Go Back   Tech Support Forum > Security Center > HijackThis Log Help
HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Old 04-03-2007, 09:30 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 3
OS: Win2000


cwcprops.cpl error, suchost.exe error, can't uninstall Brave Sentry

I'm glad I found you guys!
I followed as many of the 5 steps as I could.

To start, when I boot up the computer I get a window
"suchost.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log has been created."
I have no idea what suchost is.

The next window that pops up is
"Error loading cwcprops.cpl. The specified module could not be found."

Before running Ad-Aware on my computer I was getting a black screen as the wallpaper with a fake Windows Security Message and Brave Sentry was on my computer. I also had an icon in the right hand tray saying that Windows Updates were detected and must be downloaded immediately. After running Ad-Aware I tried to change my desktop wallpaper and everything is grayed out and cannot be selected except the pattern option. I've never had that happen!

So moving on from there with the 5 steps...
I removed the programs listed in Step 1 and in the spyware warrior. Brave Sentry was listed and I clicked remove but it is still coming up in my Start Menu.

Step 2 - I had already run Ad-Aware and when I tried to run the Panda Online Scan it immediately popped up the error message
"iexplore.exe has generated errors and will be closed by Windows"
This also closed the techsupport forum window and I could not open that back up in Internet Explorer without getting the above error for your site. So for now I'm using Mozilla.

Step 3 - I was able to download Spyware Blaster and IE-Spyad but the site for Spyware Guard kept pulling up a download for Spyware Doctor so I wasn't sure if I should install that.

Step 4 - I couldn't update my Windows Operating System because Windows won't allow you to if you're using Mozilla - only Internet Explorer, and if I'm on Internet Explorer I get the "iexplore.exe has generated errors..." window for that site

Step 5 - I included the main.txt and attached the extra.txt from the Deckard's System Scanner

Please help! I haven't had any problems in a while and now all of a sudden the computer is being bombarded! Please let me know if you have any other questions and let me know what I need to do to clean up my system. Thanks in advance for your help!

Deckard's System Scanner v20070328.36
Run by Administrator on 2007-04-04 at 00:03:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Administrator.exe) ---------------------------------------

HijackThis failed to provide a log after three minutes; running clone instead.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-04-04 00:11:40
Platform: Windows 2000 Service Pack 4 (5.00.2195)
MSIE: Internet Explorer (6.0.2800.1106)

Running processes:
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\SERVICES.EXE
C:\WINNT\system32\LSASS.EXE
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee.com\Agent\McTskshd.exe
C:\WINNT\explorer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\system32\promon.exe
C:\WINNT\LOGI_MWX.EXE
C:\WINNT\system32\CTFMON.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\Program Files\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E2A7E75-BCBB-BA4D-BD1E-BFEEFFF1BDE8} - C:\WINNT\system32\sbeyh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINNT\system32\tmpEE.tmp.dll
O2 - BHO: (no name) - {5ffc25f6-4e73-4592-af06-8d6b32cafde6} - C:\WINNT\system32\iasDSK.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\McAfee.com\VSO\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\Run: [Halflife] halflife2.exe
O4 - HKLM\..\Run: [Config Loader Alt] iexporer.exe
O4 - HKLM\..\Run: [IAimCMRtc] c:\winnt\temp\IAimCMRtc.exe
O4 - HKLM\..\Run: [n4l] c:\winnt\system32\n4l.exe
O4 - HKLM\..\Run: [lVjtZ.exe] c:\winnt\system32\lVjtZ.exe
O4 - HKLM\..\Run: [g] c:\winnt\temp\g.exe
O4 - HKLM\..\Run: [8p88soZma] c:\winnt\temp\8p88soZma.exe
O4 - HKLM\..\Run: [zYDnE3] c:\winnt\temp\zYDnE3.exe
O4 - HKLM\..\Run: [ViKiHxX] c:\winnt\system32\ViKiHxX.exe
O4 - HKLM\..\Run: [wESQ.exe] c:\winnt\system32\wESQ.exe
O4 - HKLM\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\Run: [e3egn] c:\winnt\temp\e3egn.exe
O4 - HKLM\..\Run: [Ammbqy] c:\winnt\system32\Ammbqy.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134780742\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\bywvtu.dll",setvm
O4 - HKLM\..\Run: [3Com] C:\WINNT\TEMP\FE.tmp
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\WINNT\TEMP\9695\explorer.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKLM\..\RunServices: [Halflife] halflife2.exe
O4 - HKLM\..\RunServices: [Config Loader Alt] iexporer.exe
O4 - HKLM\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: https://access.sapphire.com (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe /com
O23 - Service: Google Updater Service (gusvc) - Google - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - "C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\system32\QCONSVC.EXE
O23 - Service: qpyfydz - Unknown owner - "\\139.84.141.65\ADMIN$\halflife2.exe" -service
O23 - Service: Microsoft Service Manager (winmdgr) - Unknown owner - "C:\WINNT\winsvcmgr.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ANC - c:\winnt\system32\drivers\anc.sys
R1 Cdr4_2K - c:\winnt\system32\drivers\cdr4_2k.sys
R1 Cdralw2k - c:\winnt\system32\drivers\cdralw2k.sys
R1 IBMTPCHK - c:\winnt\system32\drivers\ibmbldid.sys
R1 TPHKDRV - c:\winnt\system32\drivers\tphkdrv.sys
R1 TPPWR - c:\winnt\system32\drivers\tppwr.sys
R2 driverpp (Plug and Play Support Driver) - c:\winnt\system32\msdrives\driverpp.sys
R2 irda (IrDA Protocol) - c:\winnt\system32\drivers\irda.sys
R3 IBMPMDRV - c:\winnt\system32\drivers\ibmpmdrv.sys
R3 ltck000c (Xircom MPCI+ Modem 56 WinGlobal Driver) - c:\winnt\system32\drivers\ltck000c.sys
R3 MxlW2k - c:\winnt\system32\drivers\mxlw2k.sys
R3 NSCIRDA (NSC Infrared Device Driver) - c:\winnt\system32\drivers\nscirda.sys
R3 Rasirda (WAN Miniport (IrDA Modem)) - c:\winnt\system32\drivers\rasirda.sys
R3 S3GSavageMX - c:\winnt\system32\drivers\s3gsavm.sys
R3 TwoTrack (IBM PS/2 TrackPoint Filter Driver) - c:\winnt\system32\drivers\twotrack.sys

S3 cwcspud (Crystal SoundFusion(tm) Driver) - c:\winnt\system32\drivers\cwcspud.sys (file missing)
S3 cwcwdm (Crystal SoundFusion(tm) WDM Driver) - c:\winnt\system32\drivers\cwcwdm.sys
S3 haxdrv - c:\winnt\system32\haxdrv.sys (file missing)
S3 MPE (BDA MPE Filter) - c:\winnt\system32\drivers\mpe.sys
S3 NaiAvFilter1 - c:\winnt\system32\drivers\naiavf5x.sys
S3 ntldr.sys - c:\ntldr.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 gb - c:\winnt\system32\svchost.exe -k netsvcs
R2 IBMPMSVC (IBM PM Service) - c:\winnt\system32\ibmpmsvc.exe
R2 Irmon (Infrared Monitor) - c:\winnt\system32\svchost.exe -k netsvcs
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart

S2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe"
S2 QCONSVC - system32\qconsvc.exe
S2 winmdgr (Microsoft Service Manager) - "c:\winnt\winsvcmgr.exe" (file missing)
S3 qpyfydz - "\\139.84.141.65\admin$\halflife2.exe" -service (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-03-30 04:00:00 504 --a------ C:\WINNT\Tasks\SpywareBot Scheduled Scan.job<SPYWAR~1.JOB>
2004-08-06 10:18:27 410 --a------ C:\WINNT\Tasks\BMMTask.job


-- Files created between 2007-03-04 and 2007-04-04 -----------------------------

2007-04-03 23:50:34 0 d-------- C:\ie-spyad
2007-04-03 23:41:39 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-04-03 23:24:33 208896 --a------ C:\WINNT\system32\wmpns.dll
2007-03-29 09:57:43 0 --a------ C:\WINNT\system32\plasting__<PLASTI~1>
2007-03-29 09:57:41 9728 --a------ C:\WINNT\system32\winctl.dll
2007-03-29 09:57:36 15872 --a------ C:\WINNT\system32\winctl.exe
2007-03-28 23:18:37 0 d-------- C:\Documents and Settings\Default User\Application Data\Google
2007-03-28 22:20:13 127240 --a------ C:\WINNT\system32\abcdefgh.dll
2007-03-28 22:14:15 69120 --a------ C:\WINNT\msdrv.exe
2007-03-28 22:13:57 32768 --a------ C:\WINNT\msdrvctrl.exe<MSDRVC~1.EXE>
2007-03-28 22:12:49 0 d-------- C:\WINNT\system32\msdrives
2007-03-28 22:07:36 169984 --a------ C:\WINNT\system32\bzam.dll
2007-03-28 22:07:26 12800 --a------ C:\WINNT\system32\netfilter.dll<NETFIL~1.DLL>
2007-03-28 2257 54784 --a------ C:\WINNT\system32\instcat.dll
2007-03-28 2206 13824 --a------ C:\WINNT\system32\max1d1641.exe<MAX1D1~1.EXE>
2007-03-28 22:05:49 1 --a------ C:\WINNT\system32\kr_done1
2007-03-28 22:04:09 1190394 --a------ C:\Documents and Settings\Administrator\Application Data\Install.dat
2007-03-22 23:43:14 106539 --a------ C:\WINNT\bywvtu.dll
2007-03-21 17:28:06 0 d-------- C:\Program Files\Lavasoft
2007-03-21 17:27:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-21 17:23:27 4322304 --a------ C:\Documents and Settings\Administrator\aawsepersonal.exe<AAWSEP~1.EXE>
2007-03-21 00:26:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Registry Cleaner<REGIST~1>
2007-03-21 00:25:35 0 d-------- C:\Program Files\Registry Cleaner Trial<REGIST~1>
2007-03-21 00:08:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\SpywareBot<SPYWAR~1>
2007-03-16 19:29:43 19716 --a------ C:\WINNT\system32\iasDSK.dll
2007-03-16 19:29:42 27251 --a------ C:\WINNT\system32\qopqq.exe
2007-03-16 19:24:41 8535 --a------ C:\WINNT\system32\mlljigd.dll
2007-03-16 19:19:46 0 d-------- C:\WINNT\system32\bak


-- Find3M Report ---------------------------------------------------------------

2007-04-03 23:22:56 0 d-------- C:\Program Files\Plaxo
2007-04-03 21:44:00 1285502 ---h----- C:\WINNT\ShellIconCache<SHELLI~1>
2007-03-28 22:08:51 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft<MICROS~1>
2007-03-28 21:02:48 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-28 21:02:44 0 d-------- C:\Program Files\iTunes
2007-03-28 21:02:33 0 d-------- C:\Program Files\REGSHAVE
2007-03-28 21:02:30 0 d-------- C:\Program Files\PestPatrol<PESTPA~1>
2007-03-21 17:29:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-03-15 17:53:03 0 d-------- C:\Program Files\Common Files\Network Associates<NETWOR~1>
2007-02-13 14:37:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint<VIEWPO~1>
2007-02-09 19:12:00 0 d-------- C:\Program Files\Google
2007-02-04 01:03:05 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3d8.dat<PERFLI~4.DAT>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
"Spyware Begone"="c:\\freescan\\freescan.exe -FastScan"
"Windows Processe Manager"="mspn32.exe"
"Registry Cleaner"="\"C:\\Program Files\\Registry Cleaner Trial\\Regclean.exe\" -startminimize"
"Brave-Sentry"="C:\\Program Files\\BraveSentry\\BraveSentry.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"Windows Processe Manager"="mspn32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"XircWinModem4"="ltcm000c.exe 9"
"Promon.exe"="Promon.exe"
"UC_Start"="C:\\Program Files\\IBM\\Updater\\\\ucstartup.exe"
"SoundFusion"="RunDll32 cwcprops.cpl,CrystalControlWnd"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Kaspersky Antivirus"="KasperskyAV.exe"
"Halflife"="halflife2.exe"
"Config Loader Alt"="iexporer.exe"
"IAimCMRtc"="c:\\winnt\\temp\\IAimCMRtc.exe"
"n4l"="c:\\winnt\\system32\\n4l.exe"
"lVjtZ.exe"="c:\\winnt\\system32\\lVjtZ.exe"
"g"="c:\\winnt\\temp\\g.exe"
"8p88soZma"="c:\\winnt\\temp\\8p88soZma.exe"
"zYDnE3"="c:\\winnt\\temp\\zYDnE3.exe"
"ViKiHxX"="c:\\winnt\\system32\\ViKiHxX.exe"
"wESQ.exe"="c:\\winnt\\system32\\wESQ.exe"
"Windows Processe Manager"="mspn32.exe"
"e3egn"="c:\\winnt\\temp\\e3egn.exe"
"Ammbqy"="c:\\winnt\\system32\\Ammbqy.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"Logitech Utility"="LOGI_MWX.EXE"
"EPSON Stylus Photo R200 Series"="C:\\WINNT\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O6 \"USB001\" /M \"Stylus Photo R200\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1134780742\\ee\\AOLSoftware.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TrackPointSrv"="tp4mon.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"SoundService"="rundll32.exe \"C:\\WINNT\\bywvtu.dll\",setvm"
"3Com"="C:\\WINNT\\TEMP\\FE.tmp"
"Svcs: Dnscache"="C:\\WINNT\\TEMP\\9695\\explorer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Kaspersky Antivirus"="KasperskyAV.exe"
"Halflife"="halflife2.exe"
"Config Loader Alt"="iexporer.exe"
"Windows Processe Manager"="mspn32.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Windows Processe Manager"="mspn32.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"DCOM Server 60787"="{2C1CD3D7-86AC-4068-93BC-A02304B60787}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Kaspersky Antivirus"="KasperskyAV.exe"
"Configuration Loader"="winmgrp.exe"
"Config Loader Alt"="iexporer.exe"
"WinNT Auth Manager"="msgfix.exe"
"e02FRhd9Q"="winesnpn.exe"
"Itu"="C:\\WINNT\\system32\\??anregw.exe"
"Windows Processe Manager"="mspn32.exe"
"ctfmon.exe"="ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"msdrvctrl"="C:\\WINNT\\msdrvctrl.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
gb



-- End of Deckard's System Scanner: finished at 2007-04-04 at 00:13:58 ---------

Last edited by procrastinator8 : 04-03-2007 at 09:46 PM. Reason: I wanted to post with a better title
procrastinator8 is offline  
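An added example, not part of this thread and not code from HijackThis, Deckard's System Scanner or any poster: a small Python script that does the first-pass reading an analyst does by eye on the O4 (autorun) and O23 (service) lines of a log like the one above. The regular expressions assume the HijackThis 1.99 line layout shown in the log; the checks themselves (binaries launched from a TEMP directory, a .tmp file run as a program, a service binary on a remote UNC share, names one or two edits away from a real system executable such as iexporer.exe versus iexplore.exe, a genuine system name like explorer.exe living outside the Windows directory, entries in the Windows 9x-era RunServices key, short vowel-less names, and a cross-reference against the scanner's "Files created" list) are my own choices, not a published rule set. The sample lines are copied from the log in the first post, except that the remote address in the qpyfydz service line is replaced by the RFC 5737 documentation address 192.0.2.10.

```python
"""Heuristic first-pass triage of HijackThis O4/O23 lines against the DSS 'Files created' list.
Added example for this thread; not code from HijackThis, Deckard's System Scanner or any post."""
import re
from pathlib import PureWindowsPath

# Line layouts as assumed from the HijackThis 1.99 log in the first post.
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \d+ \S{9} (?P<path>.+?)(?:<[^>]*>)?$")
# Names malware imitates (typo-squats) or borrows while hiding in the wrong directory.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "iexplore.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "csrss.exe", "rundll32.exe"}
WINDOWS_DIRS = {"winnt", "windows"}

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the typo-squat range (suchost vs svchost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_first(cmd):
    """First token of a command line (double quotes honoured) and the remainder."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:])
    head, _, rest = cmd.partition(" ")
    return head, rest

def target_of(cmd):
    """The file a command really loads; for rundll32 that is its DLL argument."""
    exe, rest = split_first(cmd)
    if PureWindowsPath(exe).stem.lower() == "rundll32":
        exe = split_first(rest)[0].split(",")[0]
    return exe

def in_windows_dir(path):
    """True for bare names (found via the system path) and for %windir% or %windir%\\system32."""
    parts = [p.lower() for p in path.parts]
    dirs = parts[1:-1]
    return len(parts) == 1 or (bool(dirs) and dirs[0] in WINDOWS_DIRS and dirs[1:] in ([], ["system32"]))

def triage_line(line, recent=frozenset()):
    """Review reasons for one O4/O23 line; an empty list means nothing stood out."""
    m = O4_RE.match(line) or O23_RE.match(line)
    if not m:
        return []
    fields, reasons = m.groupdict(), []
    exe = target_of(fields["cmd"])
    path = PureWindowsPath(exe)
    name, parts = path.name.lower(), [p.lower() for p in path.parts]
    if exe.startswith("\\\\"):
        reasons.append("binary lives on a remote share (UNC path)")
    if "temp" in parts:
        reasons.append("runs from a TEMP directory")
    if path.suffix.lower() == ".tmp":
        reasons.append("a .tmp file is being executed")
    if name in SYSTEM_BINARIES and not in_windows_dir(path):
        reasons.append(f"system binary name '{name}' outside the Windows directory")
    elif name not in SYSTEM_BINARIES:
        reasons += [f"'{name}' looks like a misspelling of '{real}'"
                    for real in sorted(SYSTEM_BINARIES) if edit_distance(name, real) <= 2]
    if len(path.stem) <= 6 and not any(c in "aeiouAEIOU" for c in path.stem):
        reasons.append(f"short vowel-less name '{path.stem}' (possibly generated)")
    if "runservices" in fields.get("where", "").lower():
        reasons.append("RunServices key: a Windows 9x-era key with no normal use on Windows 2000")
    if str(path).lower() in recent:
        reasons.append("file was created inside the scanner's recent-file window")
    return reasons

def recent_files(text):
    """Lower-cased paths from the DSS 'Files created between ...' section."""
    found, active = set(), False
    for line in text.splitlines():
        if line.startswith("-- Files created"):
            active = True
        elif line.startswith("-- ") and active:
            break
        elif active and (m := FILE_RE.match(line)):
            found.add(m.group("path").lower())
    return found

def triage(text):
    """Map each notable log line to its reasons, using the file list for cross-reference."""
    recent = recent_files(text)
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln, recent))}

# Lines copied from the first post's log; remote address replaced by the documentation address 192.0.2.10.
SAMPLE = r"""O4 - HKLM\..\Run: [Config Loader Alt] iexporer.exe
O4 - HKLM\..\Run: [3Com] C:\WINNT\TEMP\FE.tmp
O4 - HKLM\..\Run: [Svcs: Dnscache] C:\WINNT\TEMP\9695\explorer.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\bywvtu.dll",setvm
O4 - HKLM\..\RunServices: [Windows Processe Manager] mspn32.exe
O23 - Service: qpyfydz - Unknown owner - "\\192.0.2.10\ADMIN$\halflife2.exe" -service
-- Files created between 2007-03-04 and 2007-04-04 -----------------------------
2007-03-22 23:43:14 106539 --a------ C:\WINNT\bywvtu.dll
-- Find3M Report ---------------------------------------------------------------"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE).items():
        print(line, *("   -> " + w for w in why), sep="\n")
```

The output is a review list, not a verdict: the bywvtu.dll line is caught only because its DLL also appears in the "Files created" section, which is exactly the cross-reference an analyst makes between the Run keys and the recent-file list, and the vowel-less rule is deliberately limited to six characters so that legitimate vendor files such as ltcm000c.exe are not swept up. Run the script on a full log saved as text (pass the file contents to `triage`) and compare its list with the entries the analyst names in the fix line of post #4.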
Old 04-09-2007, 03:45 PM   #2 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 3
OS: Win2000


Re: Multiple Spyware or Virus Problems!

BUMP

This is getting worse now. I can't open Internet Explorer without an error. When I try to open My Computer or Control Panel after I click on it my screen blinks and then it acts like I haven't tried to open them. I followed all the steps I could and I'm not sure what to do!
procrastinator8 is offline  
Old 04-09-2007, 06:06 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 19,079
OS: WinXP and Vista


Re: Multiple Spyware or Virus Problems!

Hello procrastinator8 and welcome to TSF,

This system is terribly infected. I'll be working on a fix for you and have the instructions posted for you this evening.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider donating.

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-09-2007, 06:40 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 19,079
OS: WinXP and Vista


Re: Multiple Spyware or Virus Problems!

Hi,

This is so bad, we're going to run a few tools first to try to bring it a bit under control and go after what's left. This will take a few rounds so please stay with me.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions completely and in the sequence listed below.

***************************************************

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

-----------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop. Do not run it yet.

----------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Disconnect this PC from the internet.

--------------------------------------------------------------------


Go to Start>Run then copy/paste the following red text into the Run box then click OK

"%userprofile%\desktop\combofix.exe" /wow-drv gb qpyfydz /v mlljigd iasDSK sbeyh winctl abcdefgh bzam

When finished, it shall produce a log for you. We'll need that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------------

After ComboFix reboots into Normal Mode, restart your system into Safe Mode:

Reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files if they still exist:

C:\WINNT\system32\tmpEE.tmp.dll
C:\WINNT\system32\kr_done1
C:\WINNT\bywvtu.dll
C:\WINNT\system32\qopqq.exe
C:\WINNT\system32\winctl.exe


--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt I'll need that in your next reply.

--------------------------------------------------------------------

One more time, restart your system back into Safe Mode.

--------------------------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hitting Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hitting Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot into Normal Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

--------------------------------------------------------------------

Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

--------------------------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone?" by typing Y and hit Enter.

Notes

1. If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

2. As many of the variants of Smitfraud have begun invading the Hosts file, this tool will reset your Hosts file as a necessary precaution. You will also have to reset any specific modifications you may require such as Hosts MVPS.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Run a scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply in the order listed: (Use multiple posts if needed)

C:\ComboFix2.txt
C:\SDFix\Report.txt
C:\rapport.txt
C:\ComboFix.txt
New HijackThis log
Update on system behavior


Has your Anti-Virus expired?
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider donating.

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried : 04-09-2007 at 06:52 PM.
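Note 2 above says the tool resets the Hosts file, which also wipes deliberate additions such as the MVPS Hosts list. As an added example that is not part of the post or of SmitfraudFix, this script audits a Hosts file and separates blocking entries (hostname pointed at loopback or 0.0.0.0, as MVPS does) from redirections (hostname pointed at some other address), so you can see what a reset will discard and what looked like a hijack. The sample Hosts text and its hostnames are constructed for illustration.

```python
"""Audit a Windows Hosts file for non-default entries.

Added example, not the forum's or the tool's own code. The sample
Hosts text below is constructed; the hostnames are placeholders.
"""
import ipaddress

# Entries a stock Windows Hosts file is expected to carry.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                    # one line may list several names
            yield ip, name.lower()


def classify(ip):
    """'block' for loopback/0.0.0.0 (MVPS style), else 'redirect'."""
    addr = ipaddress.ip_address(ip)           # raises ValueError on garbage
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"


def audit_hosts(text):
    """Return every non-default entry as {"ip", "host", "kind"}."""
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_HOSTS:
            continue
        try:
            kind = classify(ip)
        except ValueError:
            kind = "invalid"                  # malformed address field
        findings.append({"ip": ip, "host": host, "kind": kind})
    return findings


# Constructed sample: stock entry, an MVPS-style block, and a redirect.
SAMPLE_HOSTS = """# stock header comment
127.0.0.1       localhost
0.0.0.0   ad.tracker.example        # MVPS-style block entry
192.0.2.10  update.vendor.example   # redirect to a foreign address
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['kind']:8} {f['ip']:15} {f['host']}")
```

On the affected PC the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; "redirect" findings are the ones worth questioning before a reset.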
Old 04-09-2007, 09:12 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 3
OS: Win2000


Re: Multiple Spyware or Virus Problems!

I followed all the directions. At the end the Hijack scan is freezing and I reconnected my LAN connection but I can't access the internet now with either Internet Explorer or Mozilla. I'm on another computer so I can't send the txt files. During the steps I did encounter a few things that wouldn't work.

For SmitFraudFix.exe I tried to enter 2 but I kept getting a McAfee Virus scan window pop up saying "A suspicious script has been detected" and I tried to bypass that but then I got a "registry error" stating "Cannot import cleanup.reg: Error accessing the registry." When I rebooted in Normal mode I got the error that I had mentioned before "Error loading cwcprops.cpl".

When I tried to run SmitFraudFix.exe again I got the same pop up with the Suspicious script... from McAfee.

HiJack was able to finish up and I saved the txt file but I'm not sure how to get everything to you now that the internet is not working. It is detecting the LAN connection definitely but then IE and Mozilla are not connecting.
Old 04-10-2007, 08:48 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,079
OS: WinXP and Vista


Re: Multiple Spyware or Virus Problems!

It sounds as though McAfee 'disinfected' the SmitfraudFix tool. See if the clean.reg is located in the McAfee Quarantine folder--if it is, restore it and run SmitfraudFix Option 2 and 3 over again. Disable McAfee while doing so!

If the file is not recoverable, you'll need to download SmitfraudFix again and repeat the instructions given in my last post.

Do you have access to another computer? Copy the reports to any removable media from this PC and post them to me using another PC.
Copyright 2001 - 2008, Tech Support Forum