 12,288 --a------ C:\WINDOWS\system32\impborl.dll
2007-11-15 11:49 36,352 --a------ C:\WINDOWS\system32\xxywxxy.dll
2007-11-15 11:49 36,352 --a------ C:\WINDOWS\system32\gebxxxy.dll
2007-11-15 06:57 36,352 --a------ C:\WINDOWS\system32\efcdbay.dll
2007-11-14 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\The Learning Company
2007-11-14 18:55 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-14 18:54 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-14 18:52 <DIR> d-------- C:\WINDOWS\system32\rMa18yy
2007-11-14 18:52 36,352 --a------ C:\WINDOWS\system32\cbxusts.dll
2007-11-14 09:45 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\Wal-Mart Digital Photo Viewer
2007-11-13 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo
2007-11-12 13:28 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-11-12 13:28 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\ComcastToolbar
2007-11-12 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-11-12 13:27 <DIR> d-------- C:\Program Files\Comcast
2007-11-09 10:10 36,734 --a------ C:\WINDOWS\system32\OggDSuninst.exe
2007-11-09 09:00 <DIR> d-------- C:\Program Files\E-Pie Game
2007-11-09 07:48 <DIR> d-------- C:\Program Files\Diner Dash Hometown Hero
2007-11-07 20:09 <DIR> d-------- C:\Program Files\King Mania
2007-11-04 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-27 07:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Super X Studios
2007-10-26 13:17 <DIR> d-------- C:\Program Files\3DGroove
2007-10-25 06:35 <DIR> d-------- C:\DNData
2007-10-23 17:55 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\eGames
2007-10-23 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eGames
2007-10-23 17:48 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\COMCASTTOOLBAR
2007-10-23 07:12 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-23 07:12 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-10-23 07:10 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-23 07:10 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-23 07:10 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-23 07:10 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-23 07:10 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-23 07:10 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-23 07:09 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-23 07:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-23 07:08 <DIR> d-------- C:\Program Files\McAfee
2007-10-20 07:50 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-10-18 07:31 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SBTT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 18:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-15 12:17 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2007-11-15 00:16 --------- d-----w C:\Program Files\Valusoft
2007-11-10 21:35 --------- d-----w C:\Program Files\Google
2007-11-10 15:25 --------- d--h--r C:\Documents and Settings\Mom\Application Data\yahoo!
2007-11-10 15:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-10 13:45 --------- d-----w C:\Program Files\Java
2007-11-09 12:50 --------- d-----w C:\Documents and Settings\Dad\Application Data\PlayFirst
2007-11-09 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-11-08 12:56 --------- d-----w C:\Program Files\Big Kahuna Reef
2007-11-02 23:11 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-02 23:10 --------- d-----w C:\Program Files\Oberon Media
2007-10-23 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-22 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-10-22 18:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-22 18:30 --------- d-----w C:\Program Files\Kodak
2007-10-13 21:12 --------- d-----w C:\Program Files\iTunes
2007-10-13 21:12 --------- d-----w C:\Program Files\iPod
2007-10-13 21:07 --------- d-----w C:\Program Files\Apple Software Update
2007-10-13 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\FireGlow
2007-10-12 21:42 --------- d-----w C:\Documents and Settings\Dad\Application Data\Legends of pirates
2007-10-10 13:48 --------- d-----w C:\Program Files\Blue Squirrel
2007-10-04 23:59 --------- d-----w C:\Documents and Settings\Dad\Application Data\Wal-Mart Digital Photo Viewer
2007-10-04 00:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-02 22:37 --------- d-----w C:\Program Files\Aveyond
2007-10-02 22:33 --------- d-----w C:\Program Files\Adssite Advanced Toolbar
2007-10-02 22:32 --------- d-----w C:\Documents and Settings\Dad\Application Data\Adssite Advanced Toolbar
2007-09-24 20:11 --------- d-----w C:\Program Files\JoWood
2007-09-23 14:17 --------- d-----w C:\Documents and Settings\Dad\Application Data\Jane s Hotel
2007-09-23 14:16 --------- d-----w C:\Program Files\SmartDraw 2007
2007-09-16 19:32 286,720 ------w C:\WINDOWS\Setup1.exe
2007-09-16 19:31 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-09-14 18:51 192,512 ----a-w C:\WINDOWS\off-road-uninst.exe
2007-01-10 17:15 839,690 ----a-w C:\WINDOWS\Fonts\Crack.exe
2006-10-21 21:27 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-10-13 20:43 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-06-01 18:15:06 80 --sh--r C:\WINDOWS\system32\1F139F1F50.dll
.
((((((((((((((((((((((((((((( snapshot@2007-11-16_15.07.52.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-16 10:09:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-17 01:49:58 4,468,736 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-11-17 01:49:59 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-16 10:09:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-17 01:49:43 4,468,736 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-11-17 01:49:43 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD0E6A2A-DD4C-4879-85D5-85C32012783D}]
C:\WINDOWS\system32\gebyx.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-11 20:43]
"nwiz"="nwiz.exe" [2006-08-11 20:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-08-11 20:43]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 C:\WINDOWS\mixer.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTHelper"="CTHELPER.EXE" [2004-03-19 03:33 C:\WINDOWS\system32\CTHELPER.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 16:34]
"NWEReboot"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="D:\downloaded files\ouicktime4\qttask.exe" [2007-06-29 05:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 07:47]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 14:21]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwttu]
cbxwttu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeba.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
S3 IPCTYPE;IPCTYPE;\??\C:\Program Files\Pro-face\GP-Pro EX 2.00 E\IPCType.sys
S3 NMUSB;NMUSB;C:\WINDOWS\system32\drivers\nmusb.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\F:\NTGLM7X.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 13:28:56 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-23 12:09:47 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-23 12:09:46 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-18 04:26:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 23:27:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-17 23:31:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 19:18
C:\ComboFix3.txt ... 2007-11-17 09:40
.
--- E O F ---
HJT Log File (ran after ComboFix had completed).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:16 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Mom\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {BD0E6A2A-DD4C-4879-85D5-85C32012783D} - C:\WINDOWS\system32\gebyx.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloaded files\ouicktime4\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.9.1.3...mmon-en_US.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184682572500
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://www.gamehouse.com/realarcade-...esLauncher.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.15/ttinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/z...ploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://w1.webex.com/client/T23L/webex/ieatgpc.cab
O20 - Winlogon Notify: cbxwttu - cbxwttu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
--
End of file - 11055 bytes
As of the time of this posting, the system appears to be running pretty well. I am withholding final judgement until I see if the offending links and warnings begin showing up when I boot up in the morning.
2007-10-22 18:30 --------- d-----w C:\Program Files\Kodak
2007-10-13 21:12 --------- d-----w C:\Program Files\iTunes
2007-10-13 21:12 --------- d-----w C:\Program Files\iPod
2007-10-13 21:07 --------- d-----w C:\Program Files\Apple Software Update
2007-10-13 00:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\FireGlow
2007-10-12 21:42 --------- d-----w C:\Documents and Settings\Dad\Application Data\Legends of pirates
2007-10-10 13:48 --------- d-----w C:\Program Files\Blue Squirrel
2007-10-04 23:59 --------- d-----w C:\Documents and Settings\Dad\Application Data\Wal-Mart Digital Photo Viewer
2007-10-04 00:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-02 22:37 --------- d-----w C:\Program Files\Aveyond
2007-10-02 22:33 --------- d-----w C:\Program Files\Adssite Advanced Toolbar
2007-10-02 22:32 --------- d-----w C:\Documents and Settings\Dad\Application Data\Adssite Advanced Toolbar
2007-09-24 20:11 --------- d-----w C:\Program Files\JoWood
2007-09-23 14:17 --------- d-----w C:\Documents and Settings\Dad\Application Data\Jane s Hotel
2007-09-23 14:16 --------- d-----w C:\Program Files\SmartDraw 2007
2007-09-16 19:32 286,720 ------w C:\WINDOWS\Setup1.exe
2007-09-16 19:31 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-09-14 18:51 192,512 ----a-w C:\WINDOWS\off-road-uninst.exe
2007-01-10 17:15 839,690 ----a-w C:\WINDOWS\Fonts\Crack.exe
2006-10-21 21:27 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-10-13 20:43 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-06-01 18:15:06 80 --sh--r C:\WINDOWS\system32\1F139F1F50.dll
.
((((((((((((((((((((((((((((( snapshot@2007-11-16_15.07.52.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-16 10:09:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-17 01:49:58 4,468,736 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-11-17 01:49:59 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-16 10:09:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-17 01:49:43 4,468,736 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-11-17 01:49:43 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD0E6A2A-DD4C-4879-85D5-85C32012783D}]
C:\WINDOWS\system32\gebyx.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-11 20:43]
"nwiz"="nwiz.exe" [2006-08-11 20:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-08-11 20:43]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 C:\WINDOWS\mixer.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTHelper"="CTHELPER.EXE" [2004-03-19 03:33 C:\WINDOWS\system32\CTHELPER.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 16:34]
"NWEReboot"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="D:\downloaded files\ouicktime4\qttask.exe" [2007-06-29 05:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 07:47]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 14:21]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwttu]
cbxwttu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeba.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
S3 IPCTYPE;IPCTYPE;\??\C:\Program Files\Pro-face\GP-Pro EX 2.00 E\IPCType.sys
S3 NMUSB;NMUSB;C:\WINDOWS\system32\drivers\nmusb.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\F:\NTGLM7X.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 13:28:56 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-23 12:09:47 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-23 12:09:46 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-18 04:26:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 23:27:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-17 23:31:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 19:18
C:\ComboFix3.txt ... 2007-11-17 09:40
.
--- E O F ---
HJT Log File (ran after ComboFix had completed).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:16 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Mom\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {BD0E6A2A-DD4C-4879-85D5-85C32012783D} - C:\WINDOWS\system32\gebyx.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloaded files\ouicktime4\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.9.1.3...mmon-en_US.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - https://www.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184682572500
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://www.gamehouse.com/realarcade-...esLauncher.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.15/ttinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/z...ploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://w1.webex.com/client/T23L/webex/ieatgpc.cab
O20 - Winlogon Notify: cbxwttu - cbxwttu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
--
End of file - 11055 bytes
As of the time of this posting, the system appears to be running pretty well. I am withholding final judgement until I see if the offending links and warnings begin showing up when I boot up in the morning.
Join Date: Feb 2004
Location: Oztralya
Posts: 8,310
Reputation:
Rep Power: 23
Solved Threads: 491
Can you please do the following.
===============
Can you disable Windows Defender as it may interfere with the removal process. Please leave it disabled until your PC has been given the all clear.
- Open Windows Defender
- Click Tools
- Click General Settings
- Scroll down to Real Time Protection Options
- Uncheck Turn on Real Time Protection (recommended)
- After you uncheck this, click on the Save button
- Close Windows Defender
===============
Scan with HijackThis and then place a check next to all the following, if present:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {BD0E6A2A-DD4C-4879-85D5-85C32012783D} - C:\WINDOWS\system32\gebyx.dll (file missing)
O20 - Winlogon Notify: cbxwttu - cbxwttu.dll (file missing)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Let us know how things are when you know for sure.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
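The selection made in the reply above (the two BHO entries and the Winlogon Notify entry whose files are gone) can be reproduced from the logs themselves. The following Python is an added example, not part of the original thread and not HijackThis or ComboFix code; the rule "O2 or O20 entry marked (no file) / (file missing)" and all function names are assumptions made for this illustration, and the sample lines are copied from the logs posted earlier in the thread.

```python
import ntpath
import re

# Lines copied from the HijackThis and ComboFix logs posted in this thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BD0E6A2A-DD4C-4879-85D5-85C32012783D} - C:\WINDOWS\system32\gebyx.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: cbxwttu - cbxwttu.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
"""

COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD0E6A2A-DD4C-4879-85D5-85C32012783D}]
C:\WINDOWS\system32\gebyx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwttu]
cbxwttu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeba.dll
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
MISSING_RE = re.compile(r"\s*\((?:no file|file missing)\)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption for this example: only these sections are treated as load points
# to clean up when orphaned (O2 = Browser Helper Object, O20 = Winlogon Notify).
LOAD_POINTS = {"O2", "O20"}


def parse_line(line):
    """Split one HijackThis entry into section, kind, CLSID, file name, missing flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, process list, blank lines
    rest = m.group("rest")
    missing = bool(MISSING_RE.search(rest))
    # The target is the last " - " separated field once the marker is removed.
    target = MISSING_RE.sub("", rest).rsplit(" - ", 1)[-1].strip()
    clsid = CLSID_RE.search(rest)
    is_file = target.lower().endswith((".dll", ".exe"))
    return {
        "section": m.group("section"),
        "kind": m.group("kind"),
        "clsid": clsid.group(0) if clsid else None,
        "file": ntpath.basename(target) if is_file else None,
        "missing": missing,
        "raw": line.strip(),
    }


def orphaned_load_points(log_text):
    """Return O2/O20 entries that still exist in the registry but point at no file."""
    entries = (parse_line(ln) for ln in log_text.splitlines())
    return [e for e in entries if e and e["section"] in LOAD_POINTS and e["missing"]]


def registry_leftovers(orphans, other_log):
    """Lines of a second log (here ComboFix) that still name an orphan's CLSID or file stem."""
    needles = set()
    for e in orphans:
        if e["clsid"]:
            needles.add(e["clsid"].lower())
        if e["file"]:
            needles.add(ntpath.splitext(e["file"])[0].lower())
    return [ln.strip() for ln in other_log.splitlines()
            if any(n in ln.lower() for n in needles)]


if __name__ == "__main__":
    found = orphaned_load_points(HJT_LOG)
    for entry in found:
        print("fix candidate:", entry["raw"])
    for line in registry_leftovers(found, COMBOFIX_LOG):
        print("still referenced:", line)
```

The O9 and O23 entries are also marked (file missing) but fall outside the two sections this rule covers, which matches the three items listed in the reply.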