|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
Thread Tools |
12-21-2007, 04:24 PM
|
#1 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 12
OS: windows xp
|
help, control panel hijacked by theserials.com
Hi, I've been fighting for a few days this spyware executable i installed (in Firefox), did some research and am trying HijackThis now, I read you guys are gods with the logs.
Could really use your help-- I can't believe I fell for this, I downloaded what seemed to be a legit serial. The .exe i opened not only installed spyware (the usual desktop shortcuts to dating and poker etc, and popups saying "click here to fix your spyware!!") but also i can no longer access my control panel. I cannot get to add/remove programs. When I try, it says ""This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." I'm freaking out, it seems I have to wipe and reinstall. I ran AdAware, it found 184 things it cleaned out but nothing changed. I tried installing SpyBot (from the credible safer-networking.org) but it would crash before installing every time i clicked on the .exe. I dont know if thats the spyware crashing it or if i just need to download it again. I rebooted in safe mode and was able to delete a bunch of junk and files it installed, including this Program File folder "Helper" it made containing "Helper8.dll" Deleting this gave me temporary access to my control panel. Thinking that fixed it, I restarted in normal mode but Helper8.dll was back.  So now I just ran HijackThis, here is my log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:36:22 PM, on 12/21/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe C:\Program Files\EPOX\USDM\USDM .EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe C:\WINDOWS\TEMP\win5C1 .exe C:\WINDOWS\mgrs .exe C:\WINDOWS\lsass .exe C:\WINDOWS\system32\ctfmon .exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/ie R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkji.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" O4 - HKLM\..\Run: [Office SturtUp] osa9.exe O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd O4 - HKLM\..\Run: [EOMD Agent] C:\WINDOWS\system32\Sys32\EOMD.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM .EXE" "5000" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iformdad] rundll32.exe "C:\Program Files\iformdad\kfivctol.dll",Init O4 - HKLM\..\Run: [fwjanadm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fwjanadm.dll" O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvdug.dll,startup O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win5C1 .exe O4 - HKLM\..\Run: [smgr] mgrs.exe O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') O4 - Startup: findfast.exe O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1132891728015 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe -- End of file - 7297 bytes |
|
     |
|
12-22-2007, 12:46 PM
|
#2 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 12
OS: windows xp
|
Re: help, control panel hijacked by theserials.com
also-- i'll go ahead and jump to conclusions and run dss.exe, because otherwise I'll be away from my computer for a few days for christmas.
(I also installed SpywareBlaster.) I did not think i would be able to run dss.exe because it "needs administrator privilidges" and my computer has been telling me I dont have them anymore, thanks to the spyware. But it worked...! Here are my extra.txt and main.txt files, thanks so much for looking: -----MAIN.TXT-------- Deckard's System Scanner v20071014.68 Run by Administrator on 2007-12-22 14:30:33 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 81: 2007-12-22 19:30:35 UTC - RP128 - Deckard's System Scanner Restore Point 80: 2007-12-22 08:00:14 UTC - RP127 - Software Distribution Service 3.0 79: 2007-12-22 01:25:54 UTC - RP126 - System Checkpoint 78: 2007-12-20 23:43:06 UTC - RP125 - Installed Ad-Aware 2007 77: 2007-12-20 09:24:00 UTC - RP124 - Last known good configuration -- First Restore Point -- 1: 2007-12-20 09:23:52 UTC - RP48 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Administrator.exe) --------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:32:20 PM, on 12/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe C:\Program Files\EPOX\USDM\USDM .EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe C:\WINDOWS\mgrs .exe C:\WINDOWS\lsass .exe C:\WINDOWS\system32\ctfmon .exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Administrator\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\Administrator.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/ie R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkji.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {3C20F3EF-915F-4078-B842-CFBE0F5F44D3} - C:\WINDOWS\system32\jkkji.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Kbysvaim\obmpjhjl.dll (file missing) O2 - BHO: (no name) - {DB0B918E-A0A8-482B-8D75-A682816B0C7B} - C:\WINDOWS\system32\cbxxurq.dll O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" O4 - HKLM\..\Run: [Office SturtUp] osa9.exe O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd O4 - HKLM\..\Run: [EOMD Agent] C:\WINDOWS\system32\Sys32\EOMD.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM .EXE" "5000" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iformdad] rundll32.exe "C:\Program Files\iformdad\kfivctol.dll",Init O4 - HKLM\..\Run: [fwjanadm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fwjanadm.dll" O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvdug.dll,startup O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win5C1 .exe O4 - HKLM\..\Run: [smgr] mgrs.exe O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') O4 - Startup: findfast.exe O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1132891728015 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll O20 - Winlogon Notify: cbxxurq - C:\WINDOWS\SYSTEM32\cbxxurq.dll O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe -- End of file - 8028 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 giveio - c:\windows\system32\giveio.sys R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver> R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver> R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu> R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt> R2 EPoXUSDM - c:\windows\system32\drivers\epoxusdm.sys R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver> S0 si3132 - c:\windows\system32\drivers\si3132.sys <Not Verified; Silicon Image, Inc.; SiI 3132 SATALink controller> S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service> R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour> R2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune> S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)> S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: NVIDIA nForce Networking Controller Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&349D6C1B&0&01 Manufacturer: NVIDIA Name: NVIDIA nForce Networking Controller PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&349D6C1B&0&01 Service: NVENETFD -- Scheduled Tasks ------------------------------------------------------------- 2007-12-22 05:07:00 284 --a------ C:\WINDOWS\Tasks\defrag.job 2007-12-20 06:51:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -- Files created between 2007-11-22 and 2007-12-22 ----------------------------- 2007-12-22 14:23:43 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library> 2007-12-22 14:23:43 0 d-------- C:\Program Files\SpywareBlaster 2007-12-22 07:28:06 0 dr-h----- C:\Documents and Settings\Administrator\Recent 2007-12-22 03:00:16 0 d-------- C:\WINDOWS\LastGood 2007-12-21 20:25:54 262144 --a------ C:\Documents and Settings\chris\NTUSER.DAT 2007-12-21 17:12:52 0 d-------- C:\Program Files\Helper 2007-12-21 17:12:51 26624 --a------ C:\WINDOWS\lsass .exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module> 2007-12-21 04:50:44 9728 --a------ C:\WINDOWS\system32\spoolvs.exe 2007-12-21 04:50:44 9728 -----n--- C:\WINDOWS\shell.exe 2007-12-21 04:50:43 12288 --a------ C:\WINDOWS\mgrs .exe 2007-12-20 18:43:06 0 d-------- C:\Program Files\Lavasoft 2007-12-20 18:43:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-12-20 18:07:47 0 --a------ C:\WINDOWS\tpp1 2007-12-20 05:14:06 9728 --a------ C:\WINDOWS\system32\printer.exe 2007-12-20 05:13:08 335360 --a------ C:\WINDOWS\system32\jkkji.exe 2007-12-20 05  15 9728 --a------ C:\WINDOWS\system32\spoolvs .exe2007-12-20 05 13 363008 --a------ C:\WINDOWS\lsass .exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module>2007-12-20 04:43:27 0 d--h----- C:\WINDOWS\system32\GroupPolicy 2007-12-20 04:33:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\ultra 2007-12-20 04:33:03 18944 --a------ C:\WINDOWS\system32\wowfx.dll 2007-12-20 04:33:02 9728 --a------ C:\Documents and Settings\Administrator\Application Data\printer.exe 2007-12-20 04:26:02 347648 --a------ C:\WINDOWS\mgrs.exe 2007-12-20 04:25:00 15360 --a------ C:\WINDOWS\system32\drvdugr.dll 2007-12-20 04:25:00 101888 --a------ C:\WINDOWS\system32\drvdug.dll 2007-12-20 04:23:42 9365 --ahs---- C:\WINDOWS\system32\ijkkj.ini2 2007-12-20 04:23:30 331776 --a------ C:\WINDOWS\system32\jkkji.dll 2007-12-20 04:17:22 0 d-------- C:\WINDOWS\system32\njprckha 2007-12-20 04:17:22 38912 --a------ C:\WINDOWS\system32\cbxuurq.dll 2007-12-20 04:17:15 23040 --a------ C:\WINDOWS\system32\winexy32.dll 2007-12-20 04:17:13 40448 --a------ C:\WINDOWS\system32\cbxxurq.dll 2007-12-20 04:05:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus 2007-12-20 04:05:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus 2007-12-19 04:22:47 0 d-------- C:\CODE_UNKNOWN 2007-12-16 00:56:39 0 d-------- C:\Program Files\Azureus 2007-12-10 14:18:22 946 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache -- Find3M Report --------------------------------------------------------------- 2007-12-22 01:04:47 0 d-------- C:\Program Files\iTunes 2007-12-21 17:12:07 352256 --a------ C:\WINDOWS\system32\ctfmon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> 2007-12-21 04:17:38 0 d-------- C:\Program Files\Common Files 2007-12-21 04:16:19 0 d-------- C:\Program Files\MagicISO 2007-12-20 22:42:26 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor 2007-12-20 05:01:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe 2007-12-20 04:50:53 0 d-------- C:\Program Files\QuickTime 2007-12-20 04:19:59 283 --a------ C:\WINDOWS\comm.bin 2007-12-01 13:00:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss 2007-11-16 05:10:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\.purple 2007-11-16 01:55:05 0 d-------- C:\Program Files\Pidgin 2007-11-05 14:33:17 0 d-------- C:\Program Files\MSN Messenger 2007-11-04 21:58:58 0 d-------- C:\Program Files\DVD Shrink 2007-11-01 18:21:36 0 d-------- C:\Program Files\iPod 2007-11-01 18:19:39 0 d-------- C:\Program Files\Apple Software Update 2007-11-01 18:19:28 0 d-------- C:\Program Files\Common Files\Apple -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C20F3EF-915F-4078-B842-CFBE0F5F44D3}] 12/20/2007 04:23 AM 331776 --a------ C:\WINDOWS\system32\jkkji.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F262CF-0308-0FB4-F7A3-043266F3A47C}] C:\Program Files\Kbysvaim\obmpjhjl.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB0B918E-A0A8-482B-8D75-A682816B0C7B}] 12/20/2007 04:17 AM 40448 --a------ C:\WINDOWS\system32\cbxxurq.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [12/21/2007 05:12 PM] "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [12/21/2007 05:12 PM] "Office SturtUp"="osa9.exe" [] "gfxtray"="ctccw32.dll" [11/25/2005 12:38 AM C:\WINDOWS\system32\ctccw32.dll] "EOMD Agent"="C:\WINDOWS\system32\Sys32\EOMD.exe" [] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/09/2006 10:29 AM] "nwiz"="nwiz.exe" [03/09/2006 10:29 AM C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03/09/2006 10:29 AM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [12/21/2007 05:12 PM] "EPoXUSDM"="C:\Program Files\EPOX\USDM\USDM .exe" [12/21/2007 05:12 PM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [12/21/2007 05:12 PM] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [] "iformdad"="C:\Program Files\iformdad\kfivctol.dll" [] "fwjanadm"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\fwjanadm.dll" [] "CTDrive"="C:\WINDOWS\system32\drvdug.dll" [12/20/2007 04:25 AM] "avp"="C:\WINDOWS\TEMP\win5C1 .exe" [] "smgr"="mgrs.exe" [12/21/2007 03:59 AM C:\WINDOWS\mgrs.exe] "lsass"="C:\WINDOWS\lsass .exe" [12/21/2007 05:12 PM] "Printer"="C:\WINDOWS\system32\printer.exe" [04/18/2005 04:55 AM] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [12/21/2007 05:12 PM] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/21/2007 05:12 PM] "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [12/21/2007 05:12 PM] "Windows update loader"="C:\Windows\xpupdate.exe" [] "Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" [04/18/2005 04:55 AM] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ findfast.exe [4/18/2005 4:55:14 AM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=1 (0x1) "DisableTaskMgr"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "ShowSuperHidden"=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMHelp"=1 (0x1) "ForceClassicControlPanel"=1 (0x1) "NoResolveTrack"=1 (0x1) "LinkResolveIgnoreLinkInfo"=1 (0x1) "NoResolveSearch"=1 (0x1) "ClearRecentDocsOnExit"=1 (0x1) "NoRecentDocsMenu"=1 (0x1) "NoRecentDocsHistory"=1 (0x1) "NoStartBanner"=1 (0x1) "NoSMConfigurePrograms"=1 (0x1) "NoInstrumentation"=1 (0x1) "NoSMBalloonTip"=1 (0x1) "NoControlPanel"=1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSMHelp"=1 (0x1) "ForceClassicControlPanel"=1 (0x1) "NoResolveTrack"=1 (0x1) "LinkResolveIgnoreLinkInfo"=1 (0x1) "NoResolveSearch"=1 (0x1) "ClearRecentDocsOnExit"=1 (0x1) "NoRecentDocsMenu"=1 (0x1) "NoRecentDocsHistory"=1 (0x1) "NoStartBanner"=1 (0x1) "NoSMConfigurePrograms"=1 (0x1) "NoInstrumentation"=1 (0x1) "NoSMBalloonTip"=1 (0x1) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{DB0B918E-A0A8-482B-8D75-A682816B0C7B}"= C:\WINDOWS\system32\cbxxurq.dll [12/20/2007 04:17 AM 40448] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Shell"="Explorer.exe C:\WINDOWS\shell.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxurq] cbxxurq.dll 12/20/2007 04:17 AM 40448 C:\WINDOWS\system32\cbxxurq.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32] winexy32.dll 12/20/2007 04:17 AM 23040 C:\WINDOWS\system32\winexy32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=C:\WINDOWS\system32\wowfx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkji [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk] path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk backup=C:\WINDOWS\pss\MagicDisc.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] AutoRun\command- G:\Setup.exe -- Hosts ----------------------------------------------------------------------- 10.18.250.4 ad.doubleclick.net 10.18.250.4 ad.fastclick.net 10.18.250.4 ads.fastclick.net 10.18.250.4 ar.atwola.com 10.18.250.4 atdmt.com 10.18.250.4 avp.ch 10.18.250.4 avp.com 10.18.250.4 avp.ru 10.18.250.4 awaps.net 10.18.250.4 banner.fastclick.net 90 more entries in hosts file. -- End of Deckard's System Scanner: finished at 2007-12-22 14:32:48 ------------ ---EXTRA.TXT------- Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ CPU 1: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ Percentage of Memory in Use: 21% Physical Memory (total/avail): 2047.46 MiB / 1603.51 MiB Pagefile Memory (total/avail): 3939.27 MiB / 3653.8 MiB Virtual Memory (total/avail): 2047.88 MiB / 1938.2 MiB C: is Fixed (NTFS) - 465.76 GiB total, 361.86 GiB free. D: is CDROM (UDF) E: is CDROM (No Media) \\.\PHYSICALDRIVE0 - NVIDIA STRIPE 465.77G - 465.77 GiB - 1 partition \PARTITION0 (bootable) - Installable File System - 465.76 GiB - C: -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is enabled. FirstRunDisabled is set. AntiVirusDisableNotify is set. FirewallDisableNotify is set. UpdatesDisableNotify is set. AntivirusOverride is set. FirewallOverride is set. FW: Sygate Personal Firewall Pro v4.6 (Sygate Technologies, Inc.) [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Documents and Settings\\Administrator\\Application Data\\printer.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrator\\Application Data\\trant.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019" [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour" "C:\\Program Files\\Synergy\\synergys.exe"="C:\\Program Files\\Synergy\\synergys.exe:*:Enabled:synergys" "C:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe"="C:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.50\\Program\\Swift3D.exe:*:Enabled:Swift 3D" "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus" "C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winFB.exe"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winFB.exe:*:Enabled:winFB" "C:\\Documents and Settings\\Administrator\\Application Data\\printer.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrator\\Application Data\\trant.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Administrator\Application Data CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=LAURADESKTOP ComSpec=C:\WINDOWS\system32\cmd.exe DEVMGR_SHOW_DETAILS=1 FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Administrator LOGONSERVER=\\LAURADESKTOP NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Ahead\Lib\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 35 Stepping 2, AuthenticAMD PROCESSOR_LEVEL=15 PROCESSOR_REVISION=2302 ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp USERDOMAIN=LAURADESKTOP USERNAME=Administrator USERPROFILE=C:\Documents and Settings\Administrator windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- chris (admin) Administrator (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL --> C:\WINDOWS\UNRecode.exe /UNINSTALL Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} Adobe After Effects CS3 --> C:\Program Files\Common Files\Adobe\Installers\b7dd24a87e82dcf8af8876fd727b7cf\Setup.exe Adobe After Effects CS3 --> MsiExec.exe /I{8AF3FB06-BDA3-42A3-995C-308812D2F094} Adobe After Effects CS3 Presets --> MsiExec.exe /I{4B215C29-1A3E-4736-92AA-10C83FA56EB9} Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95} Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61} Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394} Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23} Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C} Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C} Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E} Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9} Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8} Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029} Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5} Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D} Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD} Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2} Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589} Adobe Flash CS3 Professional --> C:\Program Files\Common Files\Adobe\Installers\c3c7fe8b09d497ab2b3fd91c9353390\Setup.exe Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C} Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2} Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B} Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245} Adobe Illustrator CS3 --> C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A} Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078} Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77} Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C} Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F} Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003} Adobe Setup --> MsiExec.exe /I{2C294A0B-DF22-4023-B168-8C7645B10019} Adobe Setup --> MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9} Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C} Adobe Setup --> MsiExec.exe /I{FFC1ADE3-944B-4231-894E-3903C37271D2} Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183} Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312} Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8} Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5} Adobe Video Profiles --> MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC} Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6} Adobe XMP DVA Panels CS3 --> MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F} Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923} Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217} Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4} Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9 Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe" EPoX Unified System Diagnostic Manager (USDM) --> "C:\Program Files\EPoX\USDM\SETUP.EXE" "-UNINSTALL" EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe getPlus(R)_dll --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSd.INF, DefaultUninstall GTK+ Runtime 2.12.1 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306} Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010} Magic ISO Maker v5.4 (build 0239) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} Nero 7 Ultra Edition --> MsiExec.exe /I{43FFE159-3199-4188-A1CD-629166AD1033} neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B} NVIDIA Drivers --> C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI NVIDIA nTune --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033 NvMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe" -uninstall PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5} Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe PowerISO --> "C:\Program Files\PowerISO\uninstall.exe" QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC} sala's WinXP SP2 Terminal Server Patch --> "C:\Program Files\salas Termiserv Patch\uninst.exe" SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe" SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe" Swift 3D v4.50 --> MsiExec.exe /I{006DEADE-E12E-4DA0-AB65-134F0DE9AF9A} Sygate Personal Firewall Pro --> MsiExec.exe /I{10B446B3-4DF4-4489-A168-8A98F7CD807E} Synergy --> "C:\Program Files\Synergy\uninstall.exe" VideoLAN VLC media player 0.8.6b --> C:\Program Files\VideoLAN\VLC\uninstall.exe WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe -- Application Event Log ------------------------------------------------------- Event Record #/Type4007 / Warning Event Submitted/Written: 12/22/2007 01:04:34 AM Event ID/Source: 1001 / MsiInstaller Event Description: Detection of product '{B045B608-4A47-4C77-9EAD-06C394503306}', feature 'iTunes' failed during request for component '{E8A1D3E2-F5D3-4B24-AB93-52F7E602A235}' Event Record #/Type4006 / Warning Event Submitted/Written: 12/22/2007 01:04:34 AM Event ID/Source: 1004 / MsiInstaller Event Description: Detection of product '{B045B608-4A47-4C77-9EAD-06C394503306}', feature 'iTunes', component '{C08B990C-B647-4700-8D9D-68E62B841B72}' failed. The resource 'C:\Program Files\iTunes\iTunesHelper.exe' does not exist. Event Record #/Type4005 / Warning Event Submitted/Written: 12/21/2007 05:30:06 PM Event ID/Source: 6 / crypt32 Event Description: Reached crypt32 threshold of 50 events and will suspend logging for 60 minutes Event Record #/Type4004 / Error Event Submitted/Written: 12/21/2007 05:30:06 PM Event ID/Source: 8 / crypt32 Event Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: 12175 (0x2f8f) Event Record #/Type4003 / Error Event Submitted/Written: 12/21/2007 05:30:06 PM Event ID/Source: 8 / crypt32 Event Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: 12175 (0x2f8f) -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type4968 / Warning Event Submitted/Written: 12/22/2007 03:12:57 AM Event ID/Source: 51 / Disk Event Description: An error was detected on device \Device\Harddisk1\D during a paging operation. Event Record #/Type4967 / Warning Event Submitted/Written: 12/22/2007 03:12:56 AM Event ID/Source: 51 / Disk Event Description: An error was detected on device \Device\Harddisk1\D during a paging operation. Event Record #/Type4966 / Warning Event Submitted/Written: 12/22/2007 03:12:52 AM Event ID/Source: 51 / Disk Event Description: An error was detected on device \Device\Harddisk1\D during a paging operation. Event Record #/Type4965 / Warning Event Submitted/Written: 12/22/2007 03:12:51 AM Event ID/Source: 51 / Disk Event Description: An error was detected on device \Device\Harddisk1\D during a paging operation. Event Record #/Type4964 / Warning Event Submitted/Written: 12/22/2007 03:12:51 AM Event ID/Source: 51 / Disk Event Description: An error was detected on device \Device\Harddisk1\D during a paging operation. -- End of Deckard's System Scanner: finished at 2007-12-22 14:32:48 ------------ |
|
|
|
|
12-23-2007, 11:29 AM
|
#3 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
|
Re: help, control panel hijacked by theserials.com
Do a HijackThis scan & place a check next to these items and select "Fix checked":
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkji.exe O2 - BHO: (no name) - {3C20F3EF-915F-4078-B842-CFBE0F5F44D3} - C:\WINDOWS\system32\jkkji.dll O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Kbysvaim\obmpjhjl.dll (file missing) O2 - BHO: (no name) - {DB0B918E-A0A8-482B-8D75-A682816B0C7B} - C:\WINDOWS\system32\cbxxurq.dll O4 - HKLM\..\Run: [Office SturtUp] osa9.exe O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd O4 - HKLM\..\Run: [EOMD Agent] C:\WINDOWS\system32\Sys32\EOMD.exe O4 - HKLM\..\Run: [iformdad] rundll32.exe "C:\Program Files\iformdad\kfivctol.dll",Init O4 - HKLM\..\Run: [fwjanadm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fwjanadm.dll" O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvdug.dll,startup O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win5C1 .exe O4 - HKLM\..\Run: [smgr] mgrs.exe O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe O4 - HKCU\..\Run: [Windows update loader] C:\WINDOWS\xpupdate.exe O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe O4 - Startup: findfast.exe O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll O20 - Winlogon Notify: cbxxurq - C:\WINDOWS\SYSTEM32\cbxxurq.dll O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dllE Ignore any prompts for a reboot --------------- www.bleepingcomputer.com www.forospyware.com www.geekstogo.com 1. Please choose from any of the above links. Download the file & Save it to Desktop. 2. Double click on ComboFix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall |
|
|
|
|
12-24-2007, 06:38 PM
|
#4 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 12
OS: windows xp
|
Re: help, control panel hijacked by theserials.com
thank you so much for your reply SUBs, I am now away from my computer for the holiday (as I hope you are too :) but as soon as I get back Saturday I will try this and let you know how it goes!
|
|
|
|
|
12-29-2007, 04:23 PM
|
#5 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 12
OS: windows xp
|
Re: help, control panel hijacked by theserials.com
okay I ran HijackThis again and checked and fixed all you suggested, the only thing I couldn't do is, these last two did not show up in the scan this time--
O20 - Winlogon Notify: cbxxurq - C:\WINDOWS\SYSTEM32\cbxxurq.dll O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dllE There was no prompt for a reboot so i did not reboot, and I still cannot access my control panel, I still get the error message that "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." Should I restart?? Also, I ran the scan again to see if they all were gone and all of them did not appear in the third scan except for one: O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll Should that make a difference? I greatly appreciate your help thanks so much. |
|
|
|
