
Hi all...my first thread here so please be patient.
Got a bizarre problem... PC boots up without problem but explorer fails to start, or starts and then shuts itself off, and repeats this every 15 secs or so. I can still access programs via the task manager but no desktop! This even occurs in safe mode, with or without networking!

After running BitDefender it recognised a few Vundos, which it seemed to have gotten rid of, but from HijackThis I have a few entries which will NOT go away despite my efforts.

O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - blank (file missing)
O2 - BHO: (no name) - {72664D4F-C520-4FA8-8EDA-5FA7FFF522B2} - C:\windows\system32\awttrOEw.dll
O2 - BHO: (no name) - {F3AEF888-A3E2-44EB-BD85-F0C85BA7673F} - C:\windows\system32\byXPJaXr.dll
O20 - Winlogon Notify: byXPJaXr - C:\windows\SYSTEM32\byXPJaXr.dll

On top of asking HijackThis to fix the selected entries, I have tried to manually delete byXPJaXr.dll but have had zero luck down that road! I have also run VundoFix but it doesn't detect anything.

Does anyone have any suggestions on this before I tear my bloody hair out and start banging my head repeatedly off the table?

Thanks in advance
3D Greek

Last Post by crunchie

Hi and welcome to the Daniweb forums :).

==========

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Crunchie...you are a god my friend!!!

ComboFix log:
ComboFix 08-04-26.3 - Chris 2008-04-27 13:36:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1580 [GMT 1:00]
Running from: C:\Documents and Settings\All Users\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\hosts
C:\windows\system32\awttrOEw.dll
C:\windows\system32\byXPJaXr.dll
C:\windows\system32\drivers\npf.sys
C:\windows\system32\FOLESVR.DLL
C:\windows\system32\install.exe
C:\windows\system32\packet.dll
C:\windows\system32\slootniw01.dll
C:\windows\system32\wEOrttwa.ini
C:\WINDOWS\system32\wEOrttwa.ini2
C:\windows\system32\winsys.exe
C:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTNDIS
-------\Service_NPF
-------\Service_ntndis


((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 21:25 . 2008-04-26 21:25 <DIR> d-------- C:\Documents and Settings\thegreek
2008-04-26 21:25 . 2008-04-27 13:40 1,024 --ah----- C:\Documents and Settings\thegreek\ntuser.dat.LOG
2008-04-26 21:24 . 2008-04-26 21:24 0 --a------ C:\WINDOWS\FantasyDVDPlatinum.ini
2008-04-26 21:07 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-26 21:07 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-26 21:07 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-26 21:07 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-26 21:07 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-04-26 21:07 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-26 21:07 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-26 21:07 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-26 20:06 . 2008-04-26 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-26 19:56 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-26 19:56 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-26 19:50 . 2008-04-26 19:50 114 --a------ C:\shellfix.reg
2008-04-26 19:37 . 2008-04-26 19:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-26 19:37 . 2008-04-27 13:35 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-26 08:59 . 2008-04-26 19:17 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-26 08:59 . 2008-04-26 19:17 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-26 07:33 . 2008-04-26 07:48 <DIR> d-------- C:\VundoFix Backups
2008-04-26 04:32 . 2008-04-27 13:30 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-04-26 04:29 . 2008-04-27 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-04-26 04:28 . 2008-04-27 13:31 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-04-26 02:00 . 2008-04-26 03:21 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-26 01:26 . 2008-04-26 01:26 <DIR> d-------- C:\Documents and Settings\Chris\.housecall6.6
2008-04-26 01:08 . 2008-04-26 01:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SRSLabs
2008-04-26 00:34 . 2008-04-26 00:34 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Crystal Player
2008-04-25 21:05 . 2008-04-26 21:24 0 --a------ C:\WINDOWS\PlayList.Fpl
2008-04-25 21:04 . 2008-04-26 21:30 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-04-25 21:03 . 2008-04-25 21:03 <DIR> d-------- C:\WINDOWS\system32\FTCodecs
2008-04-25 21:03 . 2006-04-21 00:27 544,768 --a------ C:\WINDOWS\system32\CLVSD.ax
2008-04-25 21:03 . 2008-04-26 21:24 3,599 --a------ C:\WINDOWS\FantasyDVD.ini
2008-04-25 21:03 . 2008-04-26 19:10 2,417 --a------ C:\WINDOWS\ShortCutInf.ini
2008-04-25 20:34 . 2008-04-25 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-04-25 09:19 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-25 09:16 . 2008-04-25 09:17 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-25 09:16 . 2008-04-25 09:16 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-21 17:10 . 2008-03-21 21:30 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-04-21 17:10 . 2008-03-21 21:30 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-21 17:10 . 2008-03-21 21:30 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-03 15:58 . 2008-04-03 15:58 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-03 15:58 . 2008-04-03 15:58 <DIR> d-------- C:\WINDOWS\system32\Atheros_L1
2008-04-03 15:58 . 2008-04-03 15:58 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-03 15:58 . 2008-04-03 15:58 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-03 15:58 . 2007-11-01 01:56 36,864 -ra------ C:\WINDOWS\system32\drivers\l151x86.sys
2008-04-03 15:56 . 2008-04-03 15:56 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-04-03 15:55 . 2008-04-03 15:55 <DIR> d-------- C:\Program Files\Realtek
2008-04-03 15:54 . 2007-07-26 10:09 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-04-03 15:54 . 2008-04-26 02:33 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-04-03 15:53 . 2008-04-03 15:53 <DIR> d-------- C:\Program Files\Intel
2008-04-03 15:52 . 2008-04-03 15:52 <DIR> d-------- C:\Intel
2008-04-03 15:52 . 2008-04-03 15:56 11,044 --a------ C:\WINDOWS\Ascd_log.ini
2008-04-03 15:51 . 2008-04-03 15:51 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-04-03 15:51 . 2008-04-03 15:51 0 --a------ C:\WINDOWS\msicpl.ini
2008-04-03 15:50 . 2008-04-03 15:52 10,800 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-04-03 15:50 . 2006-10-11 04:33 10,288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-04-03 15:50 . 2004-08-12 09:00 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-04-03 15:47 . 2007-06-28 17:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.nvb
2008-04-03 15:47 . 2008-04-03 15:47 244 --ah----- C:\sqmnoopt04.sqm
2008-04-03 15:47 . 2008-04-03 15:47 232 --ah----- C:\sqmdata04.sqm
2008-04-03 15:42 . 2004-08-03 23:08 20,480 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2008-04-03 15:42 . 2004-08-03 23:08 20,480 --a--c--- C:\WINDOWS\system32\dllcache\usbuhci.sys
2008-04-03 15:42 . 2007-06-29 00:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-04-03 15:26 . 2008-04-03 15:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-03 15:26 . 2008-04-26 01:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-31 22:25 . 2008-03-31 22:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 22:25 . 2008-03-31 22:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 22:25 . 2008-03-31 22:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 22:25 . 2008-03-31 22:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 22:25 . 2008-03-31 22:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 22:25 . 2008-04-26 02:37 163,840 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 12:34 --------- d-----w C:\Documents and Settings\Chris\Application Data\uTorrent
2008-04-26 18:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-26 07:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-26 01:40 90,112 -c--a-w C:\windows\unvise32.exe
2008-04-26 01:40 45,056 ----a-w C:\windows\system32\XSIChooser.exe
2008-04-26 01:40 299,520 -c--a-w C:\windows\uninst.exe
2008-04-26 01:40 146,432 -c--a-w C:\windows\system32\WudfHost.exe
2008-04-26 01:38 753,664 ----a-w C:\windows\system32\nvcplui.exe
2008-04-26 01:38 69,632 -c--a-w C:\windows\system32\HPZipm12.exe
2008-04-26 01:38 65,536 -c--a-w C:\windows\system32\HPZinw12.exe
2008-04-26 01:38 61,952 ----a-w C:\windows\system32\HdAShCut.exe
2008-04-26 01:38 61,440 ----a-w C:\windows\system32\dns-sd.exe
2008-04-26 01:38 51,712 -c--a-w C:\windows\system32\migpwd.exe
2008-04-26 01:38 45,056 -c--a-w C:\windows\system32\E2.exe
2008-04-26 01:38 442,368 ----a-w C:\windows\system32\nvappbar.exe
2008-04-26 01:38 425,984 ----a-w C:\windows\system32\keystone.exe
2008-04-26 01:38 172,544 -c--a-w C:\windows\system32\jview.exe
2008-04-26 01:38 15,360 -c--a-w C:\windows\system32\jdbgmgr.exe
2008-04-26 01:38 147,456 ----a-w C:\windows\system32\nvcolor.exe
2008-04-26 01:38 1,339,392 ----a-w C:\windows\system32\nvdspsch.exe
2008-04-26 01:37 524,288 ----a-w C:\windows\system32\DivXsm.exe
2008-04-26 01:36 9,715,200 ----a-w C:\windows\RTLCPL.exe
2008-04-26 01:36 86,016 ----a-w C:\windows\SoundMan.exe
2008-04-26 01:36 73,216 -c--a-w C:\windows\ST6UNST.EXE
2008-04-26 01:36 49,664 -c--a-w C:\windows\system32\clspack.exe
2008-04-26 01:36 49,152 ----a-w C:\windows\system32\ChCfg.exe
2008-04-26 01:36 46,592 -c--a-w C:\windows\setdebug.exe
2008-04-26 01:36 225,280 -c--a-w C:\windows\system32\cpwsave.exe
2008-04-26 01:36 20,480 -c--a-w C:\windows\system32\cliconfg.exe
2008-04-26 01:36 1,826,816 ----a-w C:\windows\SkyTel.exe
2008-04-26 01:36 1,191,936 ----a-w C:\windows\RtlUpd.exe
2008-04-26 01:35 306,688 -c--a-w C:\windows\IsUninst.exe
2008-04-26 01:35 2,165,760 ----a-w C:\windows\MicCal.exe
2008-04-26 01:28 69,632 ----a-w C:\windows\Alcmtr.exe
2008-04-26 01:28 47,104 ----a-w C:\windows\system32\uwdf.exe
2008-04-26 01:28 38,912 ----a-w C:\windows\system32\wdfmgr.exe
2008-04-26 01:28 208,896 -c--a-w C:\windows\alcupd.exe
2008-04-26 01:28 2,808,832 ----a-w C:\windows\alcwzrd.exe
2008-04-26 01:28 139,264 -c--a-w C:\windows\cmuninst.exe
2008-04-26 01:28 139,264 -c--a-w C:\windows\alcrmv.exe
2008-04-26 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-04-26 00:40 1,512 ----a-w C:\windows\system32\drivers\serv-u.ini
2008-04-25 23:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 23:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 19:51 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-25 17:56 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-15 15:34 --------- d-----w C:\Documents and Settings\Chris\Application Data\Ahead
2008-03-21 20:30 43,528 -c----w C:\windows\system32\drivers\PxHelp20.sys
2008-03-21 20:30 3,596,288 ----a-w C:\windows\system32\qt-dx331.dll
2008-03-21 20:30 200,704 -c--a-w C:\windows\system32\ssldivx.dll
2008-03-21 20:30 120,056 -c--a-w C:\windows\system32\pxcpyi64.exe
2008-03-21 20:30 118,520 -c--a-w C:\windows\system32\pxinsi64.exe
2008-03-21 20:30 1,044,480 -c--a-w C:\windows\system32\libdivx.dll
2008-03-21 20:28 81,920 -c--a-w C:\windows\system32\dpl100.dll
2008-03-21 20:28 593,920 -c--a-w C:\windows\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 -c--a-w C:\windows\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\windows\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\windows\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\windows\system32\dpu11.dll
2008-03-21 20:28 294,912 -c--a-w C:\windows\system32\dpu10.dll
2008-03-21 20:28 196,608 -c--a-w C:\windows\system32\dtu100.dll
2008-03-21 20:28 12,288 -c--a-w C:\windows\system32\DivXWMPExtType.dll
2008-03-14 06:04 46,652 ----a-w C:\windows\system32\drivers\scdemu.sys
2007-07-19 07:21 45,384 -c--a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2007-02-28 00:04 104 -csh--r C:\windows\system32\9117A22488.sys
2002-04-16 11:27 5 -csha-w C:\windows\system32\CdI5T.drv
2007-08-13 15:29 2,828 -csha-w C:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-04 02:07 359040 9f4b36614a0fc234525ba224957de55c C:\windows\$NtUninstallKB917953$\tcpip.sys
2006-07-26 17:05 359808 ba57942c0029b0878afba052a3e33689 C:\windows\system32\dllcache\TCPIP.SYS
2006-07-26 17:05 359808 ba57942c0029b0878afba052a3e33689 C:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{598F4775-6FB6-477B-9842-E0426824E077}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-04 02:07 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-04-26 02:22 5674496]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 13:22 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 09:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 09:50 204800]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-04-26 02:18 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-04-26 02:18 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"C-Media Mixer"="Mixer.exe" [2002-07-12 17:33 1581056 C:\WINDOWS\mixer.exe]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [2004-07-26 13:04 159744]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [2004-07-26 13:04 98304]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-06-28 17:43 8466432]
"nwiz"="nwiz.exe" [2008-04-26 02:39 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-04-26 02:11 40448]
"WinSys2"="C:\windows\system32\winsys2.exe" [2008-04-26 02:39 208896]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-06-28 17:43 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 07:20 16844800 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2008-04-26 02:36 1826816 C:\WINDOWS\SkyTel.exe]
"Com Service"="comservice.exe" []
"PWRISOVM.EXE"="D:\PowerISO\PWRISOVM.EXE" [2008-04-26 03:10 233472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Com Service"="comservice.exe" []
"Microsoft Updates"="svehost.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - D:\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - D:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Microsoft Office.lnk - D:\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 86016]
ZyXEL G-302 v3 Utility.lnk - C:\Program Files\ZyXEL\G-302v3\G-302v3.exe [2007-11-08 12:45:43 12867584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPJaXr]
byXPJaXr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"D:\\Firefox\\firefox.exe"=
"D:\\wsftpgui.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\fear\\FEAR.exe"=
"D:\\Softimage\\XSI_6.01\\Application\\bin\\XSI.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\explorer.exe"= C:\\windows\\Explorer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4000:TCP"= 4000:TCP:Bittorrent
"4001:TCP"= 4001:TCP:Bittorrent
"4002:TCP"= 4002:TCP:Bittorrent
"4003:TCP"= 4003:TCP:Bittorrent
"4004:TCP"= 4004:TCP:Bittorrent
"4005:TCP"= 4005:TCP:Bittorrent
"50021:TCP"= 50021:TCP:Bittorrent

R2 Ms-java;Ms-java;C:\WINDOWS\system32\dllcache\ms-java.exe [2004-02-28 09:47]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\windows\system32\DRIVERS\l151x86.sys [2007-11-01 01:56]
R3 SaiNtHid;SaiNtHid;C:\windows\system32\DRIVERS\SaiNtHid.sys [2003-04-10 12:42]
R3 SaiNtSub;SaiNtSub;C:\windows\system32\DRIVERS\SaiNtSub.sys [2003-04-10 12:42]
R3 SjyPkt;SjyPkt;C:\windows\System32\Drivers\SjyPkt.sys [2002-10-02 10:57]
S2 Cap7134;TV Capture Card WDM Video Capture;C:\windows\system32\DRIVERS\Cap7134.sys [2004-11-19 09:57]
S2 NvNdis;NVIDIA NDIS IO Control Driver;C:\windows\system32\Drivers\NvNdis.sys []
S3 PhTVTune;TV Capture Card WDM TV Tuner;C:\windows\system32\DRIVERS\PhTVTune.sys [2004-11-19 09:57]
S3 SaiClass;SaiClass;C:\windows\system32\drivers\SaiNtBus.sys [2004-07-26 12:54]

.
Contents of the 'Scheduled Tasks' folder
"2006-11-07 17:55:49 C:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1154707094.job"
- D:\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 13:43:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 171

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\windows\explorer.exe
-> ?:\windows\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\spm\spmd.exe
D:\A;cohol120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-27 13:46:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 12:46:14

Pre-Run: 2,958,778,368 bytes free
Post-Run: 2,953,170,944 bytes free


HIJACK THIS Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55:17, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\dllcache\ms-java.exe
C:\windows\system32\nvsvc32.exe
C:\spm\spmd.exe
D:\A;cohol120\Alcohol 120\StarWind\StarWindService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\windows\Mixer.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\windows\system32\RUNDLL32.EXE
C:\windows\RTHDCPL.EXE
D:\PowerISO\PWRISOVM.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
D:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
C:\windows\explorer.exe
D:\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\whatsThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - blank (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - blank (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - blank (file missing)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinSys2] C:\windows\system32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Com Service] comservice.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunServices: [Com Service] comservice.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL G-302 v3 Utility.lnk = C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: byXPJaXr - byXPJaXr.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\system32\dllcache\ms-java.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\A;cohol120\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8452 bytes

The problem appears to be resolved... and I really appreciate the help, Crunchie.


I am off to bed, but you can do the following and I will catch up in about 7 hours.

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\dllcache\ms-java.exe

=======

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - blank (file missing)

O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - blank (file missing)

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - blank (file missing)

O4 - HKLM\..\Run: [WinSys2] C:\windows\system32\winsys2.exe
O4 - HKLM\..\Run: [Com Service] comservice.exe
O4 - HKLM\..\RunServices: [Com Service] comservice.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe

O20 - Winlogon Notify: byXPJaXr - byXPJaXr.dll (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

files...

C:\windows\system32\winsys2.exe

Search for...

comservice.exe
svehost.exe

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
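As an added example (not part of this thread, and not a tool by crunchie or Daniweb), here is a small Python triage script that applies the same kind of checks reflected in the list above to HijackThis v2 log lines: O2/O3 entries whose DLL is "blank (file missing)", O4 Run/RunServices values that are bare filenames or one letter off a core Windows binary (svehost.exe vs svchost.exe), and O20 Winlogon Notify DLLs. The sample lines are constructed from entries quoted in this thread, and SYSTEM_BINARIES is an assumed, non-exhaustive list.

```python
"""Triage HijackThis v2 log lines for the entry types discussed in this thread."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "lineno section severity reason text")

# Assumed list of core Windows binaries that malware likes to imitate by name
# (svehost.exe is one edit away from svchost.exe). Extend for your environment.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe", "rundll32.exe",
}

# Constructed sample, modelled on lines quoted in this thread (not a real capture).
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - blank (file missing)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - blank (file missing)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [WinSys2] C:\windows\system32\winsys2.exe
O4 - HKLM\..\Run: [Com Service] comservice.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O20 - Winlogon Notify: byXPJaXr - byXPJaXr.dll (file missing)
"""

BHO_RE = re.compile(r"^(?P<section>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - "
                    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def levenshtein(a, b):
    """Edit distance; used to spot one-character-off imitations of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary this name imitates (distance exactly 1), else None."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in sorted(SYSTEM_BINARIES):
        if levenshtein(name, real) == 1:
            return real
    return None


def image_from_command(cmd):
    """First executable of an O4 command; for rundll32 lines, the DLL it is told to load."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def triage(log_text):
    """Return Findings for orphaned hooks, suspicious Run values and Winlogon Notify DLLs."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.rstrip()
        m = BHO_RE.match(line)
        if m:
            if "(file missing)" in m["path"] or m["path"].strip() == "blank":
                findings.append(Finding(lineno, m["section"], "medium",
                                        "registered CLSID whose DLL no longer exists (orphaned hook)", line))
            continue
        m = RUN_RE.match(line)
        if m:
            image = image_from_command(m["cmd"])
            basename = image.rsplit("\\", 1)[-1]
            real = lookalike_of(basename)
            if real:
                findings.append(Finding(lineno, "O4", "high",
                                        f"{basename} imitates the system binary {real}", line))
            elif m["key"] == "RunServices":
                # RunServices is a Windows 9x key; XP does not process it, so only
                # software targeting 9x compatibility (often malware) writes there.
                findings.append(Finding(lineno, "O4", "high",
                                        "RunServices value on an NT-family system", line))
            elif "\\" not in image:
                findings.append(Finding(lineno, "O4", "review",
                                        f"unqualified image '{image}': resolve which file on PATH actually runs", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # HijackThis only lists non-default Winlogon Notify entries; these DLLs
            # load inside winlogon.exe at logon, so every one deserves verification.
            findings.append(Finding(lineno, "O20", "high",
                                    "non-default Winlogon Notify DLL (loads into winlogon.exe)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.lineno:2d} [{f.section}] {f.severity:6s} {f.reason}")
```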


New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:08, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\dllcache\ms-java.exe
C:\windows\system32\nvsvc32.exe
C:\spm\spmd.exe
D:\A;cohol120\Alcohol 120\StarWind\StarWindService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\windows\Mixer.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\windows\system32\RUNDLL32.EXE
C:\windows\RTHDCPL.EXE
D:\PowerISO\PWRISOVM.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
D:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
C:\windows\explorer.exe
D:\uTorrent\utorrent.exe
D:\whatsThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL G-302 v3 Utility.lnk = C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\system32\dllcache\ms-java.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\A;cohol120\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7770 bytes


PC seems to be completely fine now mate.

Thanks again.


Sorry, it also said that the ms-java.exe was infected/malware...should I delete it?


Please back up your Registry with ERUNT.
Follow the link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For the version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: To restore your registry, go to the folder and start ERDNT.exe

==

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.



@echo off
rem Stop the Ms-java service, then remove its service registration
sc stop Ms-java
sc delete Ms-java


==

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

File::
C:\WINDOWS\system32\dllcache\ms-java.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply, after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments th_CFScript.gif 27.09 KB

Combofix Log

ComboFix 08-04-26.3 - Chris 2008-04-28 12:43:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1630 [GMT 1:00]
Running from: C:\Documents and Settings\All Users\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\cfscript.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\dllcache\ms-java.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\thegreek\Local Settings\Temporary Internet Files\
C:\WINDOWS\system32\dllcache\ms-java.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-28 09:34 . 2008-04-28 09:34 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Media Player Classic
2008-04-27 18:41 . 2008-04-28 03:31 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Azureus
2008-04-27 18:41 . 2008-04-27 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-27 14:38 . 2008-04-27 14:38 <DIR> d-------- C:\Documents and Settings\thegreek
2008-04-26 21:24 . 2008-04-28 09:53 0 --a------ C:\WINDOWS\FantasyDVDPlatinum.ini
2008-04-26 21:07 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-26 21:07 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-26 21:07 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-26 21:07 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-26 21:07 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-04-26 21:07 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-26 21:07 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-26 21:07 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-26 20:06 . 2008-04-26 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-26 19:56 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-26 19:56 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-26 19:50 . 2008-04-26 19:50 114 --a------ C:\shellfix.reg
2008-04-26 19:37 . 2008-04-26 19:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-26 19:37 . 2008-04-27 13:35 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-26 08:59 . 2008-04-26 19:17 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-26 08:59 . 2008-04-26 19:17 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-26 07:33 . 2008-04-26 07:48 <DIR> d-------- C:\VundoFix Backups
2008-04-26 04:32 . 2008-04-27 13:30 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-04-26 04:29 . 2008-04-27 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-04-26 04:28 . 2008-04-27 13:31 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-04-26 02:00 . 2008-04-26 03:21 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-26 01:26 . 2008-04-26 01:26 <DIR> d-------- C:\Documents and Settings\Chris\.housecall6.6
2008-04-26 01:08 . 2008-04-26 01:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SRSLabs
2008-04-26 00:34 . 2008-04-26 00:34 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Crystal Player
2008-04-25 21:05 . 2008-04-28 09:53 0 --a------ C:\WINDOWS\PlayList.Fpl
2008-04-25 21:04 . 2008-04-28 09:51 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-04-25 21:03 . 2008-04-25 21:03 <DIR> d-------- C:\WINDOWS\system32\FTCodecs
2008-04-25 21:03 . 2006-04-21 00:27 544,768 --a------ C:\WINDOWS\system32\CLVSD.ax
2008-04-25 21:03 . 2008-04-28 09:53 3,568 --a------ C:\WINDOWS\FantasyDVD.ini
2008-04-25 21:03 . 2008-04-26 19:10 2,417 --a------ C:\WINDOWS\ShortCutInf.ini
2008-04-25 20:34 . 2008-04-25 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-04-25 09:19 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-25 09:16 . 2008-04-25 09:17 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-25 09:16 . 2008-04-25 09:16 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-21 17:10 . 2008-03-21 21:30 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-04-21 17:10 . 2008-03-21 21:30 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-21 17:10 . 2008-03-21 21:30 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-03 15:58 . 2008-04-03 15:58 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-03 15:58 . 2008-04-03 15:58 <DIR> d-------- C:\WINDOWS\system32\Atheros_L1
2008-04-03 15:58 . 2008-04-03 15:58 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-03 15:58 . 2008-04-03 15:58 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-03 15:58 . 2007-11-01 01:56 36,864 -ra------ C:\WINDOWS\system32\drivers\l151x86.sys
2008-04-03 15:56 . 2008-04-03 15:56 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-04-03 15:55 . 2008-04-03 15:55 <DIR> d-------- C:\Program Files\Realtek
2008-04-03 15:54 . 2007-07-26 10:09 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-04-03 15:54 . 2008-04-26 02:33 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-04-03 15:53 . 2008-04-03 15:53 <DIR> d-------- C:\Program Files\Intel
2008-04-03 15:52 . 2008-04-03 15:52 <DIR> d-------- C:\Intel
2008-04-03 15:52 . 2008-04-03 15:56 11,044 --a------ C:\WINDOWS\Ascd_log.ini
2008-04-03 15:51 . 2008-04-03 15:51 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-04-03 15:51 . 2008-04-03 15:51 0 --a------ C:\WINDOWS\msicpl.ini
2008-04-03 15:50 . 2008-04-03 15:52 10,800 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-04-03 15:50 . 2006-10-11 04:33 10,288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-04-03 15:50 . 2004-08-12 09:00 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-04-03 15:47 . 2007-06-28 17:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.nvb
2008-04-03 15:47 . 2008-04-03 15:47 244 --ah----- C:\sqmnoopt04.sqm
2008-04-03 15:47 . 2008-04-03 15:47 232 --ah----- C:\sqmdata04.sqm
2008-04-03 15:42 . 2004-08-03 23:08 20,480 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2008-04-03 15:42 . 2004-08-03 23:08 20,480 --a--c--- C:\WINDOWS\system32\dllcache\usbuhci.sys
2008-04-03 15:42 . 2007-06-29 00:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-04-03 15:26 . 2008-04-03 15:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-03 15:26 . 2008-04-26 01:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-31 22:25 . 2008-03-31 22:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 22:25 . 2008-03-31 22:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 22:25 . 2008-03-31 22:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 22:25 . 2008-03-31 22:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 22:25 . 2008-03-31 22:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 22:25 . 2008-04-26 02:37 163,840 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 11:41 --------- d-----w C:\Documents and Settings\Chris\Application Data\uTorrent
2008-04-27 14:52 359,808 ----a-w C:\windows\system32\drivers\TCPIP.SYS
2008-04-26 18:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-26 07:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-26 01:40 90,112 -c--a-w C:\windows\unvise32.exe
2008-04-26 01:40 45,056 ----a-w C:\windows\system32\XSIChooser.exe
2008-04-26 01:40 299,520 -c--a-w C:\windows\uninst.exe
2008-04-26 01:40 146,432 -c--a-w C:\windows\system32\WudfHost.exe
2008-04-26 01:38 753,664 ----a-w C:\windows\system32\nvcplui.exe
2008-04-26 01:38 69,632 -c--a-w C:\windows\system32\HPZipm12.exe
2008-04-26 01:38 65,536 -c--a-w C:\windows\system32\HPZinw12.exe
2008-04-26 01:38 61,952 ----a-w C:\windows\system32\HdAShCut.exe
2008-04-26 01:38 61,440 ----a-w C:\windows\system32\dns-sd.exe
2008-04-26 01:38 51,712 -c--a-w C:\windows\system32\migpwd.exe
2008-04-26 01:38 45,056 -c--a-w C:\windows\system32\E2.exe
2008-04-26 01:38 442,368 ----a-w C:\windows\system32\nvappbar.exe
2008-04-26 01:38 425,984 ----a-w C:\windows\system32\keystone.exe
2008-04-26 01:38 172,544 -c--a-w C:\windows\system32\jview.exe
2008-04-26 01:38 15,360 -c--a-w C:\windows\system32\jdbgmgr.exe
2008-04-26 01:38 147,456 ----a-w C:\windows\system32\nvcolor.exe
2008-04-26 01:38 1,339,392 ----a-w C:\windows\system32\nvdspsch.exe
2008-04-26 01:37 524,288 ----a-w C:\windows\system32\DivXsm.exe
2008-04-26 01:36 9,715,200 ----a-w C:\windows\RTLCPL.exe
2008-04-26 01:36 86,016 ----a-w C:\windows\SoundMan.exe
2008-04-26 01:36 73,216 -c--a-w C:\windows\ST6UNST.EXE
2008-04-26 01:36 49,664 -c--a-w C:\windows\system32\clspack.exe
2008-04-26 01:36 49,152 ----a-w C:\windows\system32\ChCfg.exe
2008-04-26 01:36 46,592 -c--a-w C:\windows\setdebug.exe
2008-04-26 01:36 225,280 -c--a-w C:\windows\system32\cpwsave.exe
2008-04-26 01:36 20,480 -c--a-w C:\windows\system32\cliconfg.exe
2008-04-26 01:36 1,826,816 ----a-w C:\windows\SkyTel.exe
2008-04-26 01:36 1,191,936 ----a-w C:\windows\RtlUpd.exe
2008-04-26 01:35 306,688 -c--a-w C:\windows\IsUninst.exe
2008-04-26 01:35 2,165,760 ----a-w C:\windows\MicCal.exe
2008-04-26 01:28 69,632 ----a-w C:\windows\Alcmtr.exe
2008-04-26 01:28 47,104 ----a-w C:\windows\system32\uwdf.exe
2008-04-26 01:28 38,912 ----a-w C:\windows\system32\wdfmgr.exe
2008-04-26 01:28 208,896 -c--a-w C:\windows\alcupd.exe
2008-04-26 01:28 2,808,832 ----a-w C:\windows\alcwzrd.exe
2008-04-26 01:28 139,264 -c--a-w C:\windows\cmuninst.exe
2008-04-26 01:28 139,264 -c--a-w C:\windows\alcrmv.exe
2008-04-26 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-04-26 00:40 1,512 ----a-w C:\windows\system32\drivers\serv-u.ini
2008-04-25 23:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 23:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 19:51 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-25 17:56 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-15 15:34 --------- d-----w C:\Documents and Settings\Chris\Application Data\Ahead
2008-03-21 20:30 43,528 -c----w C:\windows\system32\drivers\PxHelp20.sys
2008-03-21 20:30 3,596,288 ----a-w C:\windows\system32\qt-dx331.dll
2008-03-21 20:30 200,704 -c--a-w C:\windows\system32\ssldivx.dll
2008-03-21 20:30 120,056 -c--a-w C:\windows\system32\pxcpyi64.exe
2008-03-21 20:30 118,520 -c--a-w C:\windows\system32\pxinsi64.exe
2008-03-21 20:30 1,044,480 -c--a-w C:\windows\system32\libdivx.dll
2008-03-21 20:28 81,920 -c--a-w C:\windows\system32\dpl100.dll
2008-03-21 20:28 593,920 -c--a-w C:\windows\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 -c--a-w C:\windows\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\windows\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\windows\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\windows\system32\dpu11.dll
2008-03-21 20:28 294,912 -c--a-w C:\windows\system32\dpu10.dll
2008-03-21 20:28 196,608 -c--a-w C:\windows\system32\dtu100.dll
2008-03-21 20:28 12,288 -c--a-w C:\windows\system32\DivXWMPExtType.dll
2008-03-14 06:04 46,652 ----a-w C:\windows\system32\drivers\scdemu.sys
2007-07-19 07:21 45,384 -c--a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2007-02-28 00:04 104 -csh--r C:\windows\system32\9117A22488.sys
2002-04-16 11:27 5 -csha-w C:\windows\system32\CdI5T.drv
2007-08-13 15:29 2,828 -csha-w C:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-04 02:07 359040 9f4b36614a0fc234525ba224957de55c C:\windows\$NtUninstallKB917953$\tcpip.sys
2008-04-27 15:52 359808 b4e29943b4b04bd5e7381546848e6669 C:\windows\system32\dllcache\TCPIP.SYS
2008-04-27 15:52 359808 b4e29943b4b04bd5e7381546848e6669 C:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-04-27_13.46.01.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 12:40:22 2,048 --s-a-w C:\windows\bootstat.dat
+ 2008-04-28 11:45:27 2,048 --s-a-w C:\windows\bootstat.dat
- 2008-04-25 08:32:32 71,022 ----a-w C:\windows\system32\perfc009.dat
+ 2008-04-27 14:44:30 71,022 ----a-w C:\windows\system32\perfc009.dat
- 2008-04-25 08:32:32 422,572 ----a-w C:\windows\system32\perfh009.dat
+ 2008-04-27 14:44:30 422,572 ----a-w C:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-04 02:07 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-04-26 02:22 5674496]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 13:22 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 09:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 09:50 204800]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-04-26 02:18 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-04-26 02:18 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"C-Media Mixer"="Mixer.exe" [2002-07-12 17:33 1581056 C:\WINDOWS\mixer.exe]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [2004-07-26 13:04 159744]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [2004-07-26 13:04 98304]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-06-28 17:43 8466432]
"nwiz"="nwiz.exe" [2008-04-26 02:39 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-04-26 02:11 40448]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-06-28 17:43 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 07:20 16844800 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2008-04-26 02:36 1826816 C:\WINDOWS\SkyTel.exe]
"PWRISOVM.EXE"="D:\PowerISO\PWRISOVM.EXE" [2008-04-26 03:10 233472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - D:\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - D:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Microsoft Office.lnk - D:\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 86016]
ZyXEL G-302 v3 Utility.lnk - C:\Program Files\ZyXEL\G-302v3\G-302v3.exe [2007-11-08 12:45:43 12867584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\windows\system32\yayvUNEX.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll
"vidc.ffds"= d:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"D:\\Firefox\\firefox.exe"=
"D:\\wsftpgui.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\fear\\FEAR.exe"=
"D:\\Softimage\\XSI_6.01\\Application\\bin\\XSI.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\explorer.exe"= C:\\windows\\Explorer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4000:TCP"= 4000:TCP:Bittorrent
"4001:TCP"= 4001:TCP:Bittorrent
"4002:TCP"= 4002:TCP:Bittorrent
"4003:TCP"= 4003:TCP:Bittorrent
"4004:TCP"= 4004:TCP:Bittorrent
"4005:TCP"= 4005:TCP:Bittorrent
"50021:TCP"= 50021:TCP:Bittorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\windows\system32\DRIVERS\l151x86.sys [2007-11-01 01:56]
R3 SaiNtHid;SaiNtHid;C:\windows\system32\DRIVERS\SaiNtHid.sys [2003-04-10 12:42]
R3 SaiNtSub;SaiNtSub;C:\windows\system32\DRIVERS\SaiNtSub.sys [2003-04-10 12:42]
R3 SjyPkt;SjyPkt;C:\windows\System32\Drivers\SjyPkt.sys [2002-10-02 10:57]
S2 Cap7134;TV Capture Card WDM Video Capture;C:\windows\system32\DRIVERS\Cap7134.sys [2004-11-19 09:57]
S2 NvNdis;NVIDIA NDIS IO Control Driver;C:\windows\system32\Drivers\NvNdis.sys []
S3 PhTVTune;TV Capture Card WDM TV Tuner;C:\windows\system32\DRIVERS\PhTVTune.sys [2004-11-19 09:57]
S3 SaiClass;SaiClass;C:\windows\system32\drivers\SaiNtBus.sys [2004-07-26 12:54]

.
Contents of the 'Scheduled Tasks' folder
"2006-11-07 17:55:49 C:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1154707094.job"
- D:\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 12:46:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 171

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\spm\spmd.exe
D:\A;cohol120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-28 12:48:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 11:48:44
ComboFix2.txt 2008-04-27 13:38:18
ComboFix3.txt 2008-04-27 12:46:26

Pre-Run: 3,075,403,776 bytes free
Post-Run: 3,086,737,408 bytes free

300


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:17, on 28/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\system32\nvsvc32.exe
C:\spm\spmd.exe
D:\A;cohol120\Alcohol 120\StarWind\StarWindService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\windows\Mixer.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\windows\system32\RUNDLL32.EXE
C:\windows\RTHDCPL.EXE
D:\PowerISO\PWRISOVM.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
D:\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
D:\whatsThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZyXEL G-302 v3 Utility.lnk = C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\A;cohol120\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7445 bytes

Is that all you need or are there any more tests I should run?

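To make explicit what a reviewer is checking when reading the O2 and O20 lines of a log like the one above, here is an added Python triage helper; it is not part of the thread and not a HijackThis feature. The sample log lines, the two all-digit CLSIDs and the DLL name qrSTuvWx.dll are constructed for the example, and the allowlist is an assumed, partial set of XP notification packages.

```python
import re
from pathlib import PureWindowsPath
from typing import List, NamedTuple

class Finding(NamedTuple):
    kind: str    # HijackThis section the line came from ("O2" or "O20")
    path: str
    reason: str

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Eight letters of mixed case with no word structure: the naming pattern of the
# thread's DLLs. Heuristic only, so it is always combined with the location check.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}\.dll$")
# Assumed, partial allowlist of XP notification packages that legitimately show up as O20.
KNOWN_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                "sclgntfy.dll", "wgalogon.dll", "wlnotify.dll"}

def suspicious_system32_dll(path: str) -> bool:
    """True for a random-looking DLL name that lives in system32 and is not allowlisted."""
    p = PureWindowsPath(path)
    in_system32 = any(part.lower() == "system32" for part in p.parts)
    return (in_system32 and p.name.lower() not in KNOWN_NOTIFY
            and RANDOM_NAME_RE.match(p.name) is not None)

def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            if m["name"] == "(no name)" and "(file missing)" in m["path"]:
                findings.append(Finding("O2", m["path"], "orphaned CLSID: unnamed BHO whose file is gone"))
            elif suspicious_system32_dll(m["path"]):
                findings.append(Finding("O2", m["path"], "random-named DLL loaded into IE from system32"))
            continue
        m = NOTIFY_RE.match(line)
        if m and suspicious_system32_dll(m["path"]):
            findings.append(Finding("O20", m["path"], "random-named Winlogon Notify DLL (loads before the desktop)"))
    return findings

# Constructed sample: two benign BHOs, an orphaned CLSID, a random-named DLL registered
# both as a BHO and as a Winlogon Notify package, and a benign allowlisted O20 entry.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - blank (file missing)
O2 - BHO: (no name) - {55555555-6666-7777-8888-999999999999} - C:\windows\system32\qrSTuvWx.dll
O20 - Winlogon Notify: qrSTuvWx - C:\windows\SYSTEM32\qrSTuvWx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
```

Note that the Spybot line is "(no name)" too and is left alone: the name field on its own proves nothing, it is the combination with a missing file or a random-named DLL in system32 that warrants a look.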

Looks all good now. There was no need to run combofix the extra time though :).

==

Let's get rid of Combofix now that we are finished with it. Click START then RUN
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

When shown the disclaimer, Select "2"
The above procedure will:

  * Delete the following:
    * ComboFix and its associated files and folders.
    * VundoFix backups, if present.
    * The C:\Deckard folder, if present.
    * The C:\_OtMoveIt folder, if present.
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Reset System Restore.

==

Congratulations! Your log looks clean.

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders. Uncheck "Cookies" under "Internet Explorer".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Close when finished.
Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which, in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.

Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users: after something like this it is a good idea to flush the Restore Points and start fresh.
To flush the XP System Restore Points:

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.
