Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
pop ups .CThelper. hjt log attached pop ups .CThelper. hjt log attached
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
 
Thread Tools
Old 05-24-2008, 05:01 AM   #1 (permalink)
Registered User
 
Join Date: May 2005
Posts: 11
OS: xp


pop ups .CThelper. hjt log attached
Deckard's System Scanner v20071014.68
Run by gayle on 2008-05-24 21:37:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
90: 2008-05-24 11:37:12 UTC - RP232 - Deckard's System Scanner Restore Point
89: 2008-05-24 11:23:01 UTC - RP231 - Software Distribution Service 3.0
88: 2008-05-23 11:57:22 UTC - RP230 - System Checkpoint
87: 2008-05-22 11:49:59 UTC - RP229 - System Checkpoint
86: 2008-05-21 11:44:20 UTC - RP228 - System Checkpoint


-- First Restore Point --
1: 2008-03-06 08:20:18 UTC - RP143 - Installed Windows Installer KB893803v2.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-24 21:38:19
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\gayle\Local Settings\Temporary Internet Files\Content.IE5\CT234D6R\dss[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?wl=true
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet Cable
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - SITEguard - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1211627989796
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\..\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 6529 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>

S3 PciCon - h:\pcicon.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 msupdate (Microsoft security update service) - c:\windows\system32\..\svchost.exe (file missing)
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-24 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-05-24 20:58:01 254 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-05-24 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-05-24 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-05-24 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-05-24 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-05-24 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-05-24 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-05-24 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-05-24 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-05-24 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-05-24 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-05-24 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-05-24 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-05-24 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-05-24 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-05-24 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-05-24 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-05-24 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-05-24 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-05-24 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-05-24 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-05-24 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-05-23 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-05-23 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-05-21 21:38:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 21:19:57 0 d-------- C:\WINDOWS\LastGood
2008-05-24 21:16:25 0 d-------- C:\Documents and Settings\gayle\Application Data\WinRAR
2008-05-24 21:05:06 0 d-------- C:\ie-spyad_zo
2008-05-24 21:00:34 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-05-24 21:00:33 0 d-------- C:\Program Files\SpywareBlaster
2008-05-24 19:09:36 0 d-------- C:\Program Files\Panda Security
2008-05-23 21:08:39 0 d-------- C:\Documents and Settings\gayle\Application Data\Winamp
2008-05-23 21:08:03 0 d-------- C:\Documents and Settings\gayle\Application Data\DivX
2008-05-20 19:35:43 0 dr-h----- C:\Documents and Settings\dan\Recent
2008-05-15 19:59:55 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-15 19:53:22 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-15 19:53:22 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-05 11:49:55 0 d-------- C:\Program Files\ImTOO
2008-04-29 18:02:18 0 d-------- C:\Program Files\Flagship Studios


-- Find3M Report ---------------------------------------------------------------

2008-05-22 22:27:59 0 d-------- C:\Documents and Settings\gayle\Application Data\Adobe
2008-05-07 20:18:27 0 d-------- C:\Program Files\Activision Value
2008-04-27 15:30:01 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-21 14:42:11 0 d-------- C:\Program Files\Apple Software Update
2008-04-19 23:39:01 0 d-------- C:\Program Files\DivX
2008-04-19 14:35:29 0 d-------- C:\Program Files\Nokia
2008-04-19 14:35:04 0 d-------- C:\Program Files\MSXML 6.0
2008-04-19 14:34:41 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-19 07:07:12 0 d-------- C:\Program Files\Common Files
2008-04-19 07:07:12 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-19 0753 0 d-------- C:\Program Files\DIFX
2008-04-19 0743 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-08 21:09:58 0 d-------- C:\Program Files\Windows Live
2008-04-07 16:31:08 0 d-------- C:\Program Files\iTunes
2008-04-07 16:30:57 0 d-------- C:\Program Files\iPod
2008-04-07 16:28:38 0 d-------- C:\Program Files\QuickTime
2008-04-01 07:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 07:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 07:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-04-01 07:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 07:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-30 08:23:11 0 d-------- C:\Program Files\CCleaner
2008-03-29 1920 0 d-------- C:\Program Files\Common Files\iS3
2008-03-22 06:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-22 06:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-22 06:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-22 06:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-09 13:49:10 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-03-09 13:49:10 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE84A6AA-A333-4B92-B276-C11E2212E4FE}]
12/15/2006 06:34 PM 599472 --a------ C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [03/19/2004 06:33 PM C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [12/03/2002 06:06 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [09/17/2003 10:43 AM]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [06/18/2003 01:00 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 07:50 PM]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [10/23/2005 12:00 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/16/2008 08:54 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
"C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc




-- End of Deckard's System Scanner: finished at 2008-05-24 21:40:35 ------------


hi, i am having some performance issues with my computer, with a cthelper popup coming up everytime i turn on/off my computer. also there is an issue with on my desktop, the bottom half of my desktop picture has turned black, and all the icons, green start menu button etc, basically anything on the bottom of my screen, seems inactive, nothing happens when i click on them.

i have attached extra.txt and activescan as well
Attached Files
File Type: txt extra.txt (24.8 KB, 0 views)
File Type: txt ActiveScan.txt (39.1 KB, 0 views)
khornedaemon is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-28-2008, 05:45 AM   #2 (permalink)
Registered User
 
Join Date: May 2005
Posts: 11
OS: xp


Re: pop ups .CThelper. hjt log attached
*bump*
khornedaemon is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 05-31-2008, 09:46 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,098
OS: WinXP and Vista


Re: pop ups .CThelper. hjt log attached
Hello khornedaemon,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-03-2008, 12:23 AM   #4 (permalink)
Registered User
 
Join Date: May 2005
Posts: 11
OS: xp


Re: pop ups .CThelper. hjt log attached
ComboFix 08-06-01.6 - gayle 2008-06-03 16:28:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1101 [GMT 10:00]
Running from: C:\Documents and Settings\gayle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gayle\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\gayle\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Service_msupdate


((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-05-27 20:51 . 2008-05-27 20:51 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-05-27 20:51 . 2008-05-27 20:51 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-05-27 20:06 . 2008-05-27 20:06 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Creative
2008-05-27 20:06 . 2008-05-31 17:22 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Apple Computer
2008-05-27 19:50 . 2008-05-27 20:20 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Nokia
2008-05-25 13:27 . 2008-05-25 13:27 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\skypePM
2008-05-25 13:24 . 2008-05-25 13:46 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Skype
2008-05-24 21:36 . 2008-05-24 21:36 <DIR> d-------- C:\Deckard
2008-05-24 21:05 . 2008-05-24 21:05 <DIR> d-------- C:\ie-spyad_zo
2008-05-24 21:00 . 2008-05-24 21:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-24 21:00 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-24 21:00 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-24 21:00 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-24 19:09 . 2008-05-24 19:09 <DIR> d-------- C:\Program Files\Panda Security
2008-05-23 21:08 . 2008-05-23 22:28 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Winamp
2008-05-23 21:08 . 2008-05-23 21:08 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\DivX
2008-05-15 20:00 . 2006-10-05 00:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-05-15 20:00 . 2006-10-05 00:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-05-15 20:00 . 2006-10-05 00:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-05-15 19:59 . 2008-05-15 19:59 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-15 19:53 . 2008-05-15 19:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-15 19:53 . 2008-05-15 19:56 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-05 11:49 . 2008-05-05 11:49 <DIR> d-------- C:\Program Files\ImTOO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 06:41 9,031,712 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-03 06:34 121,964 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 10:51 --------- d-----w C:\Program Files\Nokia
2008-05-20 22:29 --------- d-----w C:\Documents and Settings\dan\Application Data\DNA
2008-05-14 07:43 --------- d-----w C:\Documents and Settings\dan\Application Data\Skype
2008-05-14 06:03 --------- d-----w C:\Documents and Settings\dan\Application Data\skypePM
2008-05-07 10:18 --------- d-----w C:\Program Files\Activision Value
2008-04-29 11:44 3,080,704 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-29 11:44 1,697,280 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-29 08:02 --------- d-----w C:\Program Files\Flagship Studios
2008-04-27 17:06 1,690,624 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-27 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-21 04:42 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 00:33 --------- d-----w C:\Documents and Settings\dan\Application Data\Nokia Multimedia Player
2008-04-20 00:31 --------- d-----w C:\Documents and Settings\dan\Application Data\Nokia
2008-04-19 13:39 --------- d-----w C:\Program Files\DivX
2008-04-19 04:35 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-19 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-04-18 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-04-18 21:12 --------- d-----w C:\Documents and Settings\dan\Application Data\PC Suite
2008-04-18 21:11 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-18 21:11 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-18 21:06 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-18 21:06 --------- d-----w C:\Program Files\DIFX
2008-04-15 15:26 2,670,080 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-08 11:09 --------- d-----w C:\Program Files\Windows Live
2008-04-07 06:31 --------- d-----w C:\Program Files\iTunes
2008-04-07 06:30 --------- d-----w C:\Program Files\iPod
2008-04-07 06:28 --------- d-----w C:\Program Files\QuickTime
2008-04-02 09:26 2,747,392 ----a-w C:\WINDOWS\Internet Logs\xDBCB.tmp
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-21 05:44 2,431,488 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-03-21 05:44 2,406,912 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-03-21 05:36 2,431,488 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-03-16 06:40 2,459,136 ----a-w C:\WINDOWS\Internet Logs\xDBA6.tmp
2008-03-13 13:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 13:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-09 22:40 2,747,904 ----a-w C:\WINDOWS\Internet Logs\xDB8A.tmp
2008-03-09 03:49 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2008-03-09 03:49 2,272 ----a-w C:\WINDOWS\system32\w95inf16.dll
2008-02-14 09:46 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2004-03-19 18:33 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00 45056]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 19:50 155648]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 00:00 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 08:54 37376]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 23:08 136136 C:\Program Files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-23 00:00 385024 C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2007-06-19 10:17 1241088 C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 18:37 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-10-23 00:00]
S3 CCCP106;CIF USB Camera (2110A);C:\WINDOWS\system32\DRIVERS\cccp106.sys [2003-04-28 16:08]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 PciCon;PciCon;H:\PciCon.sys []
S3 upperdev;upperdev;C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 UsbserFilt;UsbserFilt;C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 11:38:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-02 14:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 23:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-03 00:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-03 01:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-03 02:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-03 03:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-03 04:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-03 05:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-03 06:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 07:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 08:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 15:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 09:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 10:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 11:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 12:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 13:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 16:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 17:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 18:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 19:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 20:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 21:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-02 22:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\Y866f04y.exe
"2008-06-03 06:35:42 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 16:38:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\urlmon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-03 16:57:48 - machine was rebooted [gayle]
ComboFix-quarantined-files.txt 2008-06-03 06:53:00

Pre-Run: 75,471,536,128 bytes free
Post-Run: 75,951,153,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

272 --- E O F --- 2008-02-04 08:05:59




Deckard's System Scanner v20071014.68
Run by gayle on 2008-06-03 17:21:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as gayle.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:12 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\gayle\Desktop\dss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\gayle.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1211627989796
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6286 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-03 17:22:02 0 d-------- C:\Program Files\Trend Micro
2008-06-03 16:27:54 0 d-------- C:\cmdcons
2008-06-03 16:26:10 68096 --a------ C:\WINDOWS\zip.exe
2008-06-03 16:26:10 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-03 16:26:10 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-03 16:26:10 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-03 16:26:10 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-03 16:26:10 98816 --a------ C:\WINDOWS\sed.exe
2008-06-03 16:26:10 80412 --a------ C:\WINDOWS\grep.exe
2008-06-03 16:26:10 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-27 20:51:31 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-27 20:51:30 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-27 2046 0 d-------- C:\Documents and Settings\gayle\Application Data\Creative
2008-05-27 2010 0 d-------- C:\Documents and Settings\gayle\Application Data\Apple Computer
2008-05-27 19:50:12 0 d-------- C:\Documents and Settings\gayle\Application Data\Nokia
2008-05-25 13:27:04 0 d-------- C:\Documents and Settings\gayle\Application Data\skypePM
2008-05-25 13:24:24 0 d-------- C:\Documents and Settings\gayle\Application Data\Skype
2008-05-24 21:16:25 0 d-------- C:\Documents and Settings\gayle\Application Data\WinRAR
2008-05-24 21:05:06 0 d-------- C:\ie-spyad_zo
2008-05-24 21:00:34 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-05-24 21:00:33 0 d-------- C:\Program Files\SpywareBlaster
2008-05-24 19:09:36 0 d-------- C:\Program Files\Panda Security
2008-05-23 21:08:39 0 d-------- C:\Documents and Settings\gayle\Application Data\Winamp
2008-05-23 21:08:03 0 d-------- C:\Documents and Settings\gayle\Application Data\DivX
2008-05-20 19:35:43 0 dr-h----- C:\Documents and Settings\dan\Recent
2008-05-15 19:59:55 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-15 19:53:22 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-15 19:53:22 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-05 11:49:55 0 d-------- C:\Program Files\ImTOO


-- Find3M Report ---------------------------------------------------------------

2008-05-28 20:12:46 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-27 20:51:31 0 d-------- C:\Program Files\Common Files
2008-05-27 20:51:30 0 d-------- C:\Program Files\Nokia
2008-05-22 22:27:59 0 d-------- C:\Documents and Settings\gayle\Application Data\Adobe
2008-05-07 20:18:27 0 d-------- C:\Program Files\Activision Value
2008-04-29 18:02:18 0 d-------- C:\Program Files\Flagship Studios
2008-04-21 14:42:11 0 d-------- C:\Program Files\Apple Software Update
2008-04-19 23:39:01 0 d-------- C:\Program Files\DivX
2008-04-19 14:35:04 0 d-------- C:\Program Files\MSXML 6.0
2008-04-19 0753 0 d-------- C:\Program Files\DIFX
2008-04-19 0743 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-08 21:09:58 0 d-------- C:\Program Files\Windows Live
2008-04-07 16:31:08 0 d-------- C:\Program Files\iTunes
2008-04-07 16:30:57 0 d-------- C:\Program Files\iPod
2008-04-07 16:28:38 0 d-------- C:\Program Files\QuickTime
2008-04-01 07:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 07:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-01 07:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-04-01 07:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 07:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-22 06:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-22 06:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-22 06:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-22 06:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-09 13:49:10 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-03-09 13:49:10 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE84A6AA-A333-4B92-B276-C11E2212E4FE}]
12/15/2006 06:34 PM 599472 --a------ C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [03/19/2004 06:33 PM C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [12/03/2002 06:06 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [09/17/2003 10:43 AM]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [06/18/2003 01:00 AM]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 07:50 PM]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [10/23/2005 12:00 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/16/2008 08:54 AM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [06/18/2007 03:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
"C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc




-- End of Deckard's System Scanner: finished at 2008-06-03 17:22:45 ------------

hi, here are a couple of scans for you to view. thank you
khornedaemon is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-03-2008, 07:16 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,098
OS: WinXP and Vista


Re: pop ups .CThelper. hjt log attached
You're welcome, khornedaemon. : )

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\System32\Y866f04y.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis.exe (not dss.exe) and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-10-2008, 03:09 PM   #6 (permalink)
Registered User
 
Join Date: May 2005
Posts: 11
OS: xp


Re: pop ups .CThelper. hjt log attached
hi system seems to be improving, the desktop pic is back to normal and i can use everything on the desktop now, but i am still getting that cthelper pop ups when i turn my computer on and off, and last night when i was logged on to another account i was having trouble with nothing working so i had to turn it off at the switch. but anyway here are the logs you requested.

thanks again

d


ComboFix 08-06-01.6 - gayle 2008-06-10 19:19:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1177 [GMT 10:00]
Running from: C:\Documents and Settings\gayle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gayle\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-08 16:03 . 2008-06-08 16:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 16:03 . 2008-06-08 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 17:22 . 2008-06-03 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 20:51 . 2008-05-27 20:51 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-05-27 20:51 . 2008-05-27 20:51 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-05-27 20:06 . 2008-05-27 20:06 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Creative
2008-05-27 20:06 . 2008-05-31 17:22 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Apple Computer
2008-05-27 19:50 . 2008-05-27 20:20 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Nokia
2008-05-25 13:27 . 2008-05-25 13:27 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\skypePM
2008-05-25 13:24 . 2008-05-25 13:46 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Skype
2008-05-24 21:36 . 2008-05-24 21:36 <DIR> d-------- C:\Deckard
2008-05-24 21:05 . 2008-05-24 21:05 <DIR> d-------- C:\ie-spyad_zo
2008-05-24 21:00 . 2008-05-24 21:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-24 21:00 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-24 21:00 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-24 21:00 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-24 19:09 . 2008-05-24 19:09 <DIR> d-------- C:\Program Files\Panda Security
2008-05-23 21:08 . 2008-05-23 22:28 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\Winamp
2008-05-23 21:08 . 2008-05-23 21:08 <DIR> d-------- C:\Documents and Settings\gayle\Application Data\DivX
2008-05-15 20:00 . 2006-10-05 00:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-05-15 20:00 . 2006-10-05 00:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-05-15 20:00 . 2006-10-05 00:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-05-15 19:59 . 2008-05-15 19:59 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-15 19:53 . 2008-05-15 19:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-15 19:53 . 2008-05-15 19:56 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 09:08 --------- d-----w C:\Documents and Settings\dan\Application Data\DNA
2008-06-10 07:59 9,748,512 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-03 07:56 2,158,510 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-03 07:55 122,420 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 10:51 --------- d-----w C:\Program Files\Nokia
2008-05-14 07:43 --------- d-----w C:\Documents and Settings\dan\Application Data\Skype
2008-05-14 06:03 --------- d-----w C:\Documents and Settings\dan\Application Data\skypePM
2008-05-07 10:18 --------- d-----w C:\Program Files\Activision Value
2008-05-05 01:49 --------- d-----w C:\Program Files\ImTOO
2008-04-29 11:44 3,080,704 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-29 11:44 1,697,280 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-29 08:02 --------- d-----w C:\Program Files\Flagship Studios
2008-04-27 17:06 1,690,624 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-27 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-21 04:42 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 00:33 --------- d-----w C:\Documents and Settings\dan\Application Data\Nokia Multimedia Player
2008-04-20 00:31 --------- d-----w C:\Documents and Settings\dan\Application Data\Nokia
2008-04-19 13:39 --------- d-----w C:\Program Files\DivX
2008-04-19 04:35 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-19 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-04-18 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-04-18 21:12 --------- d-----w C:\Documents and Settings\dan\Application Data\PC Suite
2008-04-18 21:11 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-18 21:11 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-18 21:06 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-18 21:06 --------- d-----w C:\Program Files\DIFX
2008-04-15 15:26 2,670,080 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-02 09:26 2,747,392 ----a-w C:\WINDOWS\Internet Logs\xDBCB.tmp
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-21 05:44 2,431,488 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-03-21 05:44 2,406,912 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-03-21 05:36 2,431,488 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-03-16 06:40 2,459,136 ----a-w C:\WINDOWS\Internet Logs\xDBA6.tmp
2008-03-13 13:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 13:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-02-14 09:46 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-03_16.44.38.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 06:35:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 09:11:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 02:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 05:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 05:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-06-03 06:35:45 311,616 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-10 09:15:11 313,492 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-05-30 16:08:57 9,284,942 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-06-09 09:22:54 9,374,888 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2008-04-27 15:33:21 11,567,616 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-06-07 04:07:50 11,588,096 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2004-03-19 18:33 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00 45056]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 19:50 155648]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 00:00 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 23:08 136136 C:\Program Files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-23 00:00 385024 C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2007-06-19 10:17 1241088 C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 18:37 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-10-23 00:00]
S3 CCCP106;CIF USB Camera (2110A);C:\WINDOWS\system32\DRIVERS\cccp106.sys [2003-04-28 16:08]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]