Tech Support Forum - HijackThis Log Help
#1
Registered User
Join Date: Jul 2008
Posts: 1
OS: Vista Home
Pop-ups, performance issues, windows/system32/dzruzw.dll
DSS Scan is below, horrible system performance. Iexplorer gets absolutely dominated with pop-ups when I open it. Some possible trouble areas are the random .dll files in the system32 folder. Any help is greatly appreciated. Sorry I couldn't be more specific, but I really don't know much about this.
Deckard's System Scanner v20071014.68
Run by Mike on 2008-07-07 02:20:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
15: 2008-07-06 06:28:17 UTC - RP600 - Scheduled Checkpoint
14: 2008-07-05 17:13:37 UTC - RP599 - Scheduled Checkpoint
13: 2008-07-04 23:09:54 UTC - RP598 - Scheduled Checkpoint
12: 2008-07-03 07:00:26 UTC - RP597 - Windows Update
11: 2008-07-02 19:11:16 UTC - RP596 - Scheduled Checkpoint

-- First Restore Point --
1: 2008-06-23 15:38:16 UTC - RP586 - Windows Vista Service Pack 1

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:54 AM, on 7/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Mike\Desktop\dss.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mike.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\geBqQJyX.dll,#1
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Mike\AppData\Local\Temp\qoMghGxY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Mike\AppData\Local\Temp\cbXonnLf.dll,c
O4 - HKCU\..\Run: [BMf363b484] Rundll32.exe "C:\Users\Mike\AppData\Local\Temp\vptortcb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F86646-8A1F-4FA3-B4AF-7531341EE00D}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9264 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080627-121421-609 O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
backup-20080627-121421-791 O4 - HKLM\..\Run: [Updater] C:\Windows\system32\updater\explorer.exe
backup-20080628-042942-216 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
backup-20080628-042942-340 O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
backup-20080628-042942-385 O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
backup-20080628-042942-561 O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
backup-20080628-042942-683 O4 - HKCU\..\Run: [BMf363b484] Rundll32.exe "C:\Users\Mike\AppData\Local\Temp\hqrpixjc.dll",s
backup-20080628-042942-860 O4 - HKCU\..\Run: [f0508718] rundll32.exe "C:\Users\Mike\AppData\Local\Temp\drarjoow.dll",b
backup-20080628-043014-993 O4 - HKCU\..\Run: [BMf363b484] Rundll32.exe "C:\Users\Mike\AppData\Local\Temp\hqrpixjc.dll",s
backup-20080628-043252-296 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 ASPI (Advanced SCSI Programming Interface Driver) - \??\c:\windows\system32\drivers\aspi32.sys
S3 RT25USBAP (Nintendo Wi-Fi USB Connector Service) - c:\windows\system32\drivers\rt25usbap.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S2 LiveUpdate Notice Ex (LiveUpdate Notice Service Ex) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S2 RoxLiveShare9 (LiveShare P2P Server 9) - "c:\program files\common files\roxio shared\9.0\sharedcom\roxliveshare9.exe" (file missing)
S3 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>
S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Nintendo Wi-Fi USB Connector
Device ID: USB\VID_0411&PID_008B\000D0BED986E
Manufacturer:
Name: Nintendo Wi-Fi USB Connector
PNP Device ID: USB\VID_0411&PID_008B\000D0BED986E
Service:

-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-07 01:56:03 0 d-------- C:\ie-spyad_zo
2008-07-07 01:54:54 0 d-------- C:\Program Files\SpywareBlaster
2008-07-07 01:49:00 0 d-------- C:\Program Files\Panda Security
2008-06-24 14:20:57 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-20 13:25:43 256 --a------ C:\Windows\system32\pool.bin
2008-06-20 13:23:46 0 d-------- C:\Program Files\Common Files\Research In Motion
2008-06-20 13:23:40 0 d-------- C:\Program Files\Research In Motion
2008-06-19 20:35:34 0 d-------- C:\Program Files\Ventrilo
2008-06-19 20:35:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 16:31:45 0 d-------- C:\Users\All Users\Xfire
2008-06-19 16:31:44 0 d-------- C:\Program Files\Xfire
2008-06-14 15:07:40 269156 --a------ C:\Users\Mike\installer-8494-19en-Age-of-Empires-III-English.exe
2008-06-13 16:49:57 10752 --a------ C:\Windows\DCEBoot.exe
2008-06-13 13:01:54 0 d-------- C:\Program Files\NeroInstall.bak
2008-06-13 12:52:05 0 d-------- C:\Users\All Users\Nero
2008-06-13 12:52:05 0 d-------- C:\Program Files\Nero
2008-06-13 12:52:05 0 d-------- C:\Program Files\Common Files\Nero
2008-06-13 12:44:36 25088 --a------ C:\Windows\system32\geBqQJyX.dll
2008-06-07 10:48:22 0 d-------- C:\Program Files\MSN Money Investment Toolbox

-- Find3M Report ---------------------------------------------------------------

2008-07-07 01:37:01 0 d-------- C:\Program Files\Warcraft III
2008-07-07 00:56:12 0 d-------- C:\Program Files\Starcraft
2008-07-06 04:39:29 0 d-------- C:\Users\Mike\AppData\Roaming\LimeWire
2008-06-28 00:04:09 0 d-------- C:\Program Files\Common Files\Steam
2008-06-27 12:10:45 0 d-------- C:\Program Files\Trend Micro
2008-06-24 19:44:04 0 d-------- C:\Users\Mike\AppData\Roaming\uTorrent
2008-06-23 12:19:48 174 --ahs---- C:\Program Files\desktop.ini
2008-06-23 12:11:56 0 d-------- C:\Program Files\Windows Sidebar
2008-06-23 12:11:56 0 d-------- C:\Program Files\Windows Calendar
2008-06-23 12:11:56 0 d-------- C:\Program Files\Movie Maker
2008-06-23 12:11:54 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-23 12:11:54 0 d-------- C:\Program Files\Windows Mail
2008-06-23 12:11:54 0 d-------- C:\Program Files\Windows Journal
2008-06-23 12:11:54 0 d-------- C:\Program Files\Windows Collaboration
2008-06-23 12:11:53 0 d-------- C:\Program Files\Windows Defender
2008-06-21 18:23:50 0 d-------- C:\Program Files\Zune
2008-06-20 19:08:56 0 d-------- C:\Program Files\World of Warcraft
2008-06-20 13:25:39 0 d-------- C:\Users\Mike\AppData\Roaming\Research In Motion
2008-06-20 13:23:46 0 d-------- C:\Program Files\Common Files
2008-06-20 13:20:16 0 d-------- C:\Program Files\Roxio
2008-06-20 13:20:09 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-20 13:20:09 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-20 00:50:58 0 d-------- C:\Users\Mike\AppData\Roaming\Xfire
2008-06-19 16:40:37 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-06-19 16:37:42 0 d-------- C:\Program Files\VideoLAN
2008-06-13 15:57:51 0 d-------- C:\Users\Mike\AppData\Roaming\My Games
2008-06-13 14:18:04 0 d-------- C:\Users\Mike\AppData\Roaming\InstallShield Installation Information
2008-06-13 14 00 0 d-------- C:\Users\Mike\AppData\Roaming\InstallShield
2008-06-13 13:36:55 0 d-------- C:\Users\Mike\AppData\Roaming\Firaxis Games
2008-06-13 13:34:30 0 d-------- C:\Users\Mike\AppData\Roaming\DAEMON Tools Pro
2008-06-13 12:58:15 0 d-------- C:\Users\Mike\AppData\Roaming\Nero
2008-06-13 12:48:49 0 d-------- C:\Program Files\Project64 1.6
2008-06-04 19:56:38 0 d-------- C:\Program Files\LimeWire
2008-06-04 13:35:44 0 d-------- C:\Program Files\Sun
2008-06-04 13:35:35 0 d-------- C:\Program Files\Java
2008-06-02 15:03:41 0 d-------- C:\Program Files\Sony
2008-06-02 15:03:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 14:52:16 0 d-------- C:\Users\Mike\AppData\Roaming\Sony Corporation
2008-06-02 14:39:51 0 d-------- C:\Program Files\Common Files\Sony Shared
2008-05-15 20:10:27 0 d-------- C:\Program Files\bobyte
2008-05-12 10:42:12 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-12 10:34:41 0 d-------- C:\Program Files\Symantec

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [09/28/2006 09:42 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/17/2005 03:11 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 08:51 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [12/29/2006 02:52 AM]
"MSServer"="C:\Windows\system32\geBqQJyX.dll" [06/13/2008 12:44 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 09:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 09:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 09:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 03:33 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 12:34 PM]
"MSServer"="C:\Users\Mike\AppData\Local\Temp\qoMghGxY.dll,#1" []
"cmds"="C:\Users\Mike\AppData\Local\Temp\cbXonnLf.dll,c" []
"BMf363b484"="C:\Users\Mike\AppData\Local\Temp\vptortcb.dll,s" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{34DF45D1-6319-4A7F-84CA-7498BD0DAEFC}"= C:\Windows\system32\geBqQJyX.dll [06/13/2008 12:44 PM 25088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf363b484]
Rundll32.exe "C:\Users\Mike\AppData\Local\Temp\cxjlsnnx.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Mike\AppData\Local\Temp\cbXonnLf.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f0508718]
rundll32.exe "C:\Users\Mike\AppData\Local\Temp\nimcuihg.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Users\Mike\AppData\Local\Temp\ddcCsqRJ.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"c:\Program Files\Zune\ZuneLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f9b3793-99eb-11dc-a979-001a920b9de0}]
AutoRun\command- L:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f9b3795-99eb-11dc-a979-001a920b9de0}]
AutoRun\command- M:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95a2c225-e19c-11db-a724-001a920b9de0}]
AutoRun\command- F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e53741c3-6169-11dc-8c0f-806e6f6e6963}]
AutoRun\command- E:\SETUP.EXE

*Newly Created Service* - PAVBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com

8660 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-07-07 02:42:50 ------------
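As an added example (not part of the thread, Deckard's System Scanner or HijackThis), a Python triage of the O4 autostart lines quoted from the log above: it parses the `O4 - <hive>\..\Run: [name] command` format and flags the persistence patterns the analyst would pick out by eye. The heuristics and the USER_WRITABLE list are my own assumptions, not a HijackThis feature.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for this thread; it is not part of the post, of Deckard's
System Scanner or of HijackThis.  The heuristics are my own: a DLL run from
a user-writable temp directory, an export called by ordinal or a one-letter
name, and one Run value name mapped to different commands in different hives.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the O4 lines quoted from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\geBqQJyX.dll,#1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Mike\AppData\Local\Temp\qoMghGxY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Mike\AppData\Local\Temp\cbXonnLf.dll,c
O4 - HKCU\..\Run: [BMf363b484] Rundll32.exe "C:\Users\Mike\AppData\Local\Temp\vptortcb.dll",s
"""

# "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (\S+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# rundll32.exe <dll>[,<export>]  (dll may be quoted; export may be an #ordinal)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+)"?\s*(?:,\s*(\S+))?', re.IGNORECASE)
# Assumed list of user-writable locations a vendor autostart should not live in.
USER_WRITABLE = ('\\appdata\\local\\temp\\', '\\windows\\temp\\')


@dataclass
class Entry:
    hive: str
    name: str
    command: str
    dll: Optional[str] = None
    export: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def parse_o4(text: str) -> List[Entry]:
    """Extract the O4 Run entries and, for rundll32 launches, the DLL and export."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(*m.groups())
        r = RUNDLL_RE.search(entry.command)
        if r:
            entry.dll = r.group(1).strip()
            entry.export = r.group(2)
        entries.append(entry)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to every entry that trips a heuristic; return only those."""
    commands_by_name = defaultdict(set)
    for e in entries:
        commands_by_name[e.name.lower()].add(e.command.lower())
    for e in entries:
        if e.dll:
            if any(loc in e.dll.lower() for loc in USER_WRITABLE):
                e.reasons.append('DLL loaded from a user-writable temp directory')
            if e.export and (e.export.startswith('#') or len(e.export) == 1):
                e.reasons.append('export called by ordinal or single-letter name')
        if len(commands_by_name[e.name.lower()]) > 1:
            e.reasons.append('value name maps to different commands in different hives')
    return [e for e in entries if e.reasons]


def triage_log(text: str) -> Dict[Tuple[str, str], List[str]]:
    """(hive, value name) -> reasons, for every flagged entry in a log."""
    return {(e.hive, e.name): e.reasons for e in triage(parse_o4(text))}


if __name__ == '__main__':
    for (hive, name), reasons in triage_log(SAMPLE_LOG).items():
        print(f'{hive}\\..\\Run [{name}]')
        for reason in reasons:
            print(f'    - {reason}')
```

On the sample above, the HP and NVIDIA entries pass and the three rundll32 entries loading DLLs from the user's Temp folder are flagged, as is the HKLM MSServer entry that shares its name with the HKCU one but points at system32.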
#2
Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 2,477
OS: XP SP3
Re: Pop-ups, performance issues, windows/system32/dzruzw.dll
Hello and Welcome to TSF.
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please save this page to Notepad in order to assist you when carrying out the following instructions. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Vista, all tools should be started by Right-Click >>> Run As Administrator

------------------------------------------------------

You have remnants of Norton (Symantec) on your system. They can conflict with your other antivirus and/or firewall and cause system instability. Please uninstall the following via Programs and Features in your Control Panel:

LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)

Please download the Norton Removal Tool and Save it to your Desktop.

The reason your Vista system got infected is likely due to the fact that the UAC has been disabled. Before you go any further, protect this system and re-enable that feature. Click Start>Control Panel>User Accounts and turn it back on.

------------------------------------------------------

I see you have P2P software (uTorrent and Limewire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Programs and Features. If you decide to uninstall uTorrent and Limewire, also delete these Folders if they still exist:

C:\Users\Mike\Application Data\uTorrent
C:\Users\Mike\Application Data\LimeWire
C:\Program Files\uTorrent
C:\Program Files\LimeWire

------------------------------------------------------

Download Combofix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

------------------------------------------------------

Close any open browsers. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Get help here

------------------------------------------------------

Double-click on ComboFix.exe & follow the prompts.

Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

------------------------------------------------------

Right-click HijackThis and select Run as Administrator. Click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log

If you have any questions along the way...STOP and ask them before proceeding.