cannot access control panel normally

Discussion in 'Malware and Virus Removal Archive' started by Bodawg, 2008/02/03.

  1. 2008/02/03
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    Hi all,
    I have a problem: I cannot access my control panel the usual way.
    I downloaded a tax program and along with it came (unknowingly) a spyware/virus program. I now cannot access the control panel to hopefully delete this thing. What can I do? I am using W2000pro... thanks
     
  4. 2008/02/03
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    HijackThis scan log......... bodawg

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:43:32 PM, on 2/3/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tlntsvr.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\faxsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Video Add-on\icthis.exe
    C:\Program Files\Video Add-on\isfmntr.exe
    C:\Program Files\eAcceleration\Station\station.exe
    C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
    C:\Program Files\Video Add-on\icmntr.exe
    C:\Program Files\Video Add-on\isfmm.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Video Add-on\isfmm.exe
    C:\Program Files\Video Add-on\isfmm.exe
    C:\Program Files\Video Add-on\isfmm.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Sotfone Tracker Class - {10C52A42-DB8B-4ade-AA4A-CED6A8282B85} - C:\Program Files\Sotfone\1202014956.dll
    O2 - BHO: (no name) - {43BF8E0C-886D-4103-8DDB-2DFE0E8A0168} - C:\Program Files\Video Add-on\isfmdl.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Video Add-on\isfmdl.dll
    O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202014953.dll
    O2 - BHO: TBSB04757 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Freeze.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
    O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\RunServices: [Auto File System Conversion Utility] C:\WINNT\system32\scricon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
    O4 - HKCU\..\RunServices: [Auto File System Conversion Utility] C:\WINNT\system32\scricon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
    O4 - HKUS\.DEFAULT\..\Run: [Auto File System Conversion Utility] C:\WINNT\system32\scricon.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunServices: [Auto File System Conversion Utility] C:\WINNT\system32\scricon.exe (User 'Default user')
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm429YYUS
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...ularScreenSaversFWBInitialSetup1.0.0.15-3.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.103.downloads.est...255.247.242_1502&=&req=1196212733173OneCC.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186931097352
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/games/beje2/popcaploader.cab
    O20 - Winlogon Notify: crypt - crypts.dll (file missing)
    O22 - SharedTaskScheduler: exegeses - {1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f} - (no file)
    O22 - SharedTaskScheduler: cured - {7265100a-17e1-41bf-bd08-63b95a25a9c3} - C:\WINNT\system32\ofcpi.dll
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)
    O23 - Service: OneStep Search Service - Unknown owner - C:\Program Files\OneStepSearch\onestep.exe (file missing)
    O24 - Desktop Component 0: (no name) - http://static.blingo.com/images/d3/logos/logo-small.gif

    --
    End of file - 7579 bytes
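A small triage script for the HijackThis log format posted above, added here as an example (it is not part of the thread and not HijackThis's own code): it parses the Rn/Fn/On entry lines, then flags orphaned entries, O4 autostart keys that in this log carry only the unwanted items, Winlogon Notify and SharedTaskScheduler hooks, and services with no owner information. The sample lines are copied from the log above; the flag names are this script's own.

```python
import re
from dataclasses import dataclass, field

# One HijackThis entry line: section tag (R0, F2, O2, O4, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")

# O4 autostart locations that, in the log above, carry only the unwanted
# "Video Add-on" and scricon.exe entries; worth a second look whenever seen.
REVIEW_O4_KEYS = ("Policies\\Explorer\\Run", "RunServices")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return the Rn/Fn/On entries of a HijackThis log, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Attach review flags to each entry and return only the flagged ones."""
    for e in entries:
        body = e.body
        # Orphaned entries: HijackThis could not find the referenced file; either
        # leftovers of a removed component or a loader that failed to install.
        if "(file missing)" in body or "(no file)" in body:
            e.flags.append("orphaned")
        if e.section == "O4" and any(k in body for k in REVIEW_O4_KEYS):
            e.flags.append("review-autostart")
        # O20: DLLs loaded by winlogon.exe at logon; O22: DLLs loaded by Explorer
        # via SharedTaskScheduler. Both are classic persistence points.
        if e.section == "O20":
            e.flags.append("winlogon-notify")
        if e.section == "O22":
            e.flags.append("shared-task-scheduler")
        # O23 services whose binary carries no company/version information.
        if e.section == "O23" and "Unknown owner" in body:
            e.flags.append("unknown-owner-service")
    return [e for e in entries if e.flags]


def flagged_summary(text):
    """Count flagged entries per section, e.g. {"O4": 2, "O20": 1}."""
    counts = {}
    for e in triage(parse_log(text)):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: TBSB04757 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\RunServices: [Auto File System Conversion Utility] C:\WINNT\system32\scricon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O22 - SharedTaskScheduler: cured - {7265100a-17e1-41bf-bd08-63b95a25a9c3} - C:\WINNT\system32\ofcpi.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section:4} {', '.join(e.flags):35} {e.body}")
```

Flags only mark what to look at; entries such as the Google Updater service or the Adobe BHO come through unflagged, which is the point of a first pass.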
     
  5. 2008/02/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Bodawg

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    Please post the Smitfraud Log.

    Thanks
    Geri
     
  6. 2008/02/04
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    SmitfraudFix log per Geri

    Geri,
    I hope this is what you wanted.
    SmitFraudFix v2.281

    Scan done at 22:47:44.44, Mon 02/04/2008
    Run from C:\Documents and Settings\HomeUser\Desktop\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tlntsvr.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\faxsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\eAcceleration\OnAccess\scan.exe
    C:\Program Files\eAcceleration\Station\station.exe
    C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
    C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
    C:\Program Files\TrojanHunter 5.0\THGuard.exe
    C:\Program Files\eAcceleration\OnAccess\dguard.exe
    C:\WINNT\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

    C:\WINNT\system32\bubbj.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HomeUser


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HomeUser\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HomeUser\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\Helper\ FOUND !
    C:\Program Files\Sotfone\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="http://static.blingo.com/images/d3/logos/logo-small.gif"
    "SubscribedURL"="http://static.blingo.com/images/d3/logos/logo-small.gif"
    "FriendlyName"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix.exe by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f}"="exegeses"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{7265100a-17e1-41bf-bd08-63b95a25a9c3}"="cured"

    [HKEY_CLASSES_ROOT\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32]
    @="C:\WINNT\system32\ofcpi.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32]
    @="C:\WINNT\system32\ofcpi.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Ralink Technology Inc.
    DNS Server Search Order: 192.168.0.1

    Description: Ralink Technology Inc.
    DNS Server Search Order: 192.168.1.254

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{60B91236-CDDF-4043-B9E1-E87EA9B07EA9}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{6A5842BD-8D07-4177-833E-CBE3537CB81C}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{60B91236-CDDF-4043-B9E1-E87EA9B07EA9}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{6A5842BD-8D07-4177-833E-CBE3537CB81C}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{60B91236-CDDF-4043-B9E1-E87EA9B07EA9}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{6A5842BD-8D07-4177-833E-CBE3537CB81C}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
    Last edited: 2008/02/04
  7. 2008/02/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, good. Do this next.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.


    Now do this.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the "main.txt" log only for now.

    Please post the Smitfraud log and the dss main txt log.

    Thanks
    Geri
     
  8. 2008/02/05
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    Smitfraud scan results

    Geri,
    Here are the scan results as of 17:45 2/5/08.
    Hope this shows my machine is clean???

    SmitFraudFix v2.281

    Scan done at 17:36:04.71, Tue 02/05/2008
    Run from C:\Documents and Settings\HomeUser\Desktop\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f}"="exegeses"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{7265100a-17e1-41bf-bd08-63b95a25a9c3}"="cured"

    [HKEY_CLASSES_ROOT\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32]
    @="C:\WINNT\system32\ofcpi.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32]
    @="C:\WINNT\system32\ofcpi.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINNT\system32\bubbj.dll Deleted
    C:\Program Files\Helper\ Deleted
    C:\Program Files\Sotfone\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix.exe by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{60B91236-CDDF-4043-B9E1-E87EA9B07EA9}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{6A5842BD-8D07-4177-833E-CBE3537CB81C}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{60B91236-CDDF-4043-B9E1-E87EA9B07EA9}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{6A5842BD-8D07-4177-833E-CBE3537CB81C}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{60B91236-CDDF-4043-B9E1-E87EA9B07EA9}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{6A5842BD-8D07-4177-833E-CBE3537CB81C}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{7265100a-17e1-41bf-bd08-63b95a25a9c3}"="cured"

    [HKEY_CLASSES_ROOT\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32]
    @="C:\WINNT\system32\ofcpi.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7265100a-17e1-41bf-bd08-63b95a25a9c3}\InProcServer32]
    @="C:\WINNT\system32\ofcpi.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  9. 2008/02/05
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    DSS scan report

    Geri,
    Here are the results of the DSS scan at 18:00 hrs 2/5/08.
    I will be standing by for your reply to "is my machine finally clean".

    Deckard's System Scanner v20071014.68
    Run by HomeUser on 2008-02-05 17:58:40
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 248 MiB (256 MiB recommended).


    -- HijackThis (run as HomeUser.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:58:51 PM, on 2/5/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tlntsvr.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\faxsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\eAcceleration\OnAccess\scan.exe
    C:\Program Files\eAcceleration\Station\station.exe
    C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
    C:\Program Files\eAcceleration\OnAccess\dguard.exe
    C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
    C:\Documents and Settings\HomeUser\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\HomeUser.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\.DEFAULT\..\Run: [Auto File System Conversion Utility] C:\WINNT\system32\scricon.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunServices: [Auto File System Conversion Utility] C:\WINNT\system32\scricon.exe (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.103.downloads.est...255.247.242_1502&=&req=1196212733173OneCC.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186931097352
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: crypt - crypts.dll (file missing)
    O22 - SharedTaskScheduler: cured - {7265100a-17e1-41bf-bd08-63b95a25a9c3} - C:\WINNT\system32\ofcpi.dll (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)

    --
    End of file - 4419 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20080203-134657-160 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    backup-20080203-134657-235 O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
    backup-20080203-134657-381 O2 - BHO: Sotfone Tracker Class - {10C52A42-DB8B-4ade-AA4A-CED6A8282B85} - C:\Program Files\Sotfone\1202014956.dll
    backup-20080203-134657-463 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    backup-20080203-134657-889 O3 - Toolbar: Freeze.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
    backup-20080203-135815-105 O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
    backup-20080203-135815-110 O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    backup-20080203-135815-118 O2 - BHO: (no name) - {43BF8E0C-886D-4103-8DDB-2DFE0E8A0168} - C:\Program Files\Video Add-on\isfmdl.dll
    backup-20080203-135815-187 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    backup-20080203-135815-220 O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)
    backup-20080203-135815-299 O23 - Service: OneStep Search Service - Unknown owner - C:\Program Files\OneStepSearch\onestep.exe (file missing)
    backup-20080203-135815-304 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/games/beje2/popcaploader.cab
    backup-20080203-135815-385 O2 - BHO: TBSB04757 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
    backup-20080203-135815-583 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm429YYUS
    backup-20080203-135815-618 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    backup-20080203-135815-642 O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
    backup-20080203-135815-760 O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
    backup-20080203-135815-783 O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
    backup-20080203-135815-805 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...ularScreenSaversFWBInitialSetup1.0.0.15-3.cab
    backup-20080203-135815-923 O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 VIAPFD - c:\winnt\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
    R2 mdmxsdk - c:\winnt\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
    R2 SetupNT - c:\winnt\system32\setupnt.sys
    R3 HSF_DPV - c:\winnt\system32\drivers\usr_mdmv.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
    R3 HSFHWBS2 - c:\winnt\system32\drivers\usr_bsc2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
    R3 RT2500USB (Wireless USB Card Driver) - c:\winnt\system32\drivers\rt2500usb.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>
    R3 winachsf - c:\winnt\system32\drivers\hsf_usr.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

    S3 3C460B (3Com 3C460B USB Ethernet Adapter Driver) - c:\winnt\system32\drivers\3c460b.sys <Not Verified; 3Com Corporation; 3Com 3C460B 10/100 Mbps USB Ethernet Network Adapter>
    S3 MPE (BDA MPE Filter) - c:\winnt\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    S3 NtApm (NT Apm/Legacy Interface Driver) - c:\winnt\system32\drivers\ntapm.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    S3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\winnt\system32\drivers\rootmdm.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 mshexdefx (ms hexidecimal defx) - "c:\winnt\system32\dllcache\ivchost.exe" (file missing)
    S4 OneStep Search Service - "c:\program files\onestepsearch\onestep.exe" "c:\program files\onestepsearch\onestep.dll" service (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
    Description: NT Apm/Legacy Interface Node
    Device ID: ROOT\NTAPM\0000
    Manufacturer: Microsoft
    Name: NT Apm/Legacy Interface Node
    PNP Device ID: ROOT\NTAPM\0000
    Service: NtApm


    -- Scheduled Tasks -------------------------------------------------------------

    2008-02-02 23:32:46 386 --a------ C:\WINNT\Tasks\rpc.job


    -- Files created between 2008-01-05 and 2008-02-05 -----------------------------

    2008-02-04 22:47:48 1752 --a------ C:\WINNT\system32\tmp.reg
    2008-02-04 22:46:16 25600 --a------ C:\WINNT\system32\WS2Fix.exe
    2008-02-04 22:46:16 289144 --a------ C:\WINNT\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-02-04 22:46:16 85504 --a------ C:\WINNT\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-02-04 22:46:16 288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-02-04 22:46:16 53248 --a------ C:\WINNT\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-02-04 22:46:16 81920 --a------ C:\WINNT\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-02-04 22:46:16 51200 --a------ C:\WINNT\system32\dumphive.exe
    2008-02-03 17:03:39 0 d-------- C:\Documents and Settings\HomeUser\Application Data\TrojanHunter
    2008-02-03 16:39:10 0 d-------- C:\Program Files\TrojanHunter 5.0
    2008-02-03 13:43:18 0 d-------- C:\Program Files\Trend Micro
    2008-02-03 00:11:49 1632 --a------ C:\WINNT\system32\d3d8caps.dat
    2008-02-03 00:11:44 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2c8.dat
    2008-02-02 23:46:49 0 d-------- C:\windows
    2008-02-02 23:37:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Winferno
    2008-02-02 23:32:02 0 d-------- C:\Documents and Settings\HomeUser\Application Data\ShoppingReport
    2008-02-02 21:34:35 0 d-------- C:\Program Files\Mozilla Thunderbird
    2008-02-02 08:59:37 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
    2008-01-29 12:53:34 249856 --a------ C:\WINNT\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
    2008-01-29 12:53:34 51716 --a------ C:\WINNT\system32\pdf995mon.dll
    2008-01-29 12:53:34 0 d-------- C:\Documents and Settings\All Users\Application Data\pdf995
    2008-01-29 12:53:17 0 d-------- C:\Documents and Settings\HomeUser\Application Data\TaxCut
    2008-01-29 12:52:41 0 d-a------ C:\Program Files\TaxCut07
    2008-01-29 12:52:41 0 d-a------ C:\Program Files\PDF995
    2008-01-29 12:51:13 0 d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
    2008-01-26 20:48:26 57344 --a------ C:\WINNT\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
    2008-01-26 20:48:26 0 d-a------ C:\Program Files\Common Files\Adaptec Shared
    2008-01-26 20:48:21 208896 --a------ C:\WINNT\system32\wmpns.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows Media Player>
    2008-01-26 20:48:09 225280 --a------ C:\WINNT\system32\wmpdxm.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows Media Player>
    2008-01-26 20:48:09 106496 --a------ C:\WINNT\system32\wmpasf.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows Media Player>
    2008-01-26 20:47:50 52224 --a------ C:\WINNT\system32\mspmsnsv.dll <Not Verified; Microsoft Corporation; Windows Media Device Manager>
    2008-01-26 20:47:47 997888 --a------ C:\WINNT\system32\wmvdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2008-01-26 20:47:47 892416 --a------ C:\WINNT\system32\wmspdmoe.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2008-01-26 20:47:47 1111040 --a------ C:\WINNT\system32\wmsdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2008-01-26 17:01:32 0 d--hs---- C:\WINNT\ftpcache
    2008-01-23 19:14:40 0 d-------- C:\Documents and Settings\HomeUser\Application Data\MailWasherPro
    2008-01-19 14:34:35 0 d-a------ C:\Program Files\Common Files\eSellerate
    2008-01-16 12:47:44 0 d-a------ C:\Program Files\MSN Games
    2008-01-12 23:29:27 0 d-------- C:\My Download Files
    2008-01-12 23:28:15 774144 --a------ C:\Program Files\RngInterstitial.dll <Not Verified; RealNetworks, Inc.; RealNetworks, Inc. RngInterstitial>
    2008-01-12 22:05:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Arcadetown
    2008-01-08 18:13:24 0 d-------- C:\Documents and Settings\HomeUser\Application Data\Zylom
    2008-01-08 18:13:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Zylom
    2008-01-05 23:09:06 0 d-------- C:\Documents and Settings\HomeUser\Application Data\iWinArcade
    2008-01-05 23:08:52 0 d-------- C:\Documents and Settings\All Users\Application Data\iWin Games


    -- Find3M Report ---------------------------------------------------------------

    2008-02-03 20:56:34 0 d-------- C:\Documents and Settings\HomeUser\Application Data\eAcceleration
    2008-02-03 20:43:06 0 d-a------ C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-01-30 18:41:12 0 d-------- C:\Documents and Settings\HomeUser\Application Data\LimeWire
    2008-01-27 16:50:47 31 --a------ C:\WINNT\popcinfo.dat
    2008-01-26 20:48:26 0 d-a------ C:\Program Files\Common Files
    2008-01-26 11:06:33 0 d-a------ C:\Program Files\Shockwave.com
    2008-01-26 10:16:15 0 d-a------ C:\Program Files\eAcceleration
    2008-01-23 19:30:19 0 d-a------ C:\Program Files\Yahoo!
    2008-01-08 19:20:55 0 d-------- C:\Documents and Settings\HomeUser\Application Data\GameHouse
    2008-01-08 19:14:39 0 d-a------ C:\Program Files\Google
    2008-01-08 18:13:24 0 d-------- C:\Documents and Settings\HomeUser\Application Data\Identities
    2008-01-04 22:05:26 20 --a------ C:\WINNT\popcinfot.dat
    2008-01-04 20:51:06 0 --a------ C:\WINNT\popcreg.dat
    2008-01-03 17:28:58 0 d-------- C:\Documents and Settings\HomeUser\Application Data\SpinTop
    2007-12-16 12:00:49 0 d-a------ C:\Program Files\MyWebSearch
    2007-12-06 09:50:06 0 d-a------ C:\Program Files\Common Files\Motive


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoftwareStation "= "C:\Program Files\eAcceleration\Station\station.exe" [05/08/07 06:12p]
    "webscan "= "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [11/05/07 02:02p]
    "Synchronization Manager "= "mobsync.exe" [06/19/03 11:05a C:\WINNT\system32\mobsync.exe]
    "OnAccess "= "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" [10/24/06 06:21p]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
    "Auto File System Conversion Utility "=C:\WINNT\system32\scricon.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Auto File System Conversion Utility "=C:\WINNT\system32\scricon.exe
    "Picasa Media Detector "=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{7265100a-17e1-41bf-bd08-63b95a25a9c3} "= C:\WINNT\system32\ofcpi.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{1A42F606-3E21-4AB5-9565-E7C8EF6B0929} "= C:\PROGRA~1\EACCEL~1\OnAccess\sehk.dll [10/24/06 06:21p 71256]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]
    crypts.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Auto File System Conversion Utility "= C:\WINNT\system32\scricon.exe

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @= "Driver "




    -- End of Deckard's System Scanner: finished at 2008-02-05 17:59:22 ------------
     
  10. 2008/02/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Please do the following.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


    Now this.

    Download ComboFix from Here to your Desktop.
    It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Please post the SDFix and Combofix logs.

    Thanks
    Geri
     
    Geri,
    #9
  11. 2008/02/06
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    SDfix scan

    Geri, here is the combo scan, 18:00hrs 2/6/08

    ComboFix 08-02.05.3 - HomeUser 02/06/2008 17:50:31.1 - NTFSx86 MINIMAL
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.181 [GMT -6:00]
    Running from: C:\Documents and Settings\HomeUser\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\HomeUser\Application Data\ShoppingReport
    C:\Documents and Settings\HomeUser\Application Data\ShoppingReport\cs\Config.xml
    C:\Program Files\MyWebSearch
    C:\Program Files\MyWebSearch\bar\History\search2
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat
    C:\WINNT\Web\default.htt

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
    .

    2008-02-06 17:50 . 02/06/08 05:50p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_180.dat
    2008-02-06 11:12 . 02/06/08 11:13a 336 --a------ C:\Program Files\temp995.bat
    2008-02-05 18:18 . 02/06/08 05:18p 464,854 ---h----- C:\WINNT\ShellIconCache
    2008-02-05 17:58 . 02/05/08 05:58p <DIR> d-------- C:\Deckard
    2008-02-04 22:47 . 02/05/08 05:36p 1,752 --a------ C:\WINNT\system32\tmp.reg
    2008-02-04 22:46 . 09/05/07 11:22p 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
    2008-02-04 22:46 . 04/27/06 04:49p 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
    2008-02-04 22:46 . 02/05/08 12:23a 85,504 --a------ C:\WINNT\system32\VACFix.exe
    2008-02-04 22:46 . 01/27/08 02:37p 81,920 --a------ C:\WINNT\system32\IEDFix.exe
    2008-02-04 22:46 . 06/05/03 08:13p 53,248 --a------ C:\WINNT\system32\Process.exe
    2008-02-04 22:46 . 07/31/04 05:50p 51,200 --a------ C:\WINNT\system32\dumphive.exe
    2008-02-04 22:46 . 10/03/07 11:36p 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
    2008-02-03 19:53 . 02/03/08 09:07p <DIR> d-------- C:\SDFix
    2008-02-03 17:03 . 02/03/08 05:03p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\TrojanHunter
    2008-02-03 16:39 . 02/03/08 04:39p <DIR> d-a------ C:\Program Files\TrojanHunter 5.0
    2008-02-03 13:43 . 02/03/08 01:43p <DIR> d-a------ C:\Program Files\Trend Micro
    2008-02-03 00:11 . 02/03/08 12:11a 1,632 --a------ C:\WINNT\system32\d3d8caps.dat
    2008-02-02 23:46 . 02/02/08 11:46p <DIR> d-------- C:\windows
    2008-02-02 23:37 . 02/02/08 11:37p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Winferno
    2008-02-02 21:34 . 02/06/08 05:07p <DIR> d-a------ C:\Program Files\Mozilla Thunderbird
    2008-02-02 08:59 . 02/02/08 09:00a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
    2008-01-29 12:53 . 01/29/08 12:53p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\TaxCut
    2008-01-29 12:53 . 01/29/08 12:53p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
    2008-01-29 12:53 . 01/29/08 12:53p 249,856 --a------ C:\WINNT\system32\pdfmona.dll
    2008-01-29 12:53 . 01/29/08 12:53p 51,716 --a------ C:\WINNT\system32\pdf995mon.dll
    2008-01-29 12:53 . 08/24/07 11:13a 142 --a------ C:\WINNT\wpd99.drv
    2008-01-29 12:52 . 02/06/08 11:15a <DIR> d-a------ C:\Program Files\TaxCut07
    2008-01-29 12:52 . 02/06/08 11:12a <DIR> d-a------ C:\Program Files\PDF995
    2008-01-29 12:51 . 01/29/08 12:51p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
    2008-01-26 20:48 . 01/26/08 08:48p <DIR> d-a------ C:\Program Files\Common Files\Adaptec Shared
    2008-01-26 17:01 . 01/26/08 05:01p <DIR> d--hs---- C:\WINNT\ftpcache
    2008-01-23 19:14 . 01/23/08 07:29p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\MailWasherPro
    2008-01-19 14:34 . 01/19/08 02:34p <DIR> d-a------ C:\Program Files\Common Files\eSellerate
    2008-01-16 12:47 . 01/26/08 11:06a <DIR> d-a------ C:\Program Files\MSN Games
    2008-01-12 23:29 . 01/13/08 06:55p <DIR> d-------- C:\My Download Files
    2008-01-12 23:28 . 01/12/08 11:28p 774,144 --a------ C:\Program Files\RngInterstitial.dll
    2008-01-12 22:05 . 01/12/08 10:05p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Arcadetown
    2008-01-08 20:59 . 01/08/08 08:59p 1,920,054 --a------ C:\WINNT\CrawlerWallpaper.bmp
    2008-01-08 18:13 . 01/08/08 06:13p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\Zylom
    2008-01-08 18:13 . 01/08/08 06:13p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-04 02:56 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\eAcceleration
    2008-02-04 02:43 --------- d---a-w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-01-31 00:41 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\LimeWire
    2008-01-27 02:48 57,344 ----a-w C:\WINNT\uneng.exe
    2008-01-27 02:48 49,152 ----a-w C:\WINNT\system32\cdrtc.dll
    2008-01-27 02:48 45,056 ----a-w C:\WINNT\system32\cdral.dll
    2008-01-26 17:06 --------- d---a-w C:\Program Files\Shockwave.com
    2008-01-26 16:16 --------- d---a-w C:\Program Files\eAcceleration
    2008-01-24 01:30 --------- d---a-w C:\Program Files\Yahoo!
    2008-01-09 01:20 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\GameHouse
    2008-01-09 01:14 --------- d---a-w C:\Program Files\Google
    2008-01-06 05:09 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\iWinArcade
    2008-01-06 05:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
    2008-01-03 23:28 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\SpinTop
    2007-12-31 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
    2007-12-20 14:10 499,712 ----a-w C:\WINNT\system32\msvcp71.dll
    2007-12-20 14:10 348,160 ----a-w C:\WINNT\system32\msvcr71.dll
    2007-12-15 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
    2007-12-06 15:50 --------- d---a-w C:\Program Files\Common Files\Motive
    2007-12-06 15:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Motive
    2007-08-01 00:21 1,126 ----a-w C:\Program Files\INSTALL.LOG
    2007-07-31 22:20 271 ---ha-w C:\Program Files\desktop.ini
    2007-07-31 22:20 21,952 -c-ha-w C:\Program Files\folder.htt
    2007-05-14 22:03 445,696 -c----w C:\WINNT\inf\rt73.sys
    2002-06-04 07:06 65,536 -c----w C:\WINNT\inf\copyinf.exe
    1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoftwareStation "= "C:\Program Files\eAcceleration\Station\station.exe" [05/08/07 06:12p 136904]
    "webscan "= "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [12/19/07 08:20p 771504]
    "Synchronization Manager "= "mobsync.exe" [06/19/03 11:05a 111376 C:\WINNT\system32\mobsync.exe]
    "OnAccess "= "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" [10/24/06 06:21p 112216]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Auto File System Conversion Utility "= "C:\WINNT\system32\scricon.exe" [ ]
    "Picasa Media Detector "= "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [09/27/07 07:17p 443968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 11:05a 186640]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Auto File System Conversion Utility "= "C:\WINNT\system32\scricon.exe" [ ]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{7265100a-17e1-41bf-bd08-63b95a25a9c3} "= C:\WINNT\system32\ofcpi.dll [ ]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{1A42F606-3E21-4AB5-9565-E7C8EF6B0929} "= C:\PROGRA~1\EACCEL~1\OnAccess\sehk.dll [10/24/06 06:21p 71256]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Auto File System Conversion Utility REG_SZ C:\WINNT\system32\scricon.exe

    R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS [05/04/01 09:24a]
    S2 mshexdefx;ms hexidecimal defx; "C:\WINNT\system32\dllcache\ivchost.exe" []
    S2 SetupNT;SetupNT;C:\WINNT\system32\SetupNT.sys [10/25/00 02:27p]
    S3 3C460B;3Com 3C460B USB Ethernet Adapter Driver;C:\WINNT\system32\DRIVERS\3C460B.SYS [11/20/00 03:11p]
    S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys [09/25/99 04:36a]
    S3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [03/09/01 10:04a]
    S4 OneStep Search Service;OneStep Search Service; "C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service []

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-03 05:32:46 C:\WINNT\Tasks\rpc.job "
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-06 17:51:38
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 02/06/2008 17:52:22
    ComboFix-quarantined-files.txt 2008-02-06 23:52:01
    .
    2008-02-04 02:43:07 --- E O F ---
     
  12. 2008/02/06
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    SDfix scan results

    Geri, here is the SD scan results 18:30 hrs 2/6/08

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-06 18:24:03
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
     
  13. 2008/02/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Bodawg

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    iWinArcade
    iWin Games (anything to do with iWin)
    OneStepSearch
    Winferno or RegistryPowerCleaner


    Please note any other programs that you don't recognize in that list and post them in your next response.

    StopSign is not a recommended Anti-Virus or Spyware application. You would do better getting rid of it and getting another AV.

    Now please do this.
    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Folder::
    C:\Documents and Settings\HomeUser\Application Data\iWinArcade
    C:\Documents and Settings\All Users\Application Data\iWin Games
    C:\Program Files\OneStepSearch
    C:\Program Files\Winferno\RegistryPowerCleaner
    
    File::
    C:\WINNT\system32\ofcpi.dll
    C:\WINNT\popcinfot.dat
    C:\WINNT\popcreg.dat
    C:\WINNT\system32\dllcache\ivchost.exe 
    C:\WINDOWS\SYSTEM32\crypts.dll
    C:\WINNT\system32\scricon.exe
    
    Driver::
    mshexdefx
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     "Auto File System Conversion Utility "=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
     "{7265100a-17e1-41bf-bd08-63b95a25a9c3} "=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
     "Auto File System Conversion Utility "=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "Auto File System Conversion Utility "=- 
    Please post the new Combofix log.

    Thanks
    Geri
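    The CFScript above is built by hand from the log entries whose file ComboFix could not verify. As an added example (my own code, not part of this thread and not a ComboFix or DSS component), the following Python script performs that first triage step automatically over the "Reg Loading Points" block of a ComboFix log: it flags autostart values whose verification bracket is empty ("[ ]"), service or driver lines whose image could not be verified (with the start type from the 0-Boot/1-System/2-Auto/3-Demand/4-Disabled legend), and executables registered as named values under Control\Lsa. SAMPLE_LOG is a constructed sample modelled on the ComboFix log Bodawg posted earlier; the names Finding, analyze and high_severity are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: modelled on the "Reg Loading Points" block of the
# ComboFix log posted earlier in this thread, with the stray spaces the
# forum inserted inside the quoted value names removed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [05/08/07 06:12p 136904]
"Synchronization Manager"="mobsync.exe" [06/19/03 11:05a 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Auto File System Conversion Utility"="C:\WINNT\system32\scricon.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{7265100a-17e1-41bf-bd08-63b95a25a9c3}"= C:\WINNT\system32\ofcpi.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Auto File System Conversion Utility REG_SZ C:\WINNT\system32\scricon.exe

R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS [05/04/01 09:24a]
S2 mshexdefx;ms hexidecimal defx; "C:\WINNT\system32\dllcache\ivchost.exe" []
S4 OneStep Search Service;OneStep Search Service; "C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service []
"""

# Start-type legend shared by DSS and ComboFix service lines.
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<target>.*?)\s*\[(?P<meta>[^\]]*)\]$')
LSA_RE = re.compile(r"^(?P<name>.+?)\s+REG_SZ\s+(?P<target>.+)$")
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<svc>[^;]+);(?P<display>[^;]*);\s*(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)


@dataclass
class Finding:
    location: str   # registry key, or the service name for service/driver lines
    name: str
    target: str
    severity: str   # "high" or "low"
    reason: str


def analyze(text: str) -> list[Finding]:
    """Walk a ComboFix 'Reg Loading Points' dump and return the entries a
    reviewer looks at first: an empty [ ] bracket means ComboFix could not
    find or verify the file, and a REG_SZ naming an executable directly under
    Control\\Lsa is not a value Windows creates on its own."""
    findings: list[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            if not m.group("meta").strip():
                start = m.group("start")
                # Running (R*) or boot/system/auto-start services load without
                # user action, so an unverifiable image there rates higher.
                auto = start.startswith("R") or start[1] in "012"
                findings.append(Finding(
                    location=m.group("svc").strip(),
                    name=m.group("display").strip(),
                    target=m.group("image").strip().strip('"'),
                    severity="high" if auto else "low",
                    reason=f"service image not verified (empty []), start type {START_TYPES[start[1]]}",
                ))
            continue
        m = VALUE_RE.match(line)
        if m:
            if not m.group("meta").strip():
                findings.append(Finding(
                    location=current_key,
                    name=m.group("name").strip(),
                    target=m.group("target").strip().strip('"'),
                    severity="high",
                    reason="autostart target missing or unverifiable (empty [ ])",
                ))
            continue
        if current_key.lower().endswith("\\control\\lsa"):
            m = LSA_RE.match(line)
            if m:
                findings.append(Finding(
                    location=current_key,
                    name=m.group("name").strip(),
                    target=m.group("target").strip(),
                    severity="high",
                    reason="executable registered as a named value under Control\\Lsa",
                ))
    return findings


def high_severity(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.location} :: {f.name} -> {f.target} ({f.reason})")
```

    On the sample the script reports the same five items the thread's helper put into CFScript.txt (scricon.exe twice, ofcpi.dll, ivchost.exe and the OneStep service), and nothing for the entries ComboFix was able to verify. The empty bracket is only a hint that the file is gone or could not be checked, so each hit still needs a human look before anything is deleted.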
     
  14. 2008/02/11
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    I need help, accessing add/remove program

    I have a problem of accessing the add/remove program in the control panel.
    When I click on the Add/Remove Programs icon it just gives me a grayed-out window. There is no list of the programs installed on my computer, as there should be, and to top that off I have to reboot the computer to remove the window. Can someone please help me?

    thanks.....Bo
     
  15. 2008/02/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Bodawg
    OK, just run the ComboFix script as asked and post the log.

    Then do this,

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the "main.txt" log only for now.

    Post the combofix log and the dss main txt log.

    Thanks
    Geri
     
  16. 2008/02/11
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    Geri,
    thanks for the reply. I have one question though: ComboFix, should I run it with the computer in safe mode?
     
  17. 2008/02/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    No, not safe mode. Follow the instructions for the ComboFix script in post # 12.

    Geri
     
  18. 2008/02/12
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    Combo.fix bodawg per Geri

    Hey Geri,
    here is the combo.fix with cfs also 2.12.08 18:30 hrs.

    ComboFix 08-02-13.2 - HomeUser 02/12/2008 18:18:18.2 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.88 [GMT -6:00]
    Running from: C:\Documents and Settings\HomeUser\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\HomeUser\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
    .

    2008-02-12 18:09 . 02/12/08 06:09p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2ac.dat
    2008-02-09 23:59 . 02/09/08 11:59p <DIR> d-------- C:\Program Files\RegSupreme Pro
    2008-02-09 23:59 . 02/09/08 11:59p 23 --a------ C:\WINNT\system32\bbfcfeecabd_d.ocx
    2008-02-09 23:09 . 02/09/08 11:09p <DIR> d-------- C:\Program Files\ESET
    2008-02-09 23:09 . 02/09/08 11:09p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
    2008-02-09 23:03 . 02/11/08 10:32p 830,066 ---h----- C:\WINNT\ShellIconCache
    2008-02-09 20:44 . 02/09/08 08:44p <DIR> d-------- C:\Program Files\Lavasoft
    2008-02-09 20:43 . 02/09/08 08:43p <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-09 16:42 . 02/09/08 04:42p <DIR> d-------- C:\Program Files\HP DeskJet 810C Series
    2008-02-09 16:42 . 02/09/08 04:42p 243 --a------ C:\WINNT\HPFTBX11.INI
    2008-02-08 21:14 . 02/08/08 09:14p 170 --a------ C:\WINNT\system32\SDRemoveDB.db
    2008-02-08 21:13 . 06/14/05 12:09p 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
    2008-02-08 21:13 . 02/08/08 09:13p 63 --a------ C:\WINNT\system\SysSD.dll
    2008-02-08 10:08 . 02/08/08 09:01p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-07 20:39 . 02/08/08 09:05p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-06 23:13 . 02/10/08 03:06p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-06 23:00 . 02/06/08 11:00p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
    2008-02-06 17:49 . 11/02/04 04:48p 236,816 --a------ C:\kmd.exe
    2008-02-05 17:58 . 02/05/08 05:58p <DIR> d-------- C:\Deckard
    2008-02-04 22:47 . 02/05/08 05:36p 1,752 --a------ C:\WINNT\system32\tmp.reg
    2008-02-04 22:46 . 09/05/07 11:22p 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
    2008-02-04 22:46 . 04/27/06 04:49p 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
    2008-02-04 22:46 . 02/05/08 12:23a 85,504 --a------ C:\WINNT\system32\VACFix.exe
    2008-02-04 22:46 . 01/27/08 02:37p 81,920 --a------ C:\WINNT\system32\IEDFix.exe
    2008-02-04 22:46 . 07/31/04 05:50p 51,200 --a------ C:\WINNT\system32\dumphive.exe
    2008-02-04 22:46 . 10/03/07 11:36p 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
    2008-02-03 19:53 . 02/05/08 08:09p <DIR> d-------- C:\SDFix
    2008-02-03 17:03 . 02/03/08 05:03p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\TrojanHunter
    2008-02-03 16:39 . 02/03/08 04:39p <DIR> d-a------ C:\Program Files\TrojanHunter 5.0
    2008-02-03 13:43 . 02/03/08 01:43p <DIR> d-a------ C:\Program Files\Trend Micro
    2008-02-03 00:11 . 02/03/08 12:11a 1,632 --a------ C:\WINNT\system32\d3d8caps.dat
    2008-02-02 23:46 . 02/02/08 11:46p <DIR> d-------- C:\windows
    2008-02-02 23:37 . 02/06/08 10:57p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Winferno
    2008-02-02 21:34 . 02/12/08 05:47p <DIR> d-a------ C:\Program Files\Mozilla Thunderbird
    2008-02-02 08:59 . 02/02/08 09:00a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
    2008-01-29 12:53 . 01/29/08 12:53p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\TaxCut
    2008-01-29 12:53 . 02/06/08 09:12p 249,856 --a------ C:\WINNT\system32\pdfmona.dll
    2008-01-29 12:53 . 02/06/08 09:12p 51,716 --a------ C:\WINNT\system32\pdf995mon.dll
    2008-01-29 12:53 . 08/24/07 11:13a 142 --a------ C:\WINNT\wpd99.drv
    2008-01-26 20:48 . 01/26/08 08:48p <DIR> d-a------ C:\Program Files\Common Files\Adaptec Shared
    2008-01-26 17:01 . 01/26/08 05:01p <DIR> d--hs---- C:\WINNT\ftpcache
    2008-01-23 19:14 . 01/23/08 07:29p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\MailWasherPro
    2008-01-19 14:34 . 01/19/08 02:34p <DIR> d-a------ C:\Program Files\Common Files\eSellerate

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-04 02:43 --------- d---a-w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-01-31 00:41 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\LimeWire
    2008-01-27 02:48 57,344 ----a-w C:\WINNT\uneng.exe
    2008-01-27 02:48 49,152 ----a-w C:\WINNT\system32\cdrtc.dll
    2008-01-27 02:48 45,056 ----a-w C:\WINNT\system32\cdral.dll
    2008-01-26 17:06 --------- d---a-w C:\Program Files\Shockwave.com
    2008-01-24 01:30 --------- d---a-w C:\Program Files\Yahoo!
    2008-01-13 05:28 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2008-01-13 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Arcadetown
    2008-01-09 01:20 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\GameHouse
    2008-01-09 01:14 --------- d---a-w C:\Program Files\Google
    2008-01-09 00:13 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\Zylom
    2008-01-09 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
    2008-01-03 23:28 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\SpinTop
    2007-12-31 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
    2007-12-21 14:21 33,800 ----a-w C:\WINNT\system32\drivers\epfwtdir.sys
    2007-12-21 14:20 30,216 ----a-w C:\WINNT\system32\drivers\easdrv.sys
    2007-12-21 14:19 39,944 ----a-w C:\WINNT\system32\drivers\eamon.sys
    2007-12-20 14:10 499,712 ----a-w C:\WINNT\system32\msvcp71.dll
    2007-12-20 14:10 348,160 ----a-w C:\WINNT\system32\msvcr71.dll
    2007-12-15 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
    2007-12-14 17:32 12,632 ----a-w C:\WINNT\system32\lsdelete.exe
    2007-08-01 00:21 1,126 ----a-w C:\Program Files\INSTALL.LOG
    2007-07-31 22:20 271 ---ha-w C:\Program Files\desktop.ini
    2007-07-31 22:20 21,952 -c-ha-w C:\Program Files\folder.htt
    2007-05-14 22:03 445,696 -c----w C:\WINNT\inf\rt73.sys
    2002-06-04 07:06 65,536 -c----w C:\WINNT\inf\copyinf.exe
    1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [06/19/03 11:05a 111376 C:\WINNT\system32\mobsync.exe]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 10:16p 39792]
    "egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/07 08:21a 1443072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [09/27/07 07:17p 443968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 11:05a 186640]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Auto File System Conversion Utility REG_SZ C:\WINNT\system32\scricon.exe

    R1 epfwtdir;epfwtdir;C:\WINNT\system32\DRIVERS\epfwtdir.sys [12/21/07 08:21a]
    R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS [05/04/01 09:24a]
    R2 HPFECP11;HPFECP11;C:\WINNT\system32\drivers\HPFECP11.SYS [05/03/99 03:19a]
    R2 SetupNT;SetupNT;C:\WINNT\system32\SetupNT.sys [10/25/00 02:27p]
    R3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [03/09/01 10:04a]
    S2 mshexdefx;ms hexidecimal defx;"C:\WINNT\system32\dllcache\ivchost.exe" []
    S3 3C460B;3Com 3C460B USB Ethernet Adapter Driver;C:\WINNT\system32\DRIVERS\3C460B.SYS [11/20/00 03:11p]
    S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys [09/25/99 04:36a]
    S4 OneStep Search Service;OneStep Search Service;"C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service []

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-03 05:32:46 C:\WINNT\Tasks\rpc.job"
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-12 18:19:11
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 02/12/2008 18:19:43
    ComboFix-quarantined-files.txt 2008-02-13 00:19:33
    ComboFix2.txt 2008-02-13 00:11:04
    ComboFix3.txt 2008-02-06 23:52:22
    .
    2008-02-04 02:43:07 --- E O F ---
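    A small triage helper for the "Reg Loading Points" section of a ComboFix log like the one above. This is an added example, not code from the thread or from ComboFix. ComboFix appends file metadata in square brackets after each autostart entry; an empty `[]` means it found no file to describe, which is one of the first things a helper checks when reading the log. The script parses Run-key and service lines and flags entries with empty metadata or with a binary in a directory assumed unusual for an autostart (the ODD_DIRS list is an assumption, not a ComboFix rule); a flag marks something to look at, not a verdict. SAMPLE_LOG is a constructed excerpt modelled on the lines posted above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix's own code. ComboFix prints
file metadata in square brackets after each autostart entry; an empty
`[]` means it found no file to describe. ODD_DIRS is an assumed heuristic
and SAMPLE_LOG is a constructed excerpt modelled on the posted log.
"""
import re

# "Name"="command" [metadata]  -- lines under a ...\CurrentVersion\Run key
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$'
)
# R1 name;display;command [metadata]  -- driver/service lines (R=running, S=stopped)
SVC_LINE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<cmd>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)

# Assumption: directories where an autostart binary deserves a second look.
ODD_DIRS = ("\\dllcache\\", "\\temp\\", "\\ftpcache\\")

# Constructed sample modelled on the log in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 11:05a 111376 C:\WINNT\system32\mobsync.exe]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/07 08:21a 1443072]

R1 epfwtdir;epfwtdir;C:\WINNT\system32\DRIVERS\epfwtdir.sys [12/21/07 08:21a]
S2 mshexdefx;ms hexidecimal defx;"C:\WINNT\system32\dllcache\ivchost.exe" []
S4 OneStep Search Service;OneStep Search Service;"C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service []
"""


def first_path(cmd):
    """Return the executable path a command line starts with (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def parse_loading_points(text):
    """Return (kind, name, cmd, meta) for every Run-key or service line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            entries.append(("run", m["name"], m["cmd"], m["meta"].strip()))
            continue
        m = SVC_LINE.match(line)
        if m:
            entries.append((m["start"], m["name"], m["cmd"], m["meta"].strip()))
    return entries


def triage(text):
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    flagged = []
    for kind, name, cmd, meta in parse_loading_points(text):
        reasons = []
        if meta == "":
            reasons.append("no file metadata (ComboFix printed an empty [])")
        path = first_path(cmd)
        if any(d in path.lower() for d in ODD_DIRS):
            reasons.append("binary in unusual autostart location: " + path)
        if reasons:
            flagged.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['kind']:>4} {hit['name']!r} -> {hit['path']}")
        for reason in hit["reasons"]:
            print("      -", reason)
```

    Run against the constructed sample it flags the two service entries that carry an empty `[]` (the `dllcache` one for two reasons), and leaves the Run-key entries and the driver with full metadata alone; feed it the real "Reg Loading Points" text to get the same short list for a log of your own.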
     
  19. 2008/02/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Did you download Spyware Detector?

    If so, please delete it from Add/Remove Programs if listed.

    Please do not download or install anything unless told to do so.
    Thanks

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINNT\system32\bbfcfeecabd_d.ocx


    Let's scan a couple of files.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\WINNT\system32\SDRemoveDB.db
      • C:\WINNT\system\SysSD.dll
    • Click on the submit button
    • Please post the results in your next reply.

    Please post the Jotti results.

    Thanks
    Geri
     
  20. 2008/02/13
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    Jotti scan for C:\winnt\system32\SDremoveDB.db

    Geri,
    Hi.
    Here is the Jotti scan for SDremoveDB.db
    18:07 hrs 2/13/2008

    Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


    File: SDremoveDB.db
    Status: OK
    MD5: 5122538d366525c0efaad30a52376916
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 13 Feb 2008 23:56:34 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
  21. 2008/02/13
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    C:\winnt\system\syssd.dll scan

    Geri,
    C:\winnt\system\syssd.dll scan 18:15 hrs 2/13/08

    Scan taken on 14 Feb 2008 00:10:28 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
