Old 05-15-2005, 03:11 PM   #1 (permalink)
Registered User
 
Join Date: May 2005
Location: New Hampshire
Posts: 8
OS: xp


Don't know what it is.

Hi all, I hope you guys can help. It all started about a week and a half to two weeks ago. When I started my computer a warning sign, which covered my desktop said, warning you could be at risk to hijackers, adware, malware, etc.
When I clicked on it it opened a search containing a list of sites that sell adware, malware, antivirus programs etc. I have since been able to remove the warning sign through the purchase of and downloading of spyware and antivirus programs but I still can not see my desktop wallpaper. When I right click on my desktop I don't get the usual options of creating new folder etc. What I get is the type of options you get when you right click on a web page. When I rt. click and choose properties I get:
Protocol: file protocol
Type: HTML file
Connection: not encrypted
Address: file//C\windows\web\desktop.html
(url)


I can not see my desktop wallpaper, it's like a mask or overlay is hiding it, the only time I can see the wallpaper is when my computer shuts down or starts up but only temporarily. Also the programs on my desktop are highlighted like I have selected them all.
I must have tried a dozen different antivirus, adware removal programs, I have been able to get rid of only the warning sign.

Here are some of the reports I have compiled with Spyware Doctor, HJT, HJT analyzer.

Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.97.7
Scan saved at 3:38:35 PM, on 05/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\system32\combo.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Spyware Doctor Activity Report
Generated on 05/15/2005 3:23:04 PM
Spyware Doctor Homepage PC Tools Homepage Technical Support
Scans (basic information only):
Scan Results:
scan start: 05/15/2005 3:23:18 PM
scan stop: 05/15/2005 3:33:42 PM
scanned items: 80482
found items: 12
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner

Infection Name Location Risk
BroadcastPC C:\Program Files\Common Files\Java\breg.exe High
FlashEnhancer C:\Program Files\common files\java\xclean.exe Elevated
FlashEnhancer C:\Program Files\common files\Java\Xcpy1.exe Elevated
Morpheus C:\Program Files\StreamCast\Morpheus Info
Morpheus C:\Program Files\StreamCast\Morpheus\Downloads Info
Trojan.Stubby C:\WINDOWS\farmmext.exe Medium
VX2.aBetterInternet C:\WINDOWS\satmat.exe Elevated
IEPlugin C:\WINDOWS\systb.exe Medium
Transponder.DLMax C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP600\A0110876.inf High
Transponder.LocalNRD C:\WINDOWS\INF\localNrd.inf High
Transponder.LocalNRD C:\WINDOWS\localNRD.dll High
Common Components for Integrated Search Technologies (IST) Items C:\WINDOWS\preInsln.exe Medium


Other Sections:

Copyright © 2003-2005. Distributed by PC Tools. Legal Notice


:\Documents and Settings\Paul\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD

FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL

WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\combo.exe: UPX!
C:\WINDOWS\SYSTEM32\dcuasaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\mhjsoehd.exe: UPX!
C:\WINDOWS\SYSTEM32\scombo.exe: UPX!
C:\WINDOWS\SYSTEM32\scombop.exe: UPX!
C:\WINDOWS\SYSTEM32\sqsaaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\DFRG.MSC:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ

AAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\infbwsl.exe: UPX!
C:\WINDOWS\jqesoqb.exe: UPX!
C:\WINDOWS\jqxvqqw.exe: UPX!
C:\WINDOWS\kglvxyq.exe: UPX!
C:\WINDOWS\mdeoblb.exe: UPX!
C:\WINDOWS\pkeshli.exe: UPX!
C:\WINDOWS\psvfrjx.exe: UPX!
C:\WINDOWS\The Three Stooges 2.scr: UPX!
C:\WINDOWS\Unwash5.exe: UPX!
C:\WINDOWS\uylnpqs.exe: UPX!
C:\WINDOWS\xmacdma.exe: UPX!
Finished
bye

I now no longer use IE as my browser, I have changed to Firefox.
I hope we can get to the bottom of this. Your help would be greatly appreciated, if you need any more info let me know, thanks.

Old 05-15-2005, 10:15 PM   #2 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Can you please update your HJT to v1.99.1 and then post a new log.
__________________
Eddy
Old 05-16-2005, 03:31 PM   #3 (permalink)
Registered User
 
Join Date: May 2005
Location: New Hampshire
Posts: 8
OS: xp



Thanks for the help here it is.


Logfile of HijackThis v1.99.1
Scan saved at 5:21:40 PM, on 05/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\system32\combo.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\Paul\Desktop\Q3E Minimizer_v1.45.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Old 05-16-2005, 06:19 PM   #4 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order they are listed. These instructions only apply to HJT v1.99.1.

Please keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Download any of the required programs before attempting to start any of the fixes.


Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/

Turn off System Restore instructions (WinXP)
Right-click My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Download and run Adaware, SpyBot (check for updates) for a preliminary cleanup first. Some files below may not be present after running the above programs. Full instructions below.

How to setup Ad-Aware

Download Ad-Aware
Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
Open AdAware from Start | Programs | Lavasoft | AdAware.
Select <Check for updates now>, <Proceed>
After installation, run the program and click the start button. Then click the next button. This lets Ad-Aware scan your computer.
After Ad-Aware is done running, hit the next button. Then right click the area with the listed spyware objects. Choose the "Select all objects" option.
At this point all the boxes next to the items should be checked. Then hit the next button.
It will ask if you want to delete the selected objects. Hit the Okay button.
Now most of the spyware should have been deleted from your hard drive.

----------------------------------------------------------------------

How to setup Spybot Search & Destroy

Download SpyBot
Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
I recommend c:/program files/spybot/
Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
Open Spybot from Start | Programs | Spybot | Spybot S&D
Select <Search for Updates>. Let it install all updates. This is very important!
Select <Immunize>
Select <Check for Problems>
Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
Select <Fix Selected Problems>
Close Spybot

---------------------------------------------------------------------


Files highlighted in BLACK will need to be removed from your hard drive.


------------------------------------------------------------------

Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This"
------------------------------------------------------------------



Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

O4 - HKLM\..\Run: [combo.exe] combo.exe



------------------------------------------------------------------

Download Killbox v2.0.0.175 and unzip the file to your Desktop.

Right click and drag your cursor over the below files to highlight them and then use Control+C to copy them to the clipboard. Open KILLBOX and go to File... "Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then checkmark the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

C:\WINDOWS\SYSTEM32\combo.exe
C:\WINDOWS\SYSTEM32\dcuasaaa.exe
C:\WINDOWS\SYSTEM32\mhjsoehd.exe
C:\WINDOWS\SYSTEM32\scombo.exe
C:\WINDOWS\SYSTEM32\scombop.exe
C:\WINDOWS\SYSTEM32\sqsaaaaa.exe
C:\WINDOWS\infbwsl.exe
C:\WINDOWS\jqesoqb.exe
C:\WINDOWS\jqxvqqw.exe
C:\WINDOWS\kglvxyq.exe
C:\WINDOWS\mdeoblb.exe
C:\WINDOWS\pkeshli.exe
C:\WINDOWS\psvfrjx.exe
C:\WINDOWS\uylnpqs.exe
C:\WINDOWS\xmacdma.exe


-------------------------------------------------------------------
Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup. This will clean out your temporary files.

When finished please post a new log......
__________________
Eddy
Old 05-17-2005, 04:54 PM   #5 (permalink)
Registered User
 
Join Date: May 2005
Location: New Hampshire
Posts: 8
OS: xp


Dear, pancake

When you said right click and drag your cursor over the below files to highlight them, I am assuming you meant from the hijack log. There were no files with the exact names you listed to copy to the clipboard. After I rebooted I still have the same problem. I believe I followed your instructions correctly. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 6:41:35 PM, on 05/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

I appreciate all your efforts. Hope to hear from you soon. Thanks.
Old 05-17-2005, 06:33 PM   #6 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Your log looks ok but just do a manual check and see that all these files have been deleted. Run HJT again in safe mode.


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click End Process for each one if they are still listed.

C:\WINDOWS\SYSTEM32\combo.exe
C:\WINDOWS\SYSTEM32\dcuasaaa.exe
C:\WINDOWS\SYSTEM32\mhjsoehd.exe
C:\WINDOWS\SYSTEM32\scombo.exe
C:\WINDOWS\SYSTEM32\scombop.exe
C:\WINDOWS\SYSTEM32\sqsaaaaa.exe
C:\WINDOWS\infbwsl.exe
C:\WINDOWS\jqesoqb.exe
C:\WINDOWS\jqxvqqw.exe
C:\WINDOWS\kglvxyq.exe
C:\WINDOWS\mdeoblb.exe
C:\WINDOWS\pkeshli.exe
C:\WINDOWS\psvfrjx.exe
C:\WINDOWS\uylnpqs.exe
C:\WINDOWS\xmacdma.exe

Open Windows Explorer and delete the following highlighted file/s if present.

C:\WINDOWS\SYSTEM32\combo.exe
C:\WINDOWS\SYSTEM32\dcuasaaa.exe
C:\WINDOWS\SYSTEM32\mhjsoehd.exe
C:\WINDOWS\SYSTEM32\scombo.exe
C:\WINDOWS\SYSTEM32\scombop.exe
C:\WINDOWS\SYSTEM32\sqsaaaaa.exe
C:\WINDOWS\infbwsl.exe
C:\WINDOWS\jqesoqb.exe
C:\WINDOWS\jqxvqqw.exe
C:\WINDOWS\kglvxyq.exe
C:\WINDOWS\mdeoblb.exe
C:\WINDOWS\pkeshli.exe
C:\WINDOWS\psvfrjx.exe
C:\WINDOWS\uylnpqs.exe
C:\WINDOWS\xmacdma.exe
__________________
Eddy

Last edited by Pancake; 05-17-2005 at 06:34 PM.
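
The before/after log comparison the helper does by eye in this thread, as an added example (not part of any post and not HijackThis's own code): it parses two logs, reports which processes and entries disappeared or appeared, and checks a removal list against the running processes. The function names and the bare-file-name heuristic are assumptions of this example; the sample lines are trimmed from the 05/16 and 05/17 logs above.

```python
import re

# Constructed sample input: a few lines trimmed from the 05/16/2005 log above.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:21:40 PM, on 05/16/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\combo.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Constructed sample input: a few lines trimmed from the 05/17/2005 log above.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:41:35 PM, on 05/17/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Three of the paths from the helper's removal list in this thread.
REMOVAL_LIST = [
    r"C:\WINDOWS\SYSTEM32\combo.exe",
    r"C:\WINDOWS\SYSTEM32\scombo.exe",
    r"C:\WINDOWS\infbwsl.exe",
]

# "O4 - ...", "O23 - ...", "R1 - ..." and similar numbered entry lines.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# Body of an O4 registry Run entry: HKLM\..\Run: [value name] command
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def parse_log(text):
    """Split a HijackThis log into running processes and numbered entries."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.add((m.group(1), m.group(2)))
        elif in_processes and line:
            # Windows paths are case-insensitive, so normalise before comparing.
            processes.add(line.lower())
    return {"processes": processes, "entries": entries}


def diff_logs(before, after):
    """Report what disappeared and what appeared between two scans."""
    b, a = parse_log(before), parse_log(after)
    return {
        "processes_gone": sorted(b["processes"] - a["processes"]),
        "processes_new": sorted(a["processes"] - b["processes"]),
        "entries_gone": sorted(b["entries"] - a["entries"]),
        "entries_new": sorted(a["entries"] - b["entries"]),
    }


def pathless_run_entries(text):
    """Return O4 Run value names whose command has no directory component.

    Heuristic assumed for this example: a startup command given as a bare
    file name (as '[combo.exe] combo.exe' was) is resolved through the search
    path and deserves a manual look. It is a triage hint, not a verdict.
    """
    hits = []
    for code, body in sorted(parse_log(text)["entries"]):
        m = RUN_RE.match(body) if code == "O4" else None
        if m and "\\" not in m.group("cmd") and "/" not in m.group("cmd"):
            hits.append(m.group("name"))
    return hits


def still_running(removal_list, log_text):
    """Return the removal-list paths that the log still shows as running."""
    procs = parse_log(log_text)["processes"]
    return [p for p in removal_list if p.lower() in procs]


if __name__ == "__main__":
    for section, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(section, items)
    print("pathless Run entries before:", pathless_run_entries(LOG_BEFORE))
    print("still running after:", still_running(REMOVAL_LIST, LOG_AFTER))
```

A clean process list only shows that nothing from the list is running; whether the files are still on disk needs the separate check the helper asks for.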
Old 05-17-2005, 08:02 PM   #7 (permalink)
Registered User
 
Join Date: May 2005
Location: New Hampshire
Posts: 8
OS: xp


Quote:
Originally Posted by mywifesmule
###########################################################
Dear, pancake

When you said right click and drag your cursor over the below files to highlight them, I am assuming you ment from the hijack log. There were no files with the exact names you listed to copy to the clipboard. After I rebooted I still have the same problem. I believe I followed your instructions correctly. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 6:41:35 PM, on 05/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

I appreciate all your efforts. Hope to hear from you soon. Thanks.

Dear, Pancake

I was able to find all but two files and delete them in safe mode by going into windows explorer. The 2 files I couldn't find were:

c:windows\psvfrjx.exe
c:windows\xmacdma.exe


The problem still remains. Man I thought we might have had it. Here's the new log.

Logfile of HijackThis v1.99.1
Scan saved at 9:45:16 PM, on 05/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\SPYWAR~3\swdoctor.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~3\swdoctor.exe /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Are you getting aggravated yet, I know I am. Again thanks for the help, I await your reply, thanks.
mywifesmule is offline  
Old 05-17-2005, 09:21 PM   #8 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


I have been through your log and there is still no sign of malware. If you still have the desktop problem try this....

Right click on your Desktop and go to Properties/ Desktop/Customize Desktop /Web/ and make sure any/all boxes are unticked.
------------------------------

We can do one more check for hidden malware..
Download rkfiles

Unzip the files to a folder of its own.
It needs to be run in safe mode for it to work correctly.

.....Open the folder and run the RKFILES.BAT
It will take 10 minutes or so.....when the text opens, with the results, save and copy the log. The output will be displayed and saved in c:\log.txt.

Reboot computer back to a normal mode and post the C:\Log.txt please.
__________________
Eddy
Pancake is offline  
Old 05-19-2005, 06:44 PM   #9 (permalink)
Registered User
 
Join Date: May 2005
Location: New Hampshire
Posts: 8
OS: xp


Dear, pancake

Like I said in my first post (When I right click on my desktop I don't get the usual options of creating new folder etc. What I get is the type of options you get when you right click on a web page. When I rt. click and choose properties I get: Protocol: file protocol
Type: HTML file
Connection: not encrypted
Address: file//C\windows\web\desktop.html
(url)

So I can't ( Right click on your Desktop and go to Properties/ Desktop/Customize Desktop /Web/ and make sure any/all boxes are unticked.)

I did find something strange on my c: drive.

c:!SUBMIT\bcre.exe
c:!SUBMIT\satmat.exe

This doesn't look too good.

along with,

c:system volume info\restore\21d7d692-4662...\rp610
c:system volume info\restore\21d7d692-4662...\rp610\snapshot
c:system volume info\restore\21d7d692-4662...\rp610\snapshot\repository
c:system volume info\restore\21d7d692-4662...\rp610\snapshot\repository\f5
c:system volume info\restore\21d7d692-4662...\rp611
c:system volume info\restore\21d7d692-4662...\rp611\snapshot
c:system volume info\restore\21d7d692-4662...\rp611\snapshot\repository
c:system volume info\restore\21d7d692-4662...\rp611\snapshot\repository\f5
c:system volume info\restore\21d7d692-4662...\rp612
c:system volume info\restore\21d7d692-4662...\rp612\snapshot
c:system volume info\restore\21d7d692-4662...\rp612\snapshot\rep......
c:system volume info\restore\21d7d692-4662...\rp613
c:system volume info\restore\21d7d692-4662...\rp613\........

These folders have all kinds of extensions, exe, dll, cfg, ini.
Have any idea?

The log was uneventful; I know these 2 files:

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\The Three Stooges 2.scr: UPX!
C:\WINDOWS\Unwash5.exe: UPX!


I was told I should dump everything and reinstall windows, what do you think? I'm not too sure how to do this. I look forward to your reply. Thanks again.
mywifesmule is offline  
Old 05-19-2005, 06:54 PM   #10 (permalink)
Registered User
 
Join Date: May 2005
Location: New Hampshire
Posts: 8
OS: xp


Oh yeah I forgot, I did a scan with my spyware doctor program and I still have all this crap I had before I deleted it all, it just keeps showing up.

Infection Name | Location | Risk
BroadcastPC | C:\Program Files\Common Files\Java\breg.exe | High
FlashEnhancer | C:\Program Files\common files\java\xclean.exe | Elevated
FlashEnhancer | C:\Program Files\common files\Java\Xcpy1.exe | Elevated
Morpheus | C:\Program Files\StreamCast\Morpheus | Info
Morpheus | C:\Program Files\StreamCast\Morpheus\Downloads | Info
Trojan.Stubby | C:\WINDOWS\farmmext.exe | Medium
VX2.aBetterInternet | C:\WINDOWS\satmat.exe | Elevated
IEPlugin | C:\WINDOWS\systb.exe | Medium
Transponder.LocalNRD | C:\WINDOWS\INF\localNrd.inf | High
Transponder.LocalNRD | C:\WINDOWS\localNRD.dll | High
Common Components for Integrated Search Technologies (IST) Items | C:\WINDOWS\preInsln.exe | Medium
mywifesmule is offline  
Old 05-19-2005, 11:48 PM   #11 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


It seems as though you have a lot of hidden malware... Boot into safe mode and delete these files. Start by going into HijackThis->Config->Misc. Tools->Open process manager, select any of the following, and click End Process for each one if they are still listed.

C:\WINDOWS\farmmext.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\systb.exe
C:\WINDOWS\INF\localNrd.inf
C:\WINDOWS\localNRD.dll
C:\WINDOWS\preInsln.exe
c:\Windows\bcre.exe
C:\Program Files\common files\java\xclean.exe
C:\Program Files\common files\Java\Xcpy1.exe

As you can't get there from the desktop, go this way....
Go to Start/ Settings/Control Panel/Display/Desktop/Customize Desktop /Web/ and make sure any/all boxes are unticked.



Post a fresh log when done.
__________________
Eddy

Last edited by Pancake; 05-19-2005 at 11:50 PM.
Pancake is offline  
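
Added example, not part of any post in this thread: HijackThis reports only running processes and the autostart and browser hook points it knows about, so a file that is on disk but neither running nor registered never shows up in its log. The sketch below cross-checks the Spyware Doctor paths posted above against a trimmed excerpt of the posted 9:45 PM log; the function names and the name-only fallback for 8.3 short paths are this example's own choices.

```python
import ntpath
import re

# Trimmed excerpt of the HijackThis log posted in the thread (05/17/2005, 9:45 PM).
HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:45:16 PM, on 05/17/2005

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\SPYWAR~3\swdoctor.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~3\swdoctor.exe /Q
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
"""

# File paths from the Spyware Doctor results posted in the thread (files only,
# the two Morpheus folder entries are left out).
FLAGGED = [
    r"C:\Program Files\Common Files\Java\breg.exe",
    r"C:\Program Files\common files\java\xclean.exe",
    r"C:\Program Files\common files\Java\Xcpy1.exe",
    r"C:\WINDOWS\farmmext.exe",
    r"C:\WINDOWS\satmat.exe",
    r"C:\WINDOWS\systb.exe",
    r"C:\WINDOWS\INF\localNrd.inf",
    r"C:\WINDOWS\localNRD.dll",
    r"C:\WINDOWS\preInsln.exe",
]

# First drive-letter path on a line, ending at a known file extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|inf|scr|sys)\b", re.I)


def parse_hjt(log):
    """Return (processes, entries); entries are (section code, path or None)."""
    processes, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            code = re.match(r"(O\d+) - ", line)
            if code:
                path = PATH_RE.search(line)
                entries.append((code.group(1), path.group(0) if path else None))
    return processes, entries


def match_kind(flagged, logged):
    """'path' for a case-insensitive full match, 'name-only' when the logged
    path uses 8.3 short components (~) and only the file name can be compared."""
    a, b = ntpath.normcase(flagged), ntpath.normcase(logged)
    if a == b:
        return "path"
    if "~" in b and ntpath.basename(a) == ntpath.basename(b):
        return "name-only"
    return None


def cross_check(flagged, log):
    """List (flagged path, where seen, logged path, match kind) for every hit."""
    processes, entries = parse_hjt(log)
    seen = [("process", p) for p in processes]
    seen += [(code, p) for code, p in entries if p]
    hits = []
    for f in flagged:
        for where, p in seen:
            kind = match_kind(f, p)
            if kind:
                hits.append((f, where, p, kind))
    return hits


if __name__ == "__main__":
    hits = cross_check(FLAGGED, HJT_LOG)
    print("flagged files visible in the HijackThis log:", hits or "none")
```

A name-only hit is a lead to verify on disk, not proof that the two paths are the same file, since 8.3 short names can also abbreviate the file name itself.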
Old 05-20-2005, 03:33 PM   #12 (permalink)
Registered User
 
Join Date: May 2005
Location: New Hampshire
Posts: 8
OS: xp


Dear, Pancake

Good news, finally, I have my desktop wallpaper back. I went to
start\settings\control panel\display\desktop\customize desktop\web, the security box was checked, don't know how that happened.

I couldn't find any of the files you listed in windows. Here is the log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


How does this look? I still have that other crap I listed in my last post, but I do believe we are making progress. I was able to delete the

c:!SUBMIT\bcre.exe
c:!SUBMIT\satmat.exe

but not the

c:system volume info\restore\21d7d692-4662...\rp610
c:system volume info\restore\21d7d692-4662...\rp610\snapshot
c:system volume info\restore\21d7d692-4662...\rp610\snapshot\repository
c:system volume info\restore\21d7d692-4662...\rp610\snapshot\repository\f5
c:system volume info\restore\21d7d692-4662...\rp611
c:system volume info\restore\21d7d692-4662...\rp611\snapshot
c:system volume info\restore\21d7d692-4662...\rp611\snapshot\repository
c:system volume info\restore\21d7d692-4662...\rp611\snapshot\repository\f5
c:system volume info\restore\21d7d692-4662...\rp612
c:system volume info\restore\21d7d692-4662...\rp612\snapshot
c:system volume info\restore\21d7d692-4662...\rp612\snapshot\rep......
c:system volume info\restore\21d7d692-4662...\rp613
c:system volume info\restore\21d7d692-4662...\rp613\........

What next? As always thanks for the help.
mywifesmule is offline  
Old 05-20-2005, 06:24 PM   #13 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


With the LocalNRD you can clean it all from your registry. Just follow these instructions.

http://66.102.7.104/search?q=cache:Y...LocalNRD&hl=en
__________________
Eddy
Pancake is offline  
Old 05-22-2005, 07:48 AM   #14 (permalink)
Registered User
 
Join Date: May 2005
Location: New Hampshire
Posts: 8
OS: xp


Dear, pancake

Well, I could not find preinsln.exe or polall1l.exe on my computer.

I tried to unregister the dll you told me but I keep getting an error "windows cannot find systemroot+\localnrd.dll", make sure you type the name correctly............... I think I'm following the instructions correctly.

I've noticed my computer is running much faster than it has in quite a while, all thanks to you. I appreciate all the help you have given me over the past week. I believe I'm back up and running fine. If you have any comments I am all ears, thanks again.
mywifesmule is offline  
Old 05-22-2005, 06:56 PM   #15 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


All I can suggest is that you try a few online scans and see if that finds anything.

PandaSoft
eTrust Antivirus
__________________
Eddy
Pancake is offline  