Would Appreciate Assistance with Haywire PC


Unread postby Haystacks » November 6th, 2007, 8:34 pm

Morning MR

I was directed here via the HijackThis website after my PC has gone progressively more mental over the last 24 hours. HijackThis was recommended by a more computer-savvy buddy than I.

Running Windows XP Professional and NAV 2006 - recently started getting error messages saying that NAV needed to be uninstalled and re-installed. These went away if you clicked OK and the NAV status always showed Green OK. Have subsequently delved into NAV Home and found that all the Antivirus Status settings are on RED for error - so I'm presumably being swamped through faulty NAV?

NAV flagged 'trojan.vundo' yesterday rapidly followed by 'downloader'. I downloaded and ran a removal tool for the vundo via the Symantec virus database and followed instructions for getting rid of the 'downloader' bug. NAV log showed both quarantined and I subsequently deleted both.

IE had now gone very slow and I was getting pop ups ranging from sex sites to mainstream bank and charity sites with the odd poker type thing too. IE started to freeze and my Google homepage was hijacked by Ask.com and some others.

I re-ran NAV full system scan along with Spybot S&D and AD-Aware 2007 SE. Each scan threw up various things which once identified and deleted either seemed to come back or be replaced by something stronger and more nasty.

Spybot threw up 2Search (log file), Antispyware 2007 (2 x directory + Reg Key), Virtumonde (Reg Key x 3), Smitfraud-C (Reg Key) and cookies Cassava, Directtrack, Double click, Mediaplex, TagAsaurus, Webtrends Live and Zedo.

I downloaded AVG Free and that again threw up Mediaplex and Zedo cookies (not long after I'd deleted them from the Spybot scan) and Worm.aimven, Adware.webhancer and other tracking cookies. It was as if I was under siege with the missiles getting more damaging.

After deleting the products of the AVG scan I'm now getting rogue programmes opening up on or around startup - some I'm aware of by name and some I'm not. There seem to be a lot of crazy unknown processes running in Windows Task Manager. Add/Remove via the control panel doesn't seem to acknowledge the full population of programmes on the machine.

I've downloaded HijackThis and it lives in its own folder.

I've downloaded AVG Antivirus free as a fall back should I have to go the whole hog and hit the NAV Removal beast.

Last AVG Report below:-

Am ready to generate a HijackThis log once requested.

Thanks a bunch in advance for your assistance

Dave


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:58:02 06/11/2007

+ Scan result:



D:\FOUND.003\FILE0010.CHK -> Adware.WebHancer : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@carphonewarehouse.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@ice.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
D:\Documents and Settings\Dave\Cookies\dave@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
D:\Program Files\AIM95\icbmft.ocm -> Worm.AimVen : Cleaned.


::Report end

Unread postby SNOWHITE » November 7th, 2007, 1:11 am

Hello Haystacks :)

My name is SNOWHITE and I will be helping you with your Malware problem.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note: If you don't have HijackThis installed on your computer, DSS will prompt you to download and install it for you; please allow this to happen!

Regards,
SNOWHITE

DSS Logs

Unread postby Haystacks » November 7th, 2007, 9:37 am

Hello Snowhite

Thanks for your prompt reply...

Please find the Main.txt log from DSS below, followed by extra.txt.

Since initial post I have run AVG again and the worm.aimven was back along with Zedo and Mediaplex. A lot of the pop ups have a Zedo prefix in the URL.

Downloader came back again but NAV (in whatever state it is in) claims to have dealt with it.

Am also getting pop up messages from Spybot asking permission to accept modification of files/registries.

I have the latest version of HijackThis in its own folder.

Hope all this assists

Many thanks

'Stacks


Deckard's System Scanner v20071014.68
Run by Dave on 2007-11-07 13:24:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-11-07 13:24:41 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-11-06 19:42:47 UTC - RP2 - Removed Ad-Aware 2007
1: 2007-11-06 17:24:43 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:26:05, on 07/11/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
D:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe
D:\WINDOWS\System32\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Winamp\Winampa.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Dave\Desktop\dss.exe
D:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\HIJACK~1\Dave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nofrontteeth.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - D:\WINDOWS\system32\hggdecd.dll
O2 - BHO: (no name) - {7CAFBD4F-D00F-4B75-8828-0D5F91BA0F7D} - D:\WINDOWS\System32\tuvtt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\windows\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HPWPTOOLBOX] D:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe "-i"
O4 - HKLM\..\Run: [QuickTime Task] D:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] D:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "D:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [hp Update 2100C] c:\sj644\hpupdate.exe
O4 - HKLM\..\Run: [FileFreedom] C:\Program Files\FileFreedom\filefreedom.exe
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] File "d:\program files\common files\roxio shared\system\directcd.exe"" does not exist.
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [8cfd7076] rundll32.exe "D:\WINDOWS\System32\glaohtee.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedC ... vSniff.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedC ... /cabsa.cab
O20 - Winlogon Notify: hggdecd - D:\WINDOWS\SYSTEM32\hggdecd.dll
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - D:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - D:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11139 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - D:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "D:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.scr - AutoCADScriptFile - shell\open\command - "D:\WINDOWS\System32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NetworkX - d:\windows\system32\ckldrv.sys
R1 SCDEmu - d:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 tvtool - d:\program files\tvtool 6.0\tvtool.sys
R2 SqtechUsb (SCAN05C/D USB Driver) - d:\windows\system32\drivers\fusb100.sys <Not Verified; Service & Quality Technology; Fusb100.sys>
R3 cmpci (C-Media PCI Audio Driver (WDM)) - d:\windows\system32\drivers\cmaudio.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>

S2 LXARScan (Lexmark X73 MFP Scanner) - d:\windows\system32\drivers\lxarscan.sys (file missing)
S3 alcan5wn (Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - d:\windows\system32\drivers\alcan5wn.sys <Not Verified; Alcatel Bell; Alcatel USB ADSL NDIS WAN Miniport driver>
S3 alcaudsl (Alcatel Speed Touch ADSL Modem ATM Transport) - d:\windows\system32\drivers\alcaudsl.sys <Not Verified; Alcatel Bell; Alcatel Speed Touch USB ADSL Modem>
S3 C-Dilla - d:\windows\system32\drivers\cdant.sys <Not Verified; Macrovision; Licence Management System>
S3 STV674 (Xtra Digital Camera) - d:\windows\system32\drivers\stv674.sys (file missing)
S3 STV674m (Xtra Digital Cameram) - d:\windows\system32\drivers\stv674m.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 C-DillaSrv - d:\windows\system32\drivers\cdantsrv.exe <Not Verified; C-Dilla Ltd; CD-Secure/CD-Compress Windows NT>
R2 Crypkey License - crypserv.exe <Not Verified; Kenonic Controls Ltd.; CrypKey Software Licensing System>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "d:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: USB Scanner
Device ID: ROOT\IMAGE\0000
Manufacturer: UMAX #0050
Name: USB Scanner
PNP Device ID: ROOT\IMAGE\0000
Service: SqtechUsb

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP14\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP14\0000
Service: HPFECP14


-- Scheduled Tasks -------------------------------------------------------------

2007-11-06 18:15:44 506 --a------ D:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job
2007-11-02 20:00:02 544 --a------ D:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Dave.job


-- Files created between 2007-10-07 and 2007-11-07 -----------------------------

2100-02-23 14:35:34 768 --a------ D:\Program Files\x73_lut.dat
2100-02-08 16:03:54 53248 --a------ D:\Program Files\ACMonitor_X73.exe <Not Verified; Silitek Corp.; ACMonitor>
2007-11-07 13:19:18 86080 --a------ D:\WINDOWS\System32\glaohtee.dll
2007-11-07 13:16:20 79936 --a------ D:\WINDOWS\System32\hupgnhej.dll
2007-11-07 07:03:21 0 d-------- D:\Documents and Settings\Elaine\Application Data\Grisoft
2007-11-06 23:38:54 327257 ---hs---- D:\WINDOWS\System32\ttvut.ini2
2007-11-06 22:31:06 0 d-------- D:\Documents and Settings\Dave\Application Data\Grisoft
2007-11-06 22:30:37 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-11-06 19:11:17 0 d-------- D:\Documents and Settings\Dave\Application Data\Lavasoft
2007-11-06 18:15:28 0 d-------- D:\Documents and Settings\Dave\Application Data\AntiSpyware
2007-11-06 13:11:21 87104 -----n--- D:\WINDOWS\System32\jdbhvjyf.dll
2007-11-06 13:08:23 81472 --a------ D:\WINDOWS\System32\oekqvfgw.dll
2007-11-06 13:08:19 8284 --a------ D:\WINDOWS\System32\wwnibtem.dll
2007-11-06 13:05:36 294621 ---hs---- D:\WINDOWS\System32\ttvut.bak2
2007-11-06 11:28:06 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-11-05 22:24:57 83008 --a------ D:\WINDOWS\System32\hspagswb.dll
2007-11-05 18:52:40 6505 ---hs---- D:\WINDOWS\System32\ttvut.bak1
2007-11-05 18:52:15 320608 --a------ D:\WINDOWS\System32\tuvtt.dll
2007-11-05 10:24:07 0 d--h----- D:\Program Files\ApplePie
2007-11-05 10:24:05 145929 --a------ D:\WINDOWS\System32\sysdl132.exe
2007-11-05 10:04:15 36352 --a------ D:\WINDOWS\System32\hggdecd.dll


-- Find3M Report ---------------------------------------------------------------

2007-09-05 12:27:08 7932090 --a------ D:\DWG2PDF.exe <Not Verified; AutoDWG; AutoDWG DWG2PDF Converter>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
05/11/2007 10:04 36352 --a------ D:\WINDOWS\system32\hggdecd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CAFBD4F-D00F-4B75-8828-0D5F91BA0F7D}]
05/11/2007 18:52 320608 --a------ D:\WINDOWS\System32\tuvtt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" []
"NeroCheck"="D:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"PrinTray"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" []
"Lexmark X1100 Series"="D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [19/08/2003 14:43]
"HPWPTOOLBOX"="D:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe" [21/10/2004 03:31]
"QuickTime Task"="D:\WINDOWS\System32\qttask.exe" [23/04/2002 15:26]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [30/10/2006 09:36]
"PWRISOVM.EXE"="D:\Program Files\PowerISO\PWRISOVM.EXE" [18/03/2006 02:24]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [22/01/2007 22:19]
"SSC_UserPrompt"="D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [03/11/2004 00:59]
"NAV CfgWiz"="D:\Program Files\Common Files\Symantec Shared\SymProbe.exe" []
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [12/03/2007 18:30]
"WinampAgent"="D:\Program Files\Winamp\Winampa.exe" [13/12/2003 01:50]
"SpeedTouch USB Diagnostics"="D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" []
"RealTray"="D:\Program Files\Real\RealPlayer\realplay.exe" [05/01/2005 22:55]
"NAV Agent"="D:\PROGRA~1\NORTON~1\navapw32.exe" [21/04/2003 01:02]
"hp Update 2100C"="c:\sj644\hpupdate.exe" [24/01/2002 16:24]
"FileFreedom"="C:\Program Files\FileFreedom\filefreedom.exe" [22/02/2002 01:08]
"DownloadAccelerator"="D:\PROGRA~1\DAP\DAP.exe" []
"C-Media Mixer"="Mixer.exe" [30/04/2001 15:55 D:\WINDOWS\mixer.exe]
"AdaptecDirectCD"="File d:\program files\common files\roxio shared\system\directcd.exe" []
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/01/2005 22:55]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 09:25]
"8cfd7076"="D:\WINDOWS\System32\glaohtee.dll" [07/11/2007 13:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [23/08/2001 12:00]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [23/06/2007 09:08]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [13/07/2003 18:03:35]
Image Transfer.lnk - D:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [30/05/2004 16:51:45]
AutoCAD Startup Accelerator.lnk - D:\Program Files\Common Files\Autodesk Shared\acstart16.exe [05/03/2005 14:18:22]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [21/02/2002 21:08:51]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{ED0ACB58-556F-21DA-DDFE-6D20F3F611BB}"= D:\WINDOWS\system32\kb1ss1p.dll [01/01/1999 00:01 36864]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= D:\WINDOWS\system32\hggdecd.dll [05/11/2007 10:04 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdecd]
hggdecd.dll 05/11/2007 10:04 36352 D:\WINDOWS\system32\hggdecd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\System32\tuvtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Offers]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WNAD]




-- End of Deckard's System Scanner: finished at 2007-11-07 13:27:00 ------------


-------------------------------------------------------------------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600)
Architecture: X86; Language: English

CPU 0: AMD Athlon(TM)Processor
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 511.47 MiB / 178.4 MiB
Pagefile Memory (total/avail): 1251.1 MiB / 857.17 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.22 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 9.76 GiB total, 7.08 GiB free.
D: is Fixed (FAT32) - 14.63 GiB total, 6.16 GiB free.
E: is Fixed (FAT32) - 6.82 GiB total, 1.8 GiB free.
F: is Fixed (FAT32) - 6.9 GiB total, 6.87 GiB free.
G: is CDROM (No Media)
H: is CDROM (CDFS)
I: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 4D040H2 - 38.16 GiB - 4 partitions
\PARTITION0 (bootable) - Unknown - 9.77 GiB - C:
\PARTITION1 - Unknown - 14.65 GiB - D:
\PARTITION2 - Unknown - 6.83 GiB - E:
\PARTITION3 - Unknown - 6.91 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users.WINDOWS
APPDATA=D:\Documents and Settings\Dave\Application Data
CLASSPATH=.;D:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=JOLLY1
ComSpec=D:\WINDOWS\system32\cmd.exe
HOMEDRIVE=D:
HOMEPATH=\
KENNUNG=123
KUNDEN_KENNUNG=123
LOGONSERVER=\\JOLLY1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\PROGRA~1\COMMON~1\AUTODE~1;D:\PROGRA~1\COMMON~1\ROXIOS~1\DLLSHA~1;D:\WPAT;D:\Program Files\QuickTime\QTSystem\;D:\Program Files\Common Files\Autodesk Shared\;D:\Program Files\Internet Explorer;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 4 Stepping 4, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0404
ProgramFiles=D:\Program Files
PROMPT=$P$G
PS5ROOT=D:\Program Files\Roxio\Easy CD Creator 6\PhotoSuite\
QTJAVA=D:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
STATIONS_NUMMER=11
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\Dave\LOCALS~1\Temp
TMP=D:\DOCUME~1\Dave\LOCALS~1\Temp
USERDOMAIN=JOLLY1
USERNAME=Dave
USERPROFILE=D:\Documents and Settings\Dave
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dave (admin)
Elaine (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

AVG Anti-Spyware 7.5 --> D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
HijackThis 2.0.2 --> "D:\Program Files\Hijackthis\HijackThis.exe" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type8630 / Error
Event Submitted/Written: 11/07/2007 01:20:55 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type8590 / Error
Event Submitted/Written: 11/07/2007 10:03:41 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Initialization of the COM subsystem failed. Error code: 0x8007041D

Event Record #/Type8568 / Error
Event Submitted/Written: 11/07/2007 08:39:58 AM
Event ID/Source: 48 / NSCService
Event Description:
Failed to create the COM Module!

Event Record #/Type8535 / Error
Event Submitted/Written: 11/07/2007 01:06:24 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type8534 / Error
Event Submitted/Written: 11/07/2007 01:04:18 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type125218 / Error
Event Submitted/Written: 11/07/2007 11:41:00 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 119 minutes.
NtpClient has no source of accurate time.

Event Record #/Type125217 / Error
Event Submitted/Written: 11/07/2007 11:41:00 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type125181 / Error
Event Submitted/Written: 11/07/2007 10:40:59 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 59 minutes.
NtpClient has no source of accurate time.

Event Record #/Type125180 / Error
Event Submitted/Written: 11/07/2007 10:40:59 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type125161 / Error
Event Submitted/Written: 11/07/2007 10:10:58 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2007-11-07 13:27:00 ------------
Haystacks
Active Member
 
Posts: 2
Joined: November 6th, 2007, 6:08 pm
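
The event-log sections of the DSS report above are the part a helper reads most closely, and they are tedious to eyeball. As an added example that is not part of the thread and not DSS or MalwareRemoval.com tooling, the Python below parses the "Event Record #/Type" blocks into structured records, tallies them per source and event ID, and flags pairs that repeat (here the iexplore.exe Application Hang). The sample text is constructed from the entries posted above; the date format is assumed to be month/day/year, as the report's 2007-11-07 footer implies, and the multi-line description of the LiveUpdate entry (which contains a blank line) is handled rather than truncated.

```python
# Added example: parse the "Event Record #/Type" blocks of a DSS report into
# structured records and tally them per source, so repeat offenders stand out.
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout DSS prints; field labels, IDs and sources
# are copied from the report above. It is test input, not a live read.
SAMPLE_DSS = """\
-- Application Event Log -------------------------------------------------------

Event Record #/Type8630 / Error
Event Submitted/Written: 11/07/2007 01:20:55 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type8590 / Error
Event Submitted/Written: 11/07/2007 10:03:41 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Initialization of the COM subsystem failed. Error code: 0x8007041D

Event Record #/Type8535 / Error
Event Submitted/Written: 11/07/2007 01:06:24 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2600.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- System Event Log ------------------------------------------------------------

Event Record #/Type125217 / Error
Event Submitted/Written: 11/07/2007 11:41:00 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)
"""

SECTION_RE = re.compile(r"^-- (?P<name>.+?) -{3,}$", re.MULTILINE)
RECORD_RE = re.compile(
    r"Event Record #/Type(?P<record>\d+) / (?P<level>\w+)\n"
    r"Event Submitted/Written: (?P<when>[^\n]+)\n"
    r"Event ID/Source: (?P<event_id>\d+) / (?P<source>[^\n]+)\n"
    r"Event Description:\n"
    # the description runs until the next record or the end of the section;
    # a blank line inside it (as in the LiveUpdate entry) does not end it
    r"(?P<description>.*?)(?=\n\nEvent Record #/Type|\s*\Z)",
    re.DOTALL,
)
HEX_CODE_RE = re.compile(r"0x[0-9A-Fa-f]{8}")  # HRESULTs such as 0x8007041D


def parse_dss_events(report):
    """Return one dict per event record, tagged with the section it came from."""
    events = []
    headers = list(SECTION_RE.finditer(report))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(report)
        for m in RECORD_RE.finditer(report[hdr.end():end]):
            desc = m.group("description").strip()
            events.append({
                "section": hdr.group("name"),
                "record": int(m.group("record")),
                "level": m.group("level"),
                # assumed month/day/year, as the report's 2007-11-07 footer implies
                "when": datetime.strptime(m.group("when"), "%m/%d/%Y %I:%M:%S %p"),
                "event_id": int(m.group("event_id")),
                "source": m.group("source").strip(),
                "description": desc,
                "error_codes": HEX_CODE_RE.findall(desc),
            })
    return events


def count_by_source(events):
    """Tally records by (source, event ID)."""
    return Counter((e["source"], e["event_id"]) for e in events)


def flag_repeats(events, threshold=2):
    """(source, event ID) pairs seen at least `threshold` times, most frequent first."""
    return [k for k, n in count_by_source(events).most_common() if n >= threshold]


def summarize(events):
    """One line per record, oldest first, in a shape that pastes cleanly into a reply."""
    return "\n".join(
        f"{e['when']:%Y-%m-%d %H:%M}  {e['source']} ({e['event_id']})  "
        f"codes={','.join(e['error_codes']) or '-'}"
        for e in sorted(events, key=lambda e: e["when"])
    )
```

Running `summarize(parse_dss_events(open("dss_report.txt").read()))` on a full report prints the events in time order with any hex error codes pulled out, and `flag_repeats` gives the helper the sources that keep failing without scrolling through the whole dump. The regex anchors on the exact labels DSS prints, so a report from a different scanner would need its own record pattern.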

Unread postby SNOWHITE » November 8th, 2007, 12:36 am

Hello Haystacks,

Did you encounter any error messages while running DSS?

Please follow the steps below exactly in the order they are written:

Step #1

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Step #2

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #3

  • Open HijackThis, click Config, then click Misc Tools.
  • Click "Open Uninstall Manager".
  • Click "Save List" (this generates uninstall_list.txt).
  • Click Save, then copy and paste the results in your next post.



Please post back with the VundoFix report, a new HijackThis log and the uninstall list.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm

Re: Would Appreciate Assistance with Haywire PC

Unread postby Gary R » November 20th, 2007, 7:22 am

Due to lack of response this topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
Gary R
Administrator
 
Posts: 21782
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware