TechSpot

System wont Let me Run ComboFix

By Djay
Jan 16, 2008
  1. windows xp
    Dimesion 2400

    hi :)

    i recently had a problem with my computer... it started running slow and there where lots of system error pop-ups and what not... each pop up leading me to StorageProtector... realizing it was spyware i managed to delete StorageProctector or well most of it but it seems to keep coming back after awhile... the main files that where affiliated with it where;
    C:\WINDOWS\system32\ddabb.dll
    C:\WINDOWS\system32\ddabb.exe
    C:\WINDOWS\system32\ssqrspm.dll
    C:\WINDOWS\system32\awtqr.dll

    i managed to delete these using VundoFix:
    C:\WINDOWS\system32\ssqrspm.dll
    C:\WINDOWS\system32\awtqr.dll

    but the other two seem to recreate during start up if deleted... Though the pop-ups stopped im sure it will come back again seeing as though it did before... So i figured i could see whats creating them using ComboFix and get some advice from there.... but it would seem ComboFix doesnt run... when i double-click on it it starts with the blue screen saying ComboFix-pause... in the screen it say please wait... but nothing ever happens... it just jumps to a new blue blank cmd screen... i tried to uninstall ComboFix and then reinstall but i would seem ComboFix isnt listed on add/remove programs nor in the C:\Program Files folder (sorry im not sure if its supposed to)... but it is listed in C:. i deleted it and reinstall it but it does the same thing (blank cmd screen)... and i really need to see what creating those two folders so i can get rid of the malware for could... help please!!!!
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. Djay

    Djay TS Rookie Topic Starter

    Hi Kimsland and thanx for your assistance with this problem

    I finished the steps you gave me.... these are my results in order

    First up... The Rapport from SmitFraudFix

    [Note: since the file was so big and would take to much room here i broke it into three files and attached them]
     
  4. Djay

    Djay TS Rookie Topic Starter

    Second up... VirtumundoBe Gone


    [01/16/2008, 21:28:40] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\darryl\Desktop\VirtumundoBeGone.exe" )
    [01/16/2008, 21:28:55] - Detected System Information:
    [01/16/2008, 21:28:55] - Windows Version: 5.1.2600, Service Pack 2
    [01/16/2008, 21:28:55] - Current Username: darryl (Admin)
    [01/16/2008, 21:28:55] - Windows is in SAFE mode.
    [01/16/2008, 21:28:55] - Searching for Browser Helper Objects:
    [01/16/2008, 21:28:55] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
    [01/16/2008, 21:28:55] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [01/16/2008, 21:28:55] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [01/16/2008, 21:28:55] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
    [01/16/2008, 21:28:55] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [01/16/2008, 21:28:55] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [01/16/2008, 21:28:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:28:55] - No filename found. Continuing.
    [01/16/2008, 21:28:55] - BHO 7: {863BB7E9-19A0-4298-A129-A544D0FFD112} ()
    [01/16/2008, 21:28:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:28:55] - No filename found. Continuing.
    [01/16/2008, 21:28:55] - BHO 8: {88E36414-7F4B-44D4-8C9F-2E46F3D038C8} ()
    [01/16/2008, 21:28:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:28:55] - Checking for HKLM\...\Winlogon\Notify\ddabb
    [01/16/2008, 21:28:55] - Key not found: HKLM\...\Winlogon\Notify\ddabb, continuing.
    [01/16/2008, 21:28:55] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [01/16/2008, 21:28:55] - BHO 10: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
    [01/16/2008, 21:28:55] - BHO 11: {C9187B87-AE11-407B-A88A-DAD9790A4609} ()
    [01/16/2008, 21:28:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:28:55] - No filename found. Continuing.
    [01/16/2008, 21:28:55] - BHO 12: {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} ()
    [01/16/2008, 21:28:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:28:55] - No filename found. Continuing.
    [01/16/2008, 21:28:55] - Finished Searching Browser Helper Objects
    [01/16/2008, 21:28:55] - Finishing up...
    [01/16/2008, 21:28:55] - Nothing found! Exiting...

    [01/16/2008, 21:30:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\darryl\Desktop\VirtumundoBeGone.exe" )
    [01/16/2008, 21:30:35] - Detected System Information:
    [01/16/2008, 21:30:35] - Windows Version: 5.1.2600, Service Pack 2
    [01/16/2008, 21:30:35] - Current Username: darryl (Admin)
    [01/16/2008, 21:30:35] - Windows is in SAFE mode.
    [01/16/2008, 21:30:35] - Searching for Browser Helper Objects:
    [01/16/2008, 21:30:35] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
    [01/16/2008, 21:30:35] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [01/16/2008, 21:30:35] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [01/16/2008, 21:30:35] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
    [01/16/2008, 21:30:35] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [01/16/2008, 21:30:35] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [01/16/2008, 21:30:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:30:35] - No filename found. Continuing.
    [01/16/2008, 21:30:35] - BHO 7: {863BB7E9-19A0-4298-A129-A544D0FFD112} ()
    [01/16/2008, 21:30:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:30:35] - No filename found. Continuing.
    [01/16/2008, 21:30:35] - BHO 8: {88E36414-7F4B-44D4-8C9F-2E46F3D038C8} ()
    [01/16/2008, 21:30:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:30:35] - Checking for HKLM\...\Winlogon\Notify\ddabb
    [01/16/2008, 21:30:35] - Key not found: HKLM\...\Winlogon\Notify\ddabb, continuing.
    [01/16/2008, 21:30:35] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [01/16/2008, 21:30:35] - BHO 10: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
    [01/16/2008, 21:30:35] - BHO 11: {C9187B87-AE11-407B-A88A-DAD9790A4609} ()
    [01/16/2008, 21:30:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:30:35] - No filename found. Continuing.
    [01/16/2008, 21:30:35] - BHO 12: {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} ()
    [01/16/2008, 21:30:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [01/16/2008, 21:30:35] - No filename found. Continuing.
    [01/16/2008, 21:30:35] - Finished Searching Browser Helper Objects
    [01/16/2008, 21:30:35] - Finishing up...
    [01/16/2008, 21:30:35] - Nothing found! Exiting...
     
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    A Security and the Web technical support member will help you with this.
    Please be patient, as the time in responding to you can vary.
    Due to checking all your reports
    And attending to others

    If you believe that you have waited for too long (over a day) then you can reply back with support still required, to this message.
     
  6. Djay

    Djay TS Rookie Topic Starter

    Next up is DSS because Panda Antirootkit found absolutely nothing and ComboFix still didnt run so i installed it instead

    [Note: too many characters to fit in thread so i attached it... also i didnt know which file was most important or if you needed the others so i attached all three]
     
  7. Djay

    Djay TS Rookie Topic Starter

    oh.. its understandable... i just wanted u to see tha final HJT... system seems to be running smooth and weird system32 files are gone... no pop ups or my antivirus detecting creating of suspect dll files.. so i think everythings good for now... thanx again :)... here's my final HJT btw

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:45:23 AM, on 1/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\SYSTEM32\taskmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {863BB7E9-19A0-4298-A129-A544D0FFD112} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {C9187B87-AE11-407B-A88A-DAD9790A4609} - (no file)
    O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - (no file)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
    O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
    O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr .exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O20 - AppInit_DLLs:
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9192 bytes
     
  8. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,026

    DJay you have a few nasties in the hijack this log - use the program to remove the following and run it again:
    First get rid of one of you anti-virus programs - one is enough.
    Second, run crusty from c:\program files\hijackthis for best results.
    Fix these
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {863BB7E9-19A0-4298-A129-A544D0FFD112} - (no file)
    O2 - BHO: (no name) - {C9187B87-AE11-407B-A88A-DAD9790A4609} - (no file)
    O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - (no file)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
    O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
     
  9. Djay

    Djay TS Rookie Topic Starter

    thanx AlbertLH
    i figured tha first 5 werent good... i went on and deleted them.. here's my HJT which looks alot better/cleaner than it did b4 i got tha malware
    thanx again for further help

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:42:45 PM, on 1/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe
    C:\Program Files\MSN Messenger\usnsvc.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
    O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr .exe" /background
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O20 - AppInit_DLLs:
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 7229 bytes
     
  10. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,026

    The log looks OK - best of luck!
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...