Hello,
I had previously posted a thread about some problems, but didn't receive a reply, so the moderator/analyst amateur removed it for me (THANK YOU!!!) so I could start again (I uninstalled everything and started over) & run new logs.
I previously was able to run almost all 5 steps. I couldn't download SpywareBlaster last time, could only run it from a flash drive. This time, I can't even do that. Any program or word or file containing the word "spyware" shuts down as soon as you attempt to access it, including browser windows. I also updated everything for XP except SP3. Is that advised? It failed last time, repeatedly, so I didn't try this time.
And this time when I ran Deckard there was no file anywhere called extra.txt that I attached previously to my old thread.
I found the bugs screensaver, but have not been able to find the virus/malware, whichever is causing all the problems: we have a blue screen, disabled display settings (no desktop or screensaver tabs) on all XP administrator accts and at times, military time is showing.
Other problems: upon restart, my own acct (no blue screen yet on mine) was completely disabled, said it was in use by another process, and when it let me in, it was a fresh new XP acct, all my settings gone. I was able to get it back after logging on & off a couple times. Something is also trying to install unknown hardware. I've refused.
I hope this is specific enough. I am posting the one log I was able to retrieve. Please let me know what other info I can offer.
-----------------------------
Deckard's System Scanner v20071014.68
Run by CHRISTOPHER on 2008-06-14 11:37:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-14 11:37:48
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link Media Server\MediaGUI.exe
C:\Program Files\D-Link Media Server\MediaServer.exe
C:\Documents and Settings\CHRISTOPHER\Desktop\dss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [User Themes] C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlcq_device - Unknown owner - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe
--
End of file - 5886 bytes
-- Files created between 2008-05-14 and 2008-06-14 -----------------------------
2008-06-13 07:29:52 0 dr-h----- C:\Documents and Settings\CHRISTOPHER\Recent
2008-06-13 07:??:17 47360 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-06-13 07:??:16 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Vso
2008-06-05 14:50:33 0 d-------- C:\Documents and Settings\GENEVIEVE\Application Data\ESET
2008-06-05 14:39:06 0 d-------- C:\Documents and Settings\LAURYN\Application Data\ESET
2008-06-05 06:39:32 0 d-------- C:\Program Files\MSXML 6.0
2008-06-05 06:22:50 0 d-------- C:\Documents and Settings\BRITTNEY\Application Data\ESET
2008-06-04 17:41:52 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\ESET
2008-06-04 17:41:00 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 17:39:00 0 d-------- C:\Program Files\iPod
2008-06-04 17:38:52 0 d-------- C:\Program Files\iTunes
2008-06-04 14:46:50 0 d-------- C:\WINDOWS\system32\scripting
2008-06-04 14:46:50 0 d-------- C:\WINDOWS\system32\en
2008-06-04 14:46:50 0 d-------- C:\WINDOWS\system32\bits
2008-06-04 14:46:50 0 d-------- C:\WINDOWS\l2schemas
2008-06-04 14:45:16 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-04 14:42:56 0 d-------- C:\WINDOWS\network diagnostic
2008-06-04 14:39:34 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-04 14:38:52 15360 --a------ C:\WINDOWS\system32\asfsipc.dll <Not Verified; Microsoft Corporation; Microsoft (R) DRM>
2008-06-04 14:38:28 0 d-------- C:\WINDOWS\EHome
2008-06-04 14:32:53 7680 --a------ C:\WINDOWS\system32\spdwnwxp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-04 14:23:38 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 10:20:51 0 d-------- C:\Program Files\Panda Security
2008-06-03 23:25:26 0 d-------- C:\Program Files\Enigma Software Group
2008-06-03 21:11:10 0 d-------- C:\Documents and Settings\GENEVIEVE\Application Data\SUPERAntiSpyware.com
2008-06-03 21:11:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 20:56:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-18 12:31:14 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\HPAppData
-- Find3M Report ---------------------------------------------------------------
2008-06-14 00:34:12 0 d-------- C:\Program Files\D-Link Media Server
2008-06-13 07:11:30 0 d-------- C:\Program Files\Qualcomm
2008-06-13 07:??:18 33 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.log
2008-06-13 07:??:17 1144 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.inf
2008-06-13 07:??:17 7824 --a------ C:\Documents and Settings\CHRISTOPHER\Application Data\pcouffin.cat
2008-06-12 12:39:38 0 d-------- C:\Program Files\BitLord
2008-06-10 19:41:56 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\.purple
2008-06-05 06:21:08 0 d-------- C:\Program Files\Apple Software Update
2008-06-04 17:37:49 0 d-------- C:\Program Files\QuickTime
2008-06-04 17:36:28 0 d-------- C:\Program Files\Java
2008-06-04 15:03:23 0 d-------- C:\Program Files\Windows NT
2008-06-04 15:03:22 0 d-------- C:\Program Files\Movie Maker
2008-06-04 15:03:21 0 d-------- C:\Program Files\Messenger
2008-06-03 23:35:47 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-03 20:51:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 20:33:49 3168 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-03 20:13:08 0 d-------- C:\Program Files\The Learning Company
2008-06-03 20:07:59 0 d-------- C:\Program Files\GameHouse
2008-06-03 20:03:07 0 d-------- C:\Program Files\PopCap Games
2008-05-26 18:18:44 0 d-------- C:\Program Files\dl_Cats
2008-05-20 06:41:18 0 d-------- C:\Program Files\Picasa2
2008-05-18 14:42:11 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\uTorrent
2008-05-01 06:28:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-30 09:05:10 85 --a------ C:\WINDOWS\popcinfo.dat
2008-04-29 12:33:37 137447 --a------ C:\WINDOWS\HPHins15.dat
2008-04-29 12:29:29 0 d-------- C:\Program Files\HP
2008-04-29 12:26:29 0 d-------- C:\Program Files\Common Files
2008-04-29 12:26:29 0 d-------- C:\Program Files\Common Files\HP
2008-04-22 18:03:04 0 d-------- C:\Documents and Settings\CHRISTOPHER\Application Data\Adobe
2008-04-15 00:04:03 0 d-------- C:\Program Files\ItsDeductible2006
2008-03-18 19:36:14 36734 --a------ C:\WINDOWS\system32\OggDSuninst.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"User Themes"="C:\Program Files\Common Files\Microsoft Shared\DAO\DADDYKOZ\SVCHOST.exe" [08/16/2007 11:40 PM]
"WD Button Manager"="WDBtnMgr.exe" [03/18/2007 07:59 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02/07/2007 04:24 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 05:24 PM]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [08/19/2003 11:43 AM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [02/07/2007 04:21 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 11:35 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 11:36 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 11:32 AM]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [12/12/2006 04:22 AM]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [01/12/2007 01:21 PM]
"CmPCIaudio"="CMICNFG3.CPL" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [12/21/2007 08:21 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e3b6ae5-416c-11dc-a119-0016e665bbdc}]
AutoRun\command- H:\LaunchU3.exe -a
-- End of Deckard's System Scanner: finished at 2008-06-14 11:38:56 ------------