
computer reboots or freezes at login (win xp)

Discussion in 'Malware and Virus Removal Archive' started by mva5493, 2007/07/29.

  1. 2007/07/29, mva5493 (Well-Known Member, Thread Starter)
    Hi, I am continuing this thread as suggested by Dave in Windows XP http://www.windowsbbs.com/showthread.php?t=66359
    As requested, here are the HijackThis log, the main.txt from DSS, and rapport.txt from SmitfraudFix.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:37:40 PM, on 7/29/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Documents and Settings\Brent\dss.exe
    C:\PROGRA~1\HIJACK~1\Brent.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pdf
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\System32\tmp18F.tmp.dll
    O2 - BHO: (no name) - {34ef652a-f955-4e9a-84d9-5b4d27400418} - C:\WINDOWS\system32\dinGR1.dll
    O2 - BHO: (no name) - {37E7FC45-438C-3F52-F63B-19E33B97F9CC} - C:\WINDOWS\System32\snbvesu.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} - C:\WINDOWS\system32\hggdabb.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304E6~1\Bar888.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304E6~1\Bar888.dll
    O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [{B04E6D12-07C9-1033-1028-020409200001}] "C:\Program Files\Common Files\{B04E6D12-07C9-1033-1028-020409200001}\Update.exe" te-110-12-0000213
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\awttuu.dll",realset
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [{B04E6D12-07CA-1033-1028-020409200001}] "C:\Program Files\Common Files\{B04E6D12-07CA-1033-1028-020409200001}\Update.exe" te-110-12-0000213
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\System32\MANTEC~1\msiexec.exe" -vt ndrv
    O4 - HKCU\..\Run: [Epunt] "C:\Documents and Settings\Brent\My Documents\A?pPatch\?explore.exe" 99001275
    O4 - HKCU\..\Run: [imqu] C:\PROGRA~1\COMMON~1\imqu\imqum.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Microsoft Visual Enhance V2.1] C:\WINDOWS\iuntfs32.exe
    O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [Qhaen] "C:\Documents and Settings\Brent\My Documents\?ystem32\??plorer.exe"
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm231YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
    O20 - Winlogon Notify: dinGR1 - C:\WINDOWS\SYSTEM32\dinGR1.dll
    O20 - Winlogon Notify: hggdabb - C:\WINDOWS\SYSTEM32\hggdabb.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\sdetvtv.dll
    O21 - SSODL: JMUiuwkK - {B04E6D13-1AE4-C7B9-9151-9F96A1BD395B} - C:\WINDOWS\System32\ksxc.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW4\command.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



    main.txt from DSS
    Deckard's System Scanner v20070711.54
    Run by Brent on 2007-07-29 at 14:36:17
    Computer is in Safe Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Failed to create restore point; computer is in safe mode.


    -- Last 5 Restore Point(s) --
    86: 2007-07-28 05:13:32 UTC - RP637 - Restore Operation
    85: 2007-07-28 02:27:34 UTC - RP636 - Restore Operation
    84: 2007-04-19 21:10:08 UTC - RP635 - Restore Operation
    83: 2007-04-19 21:04:35 UTC - RP634 - Restore Operation
    82: 2007-04-19 21:03:11 UTC - RP633 - Restore Operation


    -- First Restore Point --
    1: 2007-01-27 01:28:30 UTC - RP552 - System Checkpoint


    Backed up registry hives.

    Performed disk cleanup.


    -- HijackThis (run as Brent.exe) -----------------------------------------------

    [identical to the HijackThis log posted above]


    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    3 ntldr.sys - c:\ntldr.sys (file missing) <Verified; Conexant; Diagnostic Interface>
    1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    3 Runtime - c:\windows\system32\drivers\runtime.sys (file missing) <Verified; Conexant; SoftK56>
    1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
    2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
    3 wanatw (WAN Miniport (ATW)) - system32\drivers\wanatw4.sys (file missing) <Verified; Trend Micro Inc.; VSAPI>
    2 wincom32 - c:\windows\system32\wincom32.sys
    2 windev-4134-6407 - c:\windows\system32\windev-4134-6407.sys

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    2 cmdService (Command Service) - c:\windows\u3vzyw4\command.exe
    2 COM+ Messages - c:\windows\system32\svchosts.exe (file missing)
    2 ldrsvc - c:\windows\system32\svchost.exe
    2 Network Monitor - c:\program files\network monitor\netmon.exe
    2 PcCtlCom (Trend Micro Central Control Component) - c:\program files\trend micro\internet security 2005\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
    2 Tmntsrv (Trend Micro Real-time Service) - c:\program files\trend micro\internet security 2005\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
    2 TmPfw (Trend Micro Personal Firewall) - c:\program files\trend micro\internet security 2005\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
    2 tmproxy (Trend Micro Proxy Service) - c:\program files\trend micro\internet security 2005\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 1.0>
    2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe
    2 WmdmPmSp (Portable Media Serial Number) - c:\windows\system32\svchost.exe


    -- Scheduled Tasks -------------------------------------------------------------

    2007-04-18 17:39:00 342 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
    2007-04-01 21:40:00 318 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#140#CN3CN340S2J3.job
    2003-01-03 19:39:07 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


    -- Files created between 2007-06-29 and 2007-07-29 -----------------------------

    2007-07-28 13:03:36 502308 --a------ C:\Documents and Settings\Brent\dss.exe
    2007-07-28 13:03:35 488144 --a------ C:\Documents and Settings\Brent\HJTsetup.exe <Not Verified; Soeperman Enterprises Ltd; >
    2007-07-28 01:25:27 5558 --a------ C:\WINDOWS\System32\tmp.reg
    2007-07-28 01:18:39 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-07-28 01:18:39 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-07-28 01:18:39 51200 --a------ C:\WINDOWS\System32\dumphive.exe
    2007-07-28 01:18:34 0 d-------- C:\Documents and Settings\Brent\SmitfraudFix <SMITFR~1>
    2007-07-28 01:18:19 886519 --a------ C:\Documents and Settings\Brent\SmitfraudFix.exe <SMITFR~1.EXE>
    2007-07-27 22:36:09 0 d-------- C:\Program Files\Common Files\{B04E6D12-07CA-1033-1028-020409200001}
    2007-07-27 22:36:07 0 d-------- C:\WINDOWS\System32\?dobe
    2007-07-27 22:35:32 0 d-------- C:\Program Files\DeluxeCommunications
    2007-07-27 19:28:19 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
    2007-07-27 19:28:16 0 d-------- C:\Program Files\SSRemoval Tool
    2007-07-27 13:27:53 0 d-------- C:\Documents and Settings\Brent\Application Data\Webroot


    -- Find3M Report ---------------------------------------------------------------

    2007-07-28 13:36:07 4096 --a------ C:\WINDOWS\comdlg64.dll
    2007-07-27 22:36:04 0 d-------- C:\Program Files\NewDotNet
    2007-07-27 22:35:32 0 d-------- C:\Program Files\Common Files\{304E6D12-07C9-1033-1028-020409200001}
    2007-07-27 22:35:21 0 d-------- C:\Program Files\LimeWire
    2007-07-27 19:02:51 0 --a------ C:\WINDOWS\System32\dlh9jkd1q8.exe
    2007-07-27 13:25:44 7680 --a------ C:\WINDOWS\System32\comdlg77.dll
    2007-07-26 23:45:55 81920 --a------ C:\WINDOWS\System32\WinHealer.dll


    -- Registry Dump ---------------------------------------------------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {00A6FAF1-072E-44cf-8957-5838F569A31D} C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    {02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    {07B18EA1-A523-4961-B6BB-170DE4475CCA} C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    {1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\System32\tmp18F.tmp.dll
    {34ef652a-f955-4e9a-84d9-5b4d27400418} C:\WINDOWS\system32\dinGR1.dll
    {37E7FC45-438C-3F52-F63B-19E33B97F9CC} C:\WINDOWS\System32\snbvesu.dll
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
    {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} C:\WINDOWS\system32\hggdabb.dll
    {C1B4DEC2-2623-438e-9CA2-C9043AB28508} C:\PROGRA~1\COMMON~1\{304E6~1\Bar888.dll
    {c900b400-cdfe-11d3-976a-00e02913a9e0} C:\Program Files\webHancer\programs\whiehlpr.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
    "AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
    "lxamsp32.exe"="lxamsp32.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
    "HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
    "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
    "HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
    "HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
    "Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
    "CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
    "{B04E6D12-07C9-1033-1028-020409200001}"="\"C:\\Program Files\\Common Files\\{B04E6D12-07C9-1033-1028-020409200001}\\Update.exe\" te-110-12-0000213"
    "My Web Search Bar"="rundll32 C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSBAR.DLL,S"
    "MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
    "webHancer Agent"="C:\\Program Files\\webHancer\\Programs\\whagent.exe"
    "Lexmark_X79-55"="C:\\WINDOWS\\System32\\lsasss.exe"
    "BootService"="rundll32.exe \"C:\\WINDOWS\\awttuu.dll\",realset"
    "spoolsvv"="C:\\WINDOWS\\System32\\spoolsvv.exe"
    "runner1"="C:\\WINDOWS\\updater.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A"
    "{B04E6D12-07CA-1033-1028-020409200001}"="\"C:\\Program Files\\Common Files\\{B04E6D12-07CA-1033-1028-020409200001}\\Update.exe\" te-110-12-0000213"
    "UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "Ncao"="\"C:\\WINDOWS\\System32\\MANTEC~1\\msiexec.exe\" -vt ndrv"
    "Epunt"="\"C:\\Documents and Settings\\Brent\\My Documents\\A?pPatch\\?explore.exe\" 99001275"
    "imqu"="C:\\PROGRA~1\\COMMON~1\\imqu\\imqum.exe"
    "MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
    "Microsoft Visual Enhance V2.1"="C:\\WINDOWS\\iuntfs32.exe"
    "IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"
    "Qhaen"="\"C:\\Documents and Settings\\Brent\\My Documents\\?ystem32\\??plorer.exe\""

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Symantec Network Driver Update Warning"="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\SNDWarn.EXE"
    "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
    "Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{B9697716-61E6-4FBC-89FD-EAC504D9EFE3}"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "DCOM Server 60787"="{2C1CD3D7-86AC-4068-93BC-A02304B60787}"
    "JMUiuwkK"="{B04E6D13-1AE4-C7B9-9151-9F96A1BD395B}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\A3dxq
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dinGR1
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdabb
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0

    hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
    ldrsvc



    -- End of Deckard's System Scanner: finished at 2007-07-29 at 14:39:59 ---------


    and rapport.txt from smitfraud.exe
    SmitFraudFix v2.207

    Scan done at 13:42:32.64, Sun 07/29/2007
    Run from C:\Documents and Settings\Brent\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"

    [HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32]
    @="C:\WINDOWS\System32\sdetvtv.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32]
    @="C:\WINDOWS\System32\sdetvtv.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""
     
  2. 2007/07/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow!! Quite a mess there. :eek: This could take some time ......... are you up to it? If so, follow along, and do each step completely and in the order given.

    First, you need to gather some tools. If the computer is still offline (which is actually a good idea till we get some of this cleaned up), save these to yours, then transfer over to the desktop of infected comp.

    1. Download SDFix by AndyManchesta
    2. Download ComboFix by sUBs
    3. Download ATF Cleaner by Atribune
    4. Download LSPFix.exe

    Lets assume the comp is still booting to safe mode, and that's where you are at this point. Copy the above to the desktop. Open Add/Remove Programs in the control panel. Uninstall the following if listed. Do Not reboot if prompted!

    NewDotNet
    WebHancer

    Close the Control Panel and the Add/Remove console.

    Double click LSPFix.exe to run the program, check the box 'I know what I'm doing' and click finish.

    Double click ATF-Cleaner.exe to run the program. Click 'Select All' then click Empty Selected. When you receive the 'Done' message, click Exit.

    Scan again with HijackThis, place a check next to the following entries if present, then click Fix Checked.

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\System32\tmp18F.tmp.dll
    O2 - BHO: (no name) - {34ef652a-f955-4e9a-84d9-5b4d27400418} - C:\WINDOWS\system32\dinGR1.dll
    O2 - BHO: (no name) - {37E7FC45-438C-3F52-F63B-19E33B97F9CC} - C:\WINDOWS\System32\snbvesu.dll
    O2 - BHO: (no name) - {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} - C:\WINDOWS\system32\hggdabb.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304E6~1\Bar888.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{304E6~1\Bar888.dll
    O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
    O4 - HKLM\..\Run: [{B04E6D12-07C9-1033-1028-020409200001}] "C:\Program Files\Common Files\{B04E6D12-07C9-1033-1028-020409200001}\Update.exe" te-110-12-0000213
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\awttuu.dll",realset
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [{B04E6D12-07CA-1033-1028-020409200001}] "C:\Program Files\Common Files\{B04E6D12-07CA-1033-1028-020409200001}\Update.exe" te-110-12-0000213
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\System32\MANTEC~1\msiexec.exe" -vt ndrv
    O4 - HKCU\..\Run: [Epunt] "C:\Documents and Settings\Brent\My Documents\A?pPatch\?explore.exe" 99001275
    O4 - HKCU\..\Run: [imqu] C:\PROGRA~1\COMMON~1\imqu\imqum.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [Qhaen] "C:\Documents and Settings\Brent\My Documents\?ystem32\??plorer.exe"
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
    O20 - Winlogon Notify: dinGR1 - C:\WINDOWS\SYSTEM32\dinGR1.dll
    O20 - Winlogon Notify: hggdabb - C:\WINDOWS\SYSTEM32\hggdabb.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\sdetvtv.dll
    O21 - SSODL: JMUiuwkK - {B04E6D13-1AE4-C7B9-9151-9F96A1BD395B} - C:\WINDOWS\System32\ksxc.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW4\command.exe

    Close HijackThis.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    1. Open the extracted SDFix folder and double click RunThis.bat to start the script.
    2. Type Y to begin the cleanup process.
    3. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    4. Press any Key and it will restart the PC.
    5. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    6. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt ...... close it for now.

    Double click combofix.exe Follow the prompts.
    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

    Please post the combofix.txt log, the report.txt log from SDFix, and a fresh HijackThis log.
     
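    The DSS registry dump in the first post and the HijackThis entries listed for fixing above were triaged by eye, and the tells are the usual ones: names one letter off a system process (lsasss.exe, spoolsvv.exe), a genuine system binary name sitting in a directory that imitates a vendor (MANTEC~1\msiexec.exe), file names containing characters that cannot be typed (A?pPatch\?explore.exe), and binaries dropped loose in C:\WINDOWS or in a made-up subdirectory of it. The Python script below is an added example, not part of this thread or of HijackThis, DSS, SDFix or ComboFix; it encodes those same checks and runs them over a constructed log excerpt in HijackThis format. The table of well-known process names, the allowlist of Windows subdirectories and the set of "sensitive" load points are assumptions to be extended for the machine at hand, and entries at the Winlogon Notify, SSODL, SharedTaskScheduler and service load points that trip no check are listed for manual verification rather than judged clean.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis log format, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\awttuu.dll",realset
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\System32\MANTEC~1\msiexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Epunt] "C:\Documents and Settings\Brent\My Documents\A?pPatch\?explore.exe" 99001275
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: hggdabb - C:\WINDOWS\SYSTEM32\hggdabb.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\sdetvtv.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW4\command.exe
"""

# Assumed table: Windows XP process names malware likes to imitate, and the directory each lives in.
KNOWN = {
    "smss": "system32", "csrss": "system32", "winlogon": "system32",
    "services": "system32", "lsass": "system32", "svchost": "system32",
    "spoolsv": "system32", "msiexec": "system32", "explorer": "windows",
    "iexplore": "internet explorer",
}
# Assumed allowlist of directories directly under the Windows root that legitimately hold
# autostart code; extend it for the box being examined. Anything else there is suspect.
WINDIR_SUBDIRS = {"system32", "system", "microsoft.net", "ime", "pchealth", "installer"}
# Load points abused far more often than legitimate software uses them (HijackThis section tags).
SENSITIVE = {"O20", "O21", "O22", "O23"}


def levenshtein(a, b):
    """Plain edit distance; used to catch one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def candidate_paths(rest):
    """Yield absolute paths named on one log line: quoted strings and bare *.exe/*.dll tokens."""
    for m in re.finditer(r'"([^"]+)"|([^\s",]+\.(?:exe|dll))', rest, re.I):
        p = m.group(1) or m.group(2)
        if "\\" in p:                      # skip bare loader names such as rundll32.exe
            yield PureWindowsPath(p)


def judge(path):
    """Return the concrete red flags for one autostart path (empty list if none)."""
    reasons = []
    stem, parent = path.stem.lower(), path.parent.name.lower()
    parts = [p.lower() for p in path.parts]
    if stem in KNOWN:
        if parent != KNOWN[stem]:
            reasons.append(f"{path.name} is a system binary name outside its normal directory ({KNOWN[stem]})")
    else:
        for name in KNOWN:
            if levenshtein(stem, name) == 1:
                reasons.append(f"filename mimics {name}.exe")
    # '?' cannot occur in a real Windows path; HijackThis prints it for a character it cannot render.
    if re.search(r"[^\x20-\x7e]|[?*]", str(path)):
        reasons.append("untypeable character in path")
    if len(parts) >= 2 and parts[1] in ("windows", "winnt"):
        if len(parts) == 3:
            reasons.append("loose file directly in the Windows directory")
        elif parts[2] not in WINDIR_SUBDIRS:
            reasons.append(f"non-standard directory under the Windows root: {path.parts[2]}")
    elif "documents and settings" in parts and "application data" not in parts:
        reasons.append("autostart from a user profile folder rather than Program Files or Windows")
    return reasons


def triage(log_text):
    """Return ({path: [reasons]} for entries with a concrete red flag,
               [paths] at sensitive load points that tripped nothing and need manual checking)."""
    flagged, review = {}, []
    for line in log_text.splitlines():
        m = re.match(r"(O\d+) - (.*)", line.strip())
        if not m:
            continue
        tag, rest = m.groups()
        for path in candidate_paths(rest):
            reasons = judge(path)
            if reasons:
                flagged[str(path)] = reasons
            elif tag in SENSITIVE:
                review.append(str(path))
    return flagged, review


if __name__ == "__main__":
    flagged, review = triage(SAMPLE_LOG)
    for path, reasons in flagged.items():
        print(f"FLAG   {path}\n       " + "\n       ".join(reasons))
    for path in review:
        print(f"REVIEW {path}  (sensitive load point, verify the file's signer/vendor by hand)")
```

    On the sample the script flags lsasss.exe, spoolsvv.exe, MANTEC~1\msiexec.exe, awttuu.dll, U3VzYW4\command.exe and the ?explore.exe entry, leaves the HP updater alone, and lists igfxsrvc.dll next to hggdabb.dll and sdetvtv.dll for review, because nothing in a HijackThis log separates an Intel graphics DLL from a randomly named dropper: the check that settles it is the file's digital signature and vendor, which has to be read off the file itself.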


  4. 2007/07/29
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I was afraid it was going to be quite a mess. Yes, I suppose I have to be up to it. I could give it back as is, but I like to think I am a nicer person than that...
     
  5. 2007/07/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You are indeed a nice person. If you run into any issues or have any other questions while completing those steps, don't hesitate to stop and ask before proceeding. ;)
     
  6. 2007/07/29
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I am having problems running SDFix... the virtual memory error... the scan can't finish before the virtual memory error comes back. When it comes up it stops everything else from running. I looked at the processes running and made a list... any chance someone can tell me what is necessary and what is not?
    explorer.exe
    cmd.exe
    iexplore.exe
    taskmgr.exe
    lsass.exe
    saveddump.exe
    services.exe
    winlogon.exe
    csrss.exe
    smss.exe
    system
    System Idle Process


    I am still running in safe mode, still can't boot in normal mode; the computer reboots at login or freezes with no start bar. It looks like it is loading but freezes just before it loads completely.
     
  7. 2007/07/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    saveddump.exe and iexplore.exe, if you can get them to stay killed. You can also end task on explorer.exe and run things via Task Manager>File>New Task (run)>Browse

    What is the exact error message?
     
  8. 2007/07/29
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    The exact message: "Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help." It happens when SDFix is checking files; it gets to 50% checked then terminates.
     
  9. 2007/07/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If still receiving the virtual memory error with Explorer shut down, you can try making a few adjustments. Right click My Computer and select Properties, then click the Advanced tab. Click Settings in the Performance section, select 'Adjust for best performance' and click Apply. Click the Advanced tab and verify Programs is selected for both Processor Scheduling and Memory Usage. Make note of the Total pagefile size in the Virtual Memory section. Select System Managed Size and click Set. OK your way out. If prompted to restart do so, then return to safe mode and try SDFix again.

    BTW, you can restart Explorer at any time by typing explorer at the Task Manager>File>New Task (run) line.
     
  10. 2007/07/29
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    Will try, thanks for going through this with me. BTW, if this was my personal machine I probably would have fdisked the hard drive and started from scratch (may still if I can't get it to work properly).
     
  11. 2007/07/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're quite welcome. I won't say 'Uncle' till you do. :)

    When you first open the System Properties dialog, take a look at the amount of RAM installed (listed on the General tab). Typically, the virtual memory would be at a minimum of 1.5 times that amount, and the maximum is 3 times. You could set custom settings for the virtual memory if need be, based on those numbers.
     
  12. 2007/07/29
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    OK, I made the first suggested changes to the virtual memory and tried to run SDFix again. Still got the same problem with the virtual memory; when I clicked OK to remove the window, it terminated SDFix but also gave me two new errors. It said find.exe could not be executed, as well as md5file.exe. I didn't load either of those; SDFix was the only thing I was running. I am rebooting it now, but I believe the RAM is 256 MB.

    I don't think I am ready to say uncle yet. Even though it is frustrating, I feel like I am learning things I didn't know before, so at least I will have knowledge along with the headache.
     
  13. 2007/07/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's part of SDFix. It did that because it was running at the time.

    Tenacity has its rewards :)
     
  14. 2007/07/30
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I am wondering, is there any way to run SDFix in DOS mode since it is a batch file? Maybe that would help with my virtual memory error; I am still having problems with it coming up and stopping the scan.
     
  15. 2007/07/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You cannot run it in command prompt only mode.

    Since you mentioned iexplore running, see if this helps. Download Process Explorer and place it on the computer, then extract to its own folder. Open the folder and start the program. Click iexplore.exe in the list to select it, then click Process>Suspend on the menu. Select explorer.exe, then Process>Kill Process. If saveddump.exe is running, kill it as well. If it restarts, suspend it. Now click File>Run and browse to SDFix to run it. Leave Process Explorer running!
     
  16. 2007/07/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you still cannot get SDFix to run to completion, try running ComboFix first.
     
  17. 2007/07/30
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I got it to finish the scan; it said it needed to reboot Windows... it froze at that point. I rebooted... and now it won't boot in safe mode, but it does boot to XP now without hanging up or rebooting at the login screen. Still getting the virtual memory error and the "Windows has recovered from a serious error" send/don't send Microsoft report. Does ComboFix need to be run in safe mode?
     
  18. 2007/07/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No.

    What happens when you attempt to boot in safe mode?

    If by chance the random reboots stop now, those 'recovered from a serious error' messages should stop as well.
     
    Last edited: 2007/07/30
  19. 2007/07/30
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    It hangs at the login screen. Before, it would ask me which user and then the password. Now when I choose safe mode the username and password screen comes up but it goes away, doesn't allow me to input the password, and it hangs on the logo saying that it is starting Windows.
     
  20. 2007/07/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's very odd. :confused: I'll look around.

    Go ahead and run ComboFix, then post the log and a fresh HijackThis log. Did SDFix create a log in the SDFix folder? If so, post it as well.
     
  21. 2007/07/30
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    okay... I will see what we have now (I am just about afraid to look, lol)
     
