IUSER_ADMIN has hijacked my computer

Re: IUSER_ADMIN has hijacked my computer

Post by oh2knowhim » October 8th, 2008, 6:57 pm

No one I know has an installation cd.

I have tried deleting the account after we ran all these tools. It still will not allow me to delete it.

I have two accounts: my account, which is administrator, and IUSER_ADMIN.

I have tried deleting it in both modes. All the times before, I was only successful in Safe Mode, but I have tried both modes.

Here is the ComboFix log:

ComboFix 08-10-08.02 - IUSER_Admin 2008-10-08 17:48:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.605 [GMT -5:00]
Running from: C:\Documents and Settings\IUSER_Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\IUSER_Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-07 09:26 . 2008-10-07 09:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-10-05 16:37 . 2008-10-05 16:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-05 16:37 . 2008-10-05 16:37 <DIR> d-------- C:\Documents and Settings\IUSER_Admin\Application Data\Malwarebytes
2008-10-05 16:37 . 2008-10-05 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-05 16:37 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 16:37 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-05 16:35 . 2008-10-05 16:35 <DIR> d-------- C:\_OTMoveIt
2008-10-04 17:46 . 2008-10-08 17:48 <DIR> d-------- C:\quarantine
2008-10-02 15:38 . 2008-10-02 15:38 <DIR> d-------- C:\Program Files\VS Revo Group
2008-10-02 15:13 . 2008-10-02 15:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 14:44 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-10-02 14:44 . 2008-10-02 14:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-02 14:33 . 2008-10-02 14:33 <DIR> d-------- C:\Documents and Settings\IUSER_Admin\Application Data\Share-to-Web Upload Folder
2008-10-02 14:32 . 2007-07-13 12:30 <DIR> d---s---- C:\Documents and Settings\IUSER_Admin\UserData
2008-10-02 14:32 . 2008-10-02 14:32 <DIR> d-------- C:\Documents and Settings\IUSER_Admin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-08 16:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-08 15:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-08 09:50 --------- d-----w C:\Program Files\Spyware Doctor
2008-10-07 14:26 --------- d-----w C:\Program Files\Common Files\Real
2008-10-07 14:25 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-07 14:25 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-10-05 18:56 --------- d-----w C:\Program Files\lg_fwupdate
2008-09-08 09:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-09-07 06:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-09-07 04:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-09-03 15:53 --------- d-----w C:\Program Files\Sun
2008-09-03 15:53 --------- d-----w C:\Program Files\Java
2008-08-30 17:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-29 18:01 --------- d-----w C:\Program Files\Yahoo!
2008-08-23 19:31 --------- d-----w C:\Program Files\NOS
2008-08-23 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-23 19:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-23 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-04 01:07 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 01:07 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 01:07 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 01:07 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 01:07 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 01:07 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 01:07 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 01:07 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- C:\WINDOWS\system32\svchost.exe ----
Company: Microsoft Corporation
File Description: Generic Host Process for Win32 Services
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: svchost.exe
MD5: a4f27dd224f1ca2e5ae2fa67636c7dd2


------- Sigcheck -------

2004-08-03 20:07 14336 a4f27dd224f1ca2e5ae2fa67636c7dd2 C:\WINDOWS\system32\svchost.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-04_17.54.01.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-30 17:54:38 2,560 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-10-07 14:42:09 2,560 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-08-30 17:54:38 34,304 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-10-07 14:42:10 34,304 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-08-30 17:54:38 8,192 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-10-07 14:42:10 8,192 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-08-30 17:54:38 3,584 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-10-07 14:42:10 3,584 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-08-30 17:54:38 114,688 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-10-07 14:42:10 114,688 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-08-30 17:54:38 16,384 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-10-07 14:42:10 16,384 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-08-30 17:54:38 30,720 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-10-07 14:42:10 30,720 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-08-30 17:54:38 22,528 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-10-07 14:42:09 22,528 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-08-30 17:54:38 45,056 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-10-07 14:42:10 45,056 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-08-30 17:54:38 90,112 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-10-07 14:42:09 90,112 ----a-r C:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-10-02 19:44:14 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-07 14:25:23 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-02 19:44:14 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-07 14:25:23 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-02 19:44:14 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-07 14:25:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-11 18:58:31 375,168 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2006-04-20 12:18:35 360,576 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2007-08-11 18:58:34 375,168 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2006-04-20 12:18:35 360,576 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2007-09-13 10:12:01 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 2008-10-07 14:25:40 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
- 2007-09-13 10:12:07 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
+ 2008-10-07 14:25:45 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
- 2007-09-13 10:12:07 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
+ 2008-10-07 14:25:45 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
- 2007-09-13 10:12:27 185,688 ----a-w C:\WINDOWS\system32\rmoc3260.dll
+ 2008-10-07 14:26:04 185,944 ----a-w C:\WINDOWS\system32\rmoc3260.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-08-15 11:07 4192 C:\Documents and Settings\Administrator\Application Data\ClearPlay Inc\ClearPlay Easy Updates\1.0.1.4\v_Oh2knowhim@hotmail.com
2008-08-01 12:16 4192 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP316\A0032551.com

C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.0\Setup Files\READER9\Setup.exe
2008-06-12 02:10 341352 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP325\A0032740.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.0\Setup Files\Setup.exe
2008-06-12 02:10 308584 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP325\A0032741.exe

2008-10-07 05:30 51200 C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Current\VSCANDAT1000\DAT\0000\validate.exe
{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP305\A0031484.exe

C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
2008-10-03 05:30 51200 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP348\A0061623.exe

C:\Program Files\Adobe\Security Update\HotFix64.exe
2008-06-07 03:25 54272 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP324\A0032642.exe

2008-10-07 09:26 90112 C:\Program Files\Common Files\Real\Codecs\atrc.dll
2007-09-13 05:12 77824 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061456.dll

2008-10-07 09:26 77824 C:\Program Files\Common Files\Real\Codecs\cook.dll
2007-09-13 05:12 65536 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061455.dll

2008-10-07 09:26 106496 C:\Program Files\Common Files\Real\Codecs\drv1.dll
2007-09-13 05:12 102400 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061459.dll

2008-10-07 09:26 180224 C:\Program Files\Common Files\Real\Codecs\drv2.dll
2007-09-13 05:12 176128 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061460.dll

2008-10-07 09:26 286720 C:\Program Files\Common Files\Real\Codecs\drvc.dll
2007-09-13 05:12 266240 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061461.dll

2008-10-07 09:26 557056 C:\Program Files\Common Files\Real\Codecs\raac.dll
2007-09-13 05:12 552960 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061454.dll

2008-10-07 09:26 35328 C:\Program Files\Common Files\Real\Codecs\rv10.dll
2007-09-13 05:12 49152 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061462.dll

2008-10-07 09:26 57344 C:\Program Files\Common Files\Real\Codecs\rv20.dll
2007-09-13 05:12 57344 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061463.dll

2008-10-07 09:26 53248 C:\Program Files\Common Files\Real\Codecs\rv30.dll
2007-09-13 05:12 49152 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061464.dll

2008-10-07 09:26 49152 C:\Program Files\Common Files\Real\Codecs\rv40.dll
2007-09-13 05:12 49152 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061465.dll

2008-10-07 09:26 139264 C:\Program Files\Common Files\Real\Codecs\sipr.dll
2007-09-13 05:12 106496 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061453.dll

2008-10-07 09:26 163840 C:\Program Files\Common Files\Real\Common\objb3201.dll
2007-09-13 05:12 172032 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061489.dll

2008-10-07 09:25 1486848 C:\Program Files\Common Files\Real\Common\pnen3260.dll
2007-09-13 05:12 1310720 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061278.dll

2008-10-07 09:25 413696 C:\Program Files\Common Files\Real\Common\pngu3267.dll
2007-09-13 05:12 421888 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061350.dll

2008-10-07 09:25 12800 C:\Program Files\Common Files\Real\Common\pnrs3260.dll
2007-09-13 05:12 28672 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061351.dll

2008-10-07 09:26 147456 C:\Program Files\Common Files\Real\Common\rjbviz.dll
2007-09-13 05:12 147456 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061483.dll

2008-10-07 09:25 12288 C:\Program Files\Common Files\Real\Common\rppr3260.dll
2007-09-13 05:12 28672 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061347.dll

2008-10-07 09:26 26112 C:\Program Files\Common Files\Real\Common\rpun3260.dll
2007-09-13 05:12 36864 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061273.dll

2008-10-07 09:26 30208 C:\Program Files\Common Files\Real\Common\security.dll
2007-09-13 05:12 45056 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061546.dll

2008-10-07 09:25 81920 C:\Program Files\Common Files\Real\Common\twebbrowse.dll
2007-09-13 05:12 81920 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061317.dll

2008-10-07 09:26 110592 C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll
2007-09-13 05:12 110592 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061498.dll

2008-10-07 09:26 1145896 C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe
2007-09-13 05:12 1145896 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061497.exe

C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller98.exe
2007-09-13 05:12 733712 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061496.exe

2008-10-07 09:26 77824 C:\Program Files\Common Files\Real\Plugins\aacff.dll
2007-09-13 05:12 69632 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061503.dll

2008-10-07 09:26 135168 C:\Program Files\Common Files\Real\Plugins\audplin.dll
2007-09-13 05:12 86016 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061517.dll

2008-10-07 09:25 45056 C:\Program Files\Common Files\Real\Plugins\authmgr.dll
2007-09-13 05:11 53248 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061296.dll

2008-10-07 09:25 17408 C:\Program Files\Common Files\Real\Plugins\cdda3260.dll
2007-09-13 05:11 36864 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061295.dll

2008-10-07 09:25 25088 C:\Program Files\Common Files\Real\Plugins\clbascauth.dll
2007-09-13 05:11 40960 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061294.dll

2008-10-07 09:25 44032 C:\Program Files\Common Files\Real\Plugins\clntxres.dll
2007-09-13 05:12 53248 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061274.dll

2008-10-07 09:26 73728 C:\Program Files\Common Files\Real\Plugins\cont3260.dll
2007-09-13 05:12 65536 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061514.dll

2008-10-07 09:26 233472 C:\Program Files\Common Files\Real\Plugins\fpsechnd.dll
2007-09-13 05:12 233472 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061580.dll

2008-10-07 09:25 204800 C:\Program Files\Common Files\Real\Plugins\httpfsys.dll
2007-09-13 05:11 176128 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061293.dll

2008-10-07 09:25 49152 C:\Program Files\Common Files\Real\Plugins\hxsdp.dll
2007-09-13 05:11 40960 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061292.dll

2008-10-07 09:26 90112 C:\Program Files\Common Files\Real\Plugins\hxxml.dll
2007-09-13 05:12 86016 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061484.dll

2008-10-07 09:26 507904 C:\Program Files\Common Files\Real\Plugins\imgrender.dll
2007-09-13 05:12 532480 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061474.dll

2008-10-07 09:25 86016 C:\Program Files\Common Files\Real\Plugins\memfsys.dll
2007-09-13 05:11 77824 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061291.dll

2008-10-07 09:26 53248 C:\Program Files\Common Files\Real\Plugins\mp3fformat.dll
2007-09-13 05:12 45056 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061481.dll

2008-10-07 09:26 69632 C:\Program Files\Common Files\Real\Plugins\mp3metaff.dll
2007-09-13 05:12 65536 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061482.dll

2008-10-07 09:26 163840 C:\Program Files\Common Files\Real\Plugins\mp3render.dll
2007-09-13 05:12 151552 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061480.dll

2008-10-07 09:26 135168 C:\Program Files\Common Files\Real\Plugins\mp4arender.dll
2007-09-13 05:12 126976 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061502.dll

2008-10-07 09:26 90112 C:\Program Files\Common Files\Real\Plugins\mp4fformat.dll
2007-09-13 05:12 73728 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061501.dll

2008-10-07 09:26 122880 C:\Program Files\Common Files\Real\Plugins\mp4wrtr.dll
2007-09-13 05:12 98304 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061524.dll

2008-10-07 09:26 69632 C:\Program Files\Common Files\Real\Plugins\mpgfformat.dll
2007-09-13 05:12 69632 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061520.dll

2008-10-07 09:26 184320 C:\Program Files\Common Files\Real\Plugins\mpgrender.dll
2007-09-13 05:12 172032 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061519.dll

2008-10-07 09:25 29184 C:\Program Files\Common Files\Real\Plugins\ntlmauth.dll
2007-09-13 05:12 45056 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061290.dll

2008-10-07 09:25 364544 C:\Program Files\Common Files\Real\Plugins\pacplin.dll
2007-09-13 05:12 360448 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061289.dll

2008-10-07 09:26 65536 C:\Program Files\Common Files\Real\Plugins\pdgenxferfsys.dll
2007-09-13 05:12 73728 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061592.dll

2008-10-07 09:25 73728 C:\Program Files\Common Files\Real\Plugins\plusplin.dll
2007-09-13 05:12 57344 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061288.dll

2008-10-07 09:25 24064 C:\Program Files\Common Files\Real\Plugins\pxcb3210.dll
2007-09-13 05:12 40960 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061287.dll

2008-10-07 09:25 31744 C:\Program Files\Common Files\Real\Plugins\ramfformat.dll
2007-09-13 05:12 45056 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061286.dll

2008-10-07 09:25 77824 C:\Program Files\Common Files\Real\Plugins\ramrender.dll
2007-09-13 05:12 57344 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061285.dll

2008-10-07 09:26 159744 C:\Program Files\Common Files\Real\Plugins\rarender.dll
2007-09-13 05:12 151552 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061457.dll

2008-10-07 09:26 19968 C:\Program Files\Common Files\Real\Plugins\recf3260.dll
2007-09-13 05:12 36864 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061515.dll

2008-10-07 09:25 184320 C:\Program Files\Common Files\Real\Plugins\rmfformat.dll
2007-09-13 05:12 176128 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061284.dll

2008-10-07 09:26 278528 C:\Program Files\Common Files\Real\Plugins\rmwrtr.dll
2007-09-13 05:12 282624 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061523.dll

2008-10-07 09:26 35328 C:\Program Files\Common Files\Real\Plugins\rmxfpln.dll
2007-09-13 05:12 65536 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061553.dll

2008-10-07 09:26 90112 C:\Program Files\Common Files\Real\Plugins\rmxrend.dll
2007-09-13 05:12 106496 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061544.dll

2008-10-07 09:25 53248 C:\Program Files\Common Files\Real\Plugins\rn5auth.dll
2007-09-13 05:12 45056 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061283.dll

2008-10-07 09:26 114688 C:\Program Files\Common Files\Real\Plugins\rtfformat.dll
2007-09-13 05:12 110592 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061473.dll

2008-10-07 09:26 135168 C:\Program Files\Common Files\Real\Plugins\rtrender.dll
2007-09-13 05:12 122880 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061472.dll

2008-10-07 09:26 159744 C:\Program Files\Common Files\Real\Plugins\rvrender.dll
2007-09-13 05:12 172032 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061458.dll

2008-10-07 09:26 49152 C:\Program Files\Common Files\Real\Plugins\sdpplin.dll
2007-09-13 05:12 45056 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061477.dll

2008-10-07 09:26 30208 C:\Program Files\Common Files\Real\Plugins\security.dll
2007-09-13 05:12 45056 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061545.dll

2008-10-07 09:25 61440 C:\Program Files\Common Files\Real\Plugins\smlfformat.dll
2007-09-13 05:12 61440 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061282.dll

2008-10-07 09:25 520192 C:\Program Files\Common Files\Real\Plugins\smlrender.dll
2007-09-13 05:12 532480 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061281.dll

2008-10-07 09:25 61440 C:\Program Files\Common Files\Real\Plugins\smmrender.dll
2007-09-13 05:12 57344 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061280.dll

2008-10-07 09:25 86016 C:\Program Files\Common Files\Real\Plugins\smplfsys.dll
2007-09-13 05:12 69632 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061277.dll

2008-10-07 09:26 17920 C:\Program Files\Common Files\Real\Plugins\stubdrm.dll
2007-09-13 05:12 32768 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061476.dll

2008-10-07 09:26 114688 C:\Program Files\Common Files\Real\Plugins\swfformat.dll
2007-09-13 05:12 94208 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061467.dll

2008-10-07 09:26 630784 C:\Program Files\Common Files\Real\Plugins\swfrender.dll
2007-09-13 05:12 614400 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061466.dll

2008-10-07 09:26 57344 C:\Program Files\Common Files\Real\Plugins\tfilesys.dll
2007-09-13 05:12 57344 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061552.dll

2008-10-07 09:26 176128 C:\Program Files\Common Files\Real\Plugins\vidplin.dll
2007-09-13 05:12 167936 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061518.dll

2008-10-07 09:25 376832 C:\Program Files\Common Files\Real\Plugins\vidsite.dll
2007-09-13 05:12 376832 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061279.dll

2008-10-07 09:26 172032 C:\Program Files\Common Files\Real\Plugins\wm9fformat.dll
2007-09-13 05:12 176128 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061510.dll

2008-10-07 09:26 14848 C:\Program Files\Common Files\Real\Plugins\wm9writer.dll
2007-09-13 05:12 28672 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061509.dll

2008-10-07 09:26 172032 C:\Program Files\Common Files\Real\Plugins\wmsechnd.dll
2007-09-13 05:12 180224 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061507.dll

2008-10-07 09:25 167936 C:\Program Files\Common Files\Real\Plugins\zipf3260.dll
2007-09-13 05:12 172032 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061276.dll

2008-10-07 09:26 139264 C:\Program Files\Common Files\Real\RCAPlugins\gct23201.dll
2007-09-13 05:12 155648 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061488.dll

2008-10-07 09:26 77824 C:\Program Files\Common Files\Real\RCAPlugins\gema3201.dll
2007-09-13 05:12 90112 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061491.dll

2008-10-07 09:26 450560 C:\Program Files\Common Files\Real\RCAPlugins\gemx3201.dll
2007-09-13 05:12 450560 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061490.dll

2008-10-07 09:26 102400 C:\Program Files\Common Files\Real\RCAPlugins\locd3210.dll
2007-09-13 05:12 102400 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061513.dll

2008-10-07 09:26 724992 C:\Program Files\Common Files\Real\RCAPlugins\rpcontrols1.dll
2007-09-13 05:12 757760 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061486.dll

2008-10-07 09:26 647168 C:\Program Files\Common Files\Real\RCAPlugins\rpcontrols2.dll
2007-09-13 05:12 692224 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061485.dll

2008-10-07 09:26 348160 C:\Program Files\Common Files\Real\RCAPlugins\sonr3210.dll
2007-09-13 05:12 196608 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061516.dll

2008-10-07 09:26 389120 C:\Program Files\Common Files\Real\RCAPlugins\uisy3201.dll
2007-09-13 05:12 446464 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061487.dll

2008-10-07 09:26 57344 C:\Program Files\Common Files\Real\RCAPlugins\xmlc3201.dll
2007-09-13 05:12 53248 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061492.dll

2008-10-07 09:25 368640 C:\Program Files\Common Files\Real\Update_OB\faus3270.dll
2007-09-13 05:11 397312 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061266.dll

2008-10-07 09:25 24064 C:\Program Files\Common Files\Real\Update_OB\pnmi3270.dll
2007-09-13 05:11 36864 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061267.dll

2008-10-07 09:25 192512 C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe
2007-09-13 05:11 193816 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061259.exe

2008-10-07 09:25 69632 C:\Program Files\Common Files\Real\Update_OB\realonemessagecenter.exe
2007-09-13 05:11 69632 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061270.exe

2008-10-07 09:25 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2007-09-13 05:11 185632 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061269.exe

2008-10-07 09:25 98304 C:\Program Files\Common Files\Real\Update_OB\rnad3201.dll
2007-09-13 05:11 98304 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061268.dll

2008-10-07 09:25 319488 C:\Program Files\Common Files\Real\Update_OB\rnms3270.dll
2007-09-13 05:11 335872 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061272.dll

2008-10-07 09:25 303104 C:\Program Files\Common Files\Real\Update_OB\rnqu3270.dll
2007-09-13 05:11 311296 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061265.dll

2008-10-07 09:25 176128 C:\Program Files\Common Files\Real\Update_OB\rnup3270.dll
2007-09-13 05:11 184320 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061264.dll

2008-10-07 09:25 58952 C:\Program Files\Common Files\Real\Update_OB\rnxproc.exe
2007-09-13 05:11 58648 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061271.exe

2008-10-07 09:25 79424 C:\Program Files\Common Files\Real\Update_OB\rpelevation.dll
2007-09-13 05:11 124480 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061260.dll

2008-10-07 09:25 311296 C:\Program Files\Common Files\Real\Update_OB\setu3270.dll
2007-09-13 05:11 311296 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061261.dll

2008-10-07 09:25 323584 C:\Program Files\Common Files\Real\Update_OB\upgr3270.dll
2007-09-13 05:11 348160 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061263.dll

2008-10-07 09:25 136768 C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe
2007-09-13 05:11 335872 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP347\A0061262.exe

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\CCERASER.DLL
2008-08-25 09:15 2389552 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058854.DLL

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\ECMSVR32.DLL
2008-08-25 09:15 259440 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058855.DLL

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\EECTRL.SYS
2008-08-25 09:15 371248 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058856.SYS

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\ERASER.SYS
2008-08-25 09:15 99376 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058858.SYS

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\hub.scr
2008-08-25 09:15 750 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058859.scr

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\NAVENG.SYS
2008-08-25 09:15 89104 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058860.SYS

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\NAVENG32.DLL
2008-08-25 09:15 177520 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058861.DLL

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\NAVEX15.SYS
2008-08-25 09:15 873552 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058862.SYS

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080825.020\NAVEX32A.DLL
2008-08-25 09:15 1176944 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058863.DLL

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\CCERASER.DLL
2008-09-06 03:00 2393648 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058839.DLL

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\ECMSVR32.DLL
2008-08-25 09:15 259440 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058840.DLL

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\EECTRL.SYS
2008-09-06 03:00 371248 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058841.SYS

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\ERASER.SYS
2008-09-06 03:00 99376 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058843.SYS

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\hub.scr
2008-08-25 09:15 750 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058844.scr

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\NAVENG.SYS
2008-08-25 09:15 89104 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058845.SYS

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\NAVENG32.DLL
2008-08-25 09:15 177520 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058846.DLL

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\NAVEX15.SYS
2008-08-25 09:15 873552 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058847.SYS

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20080906.003\NAVEX32A.DLL
2008-08-25 09:15 1176944 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058848.DLL

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\cceraser.dll
2008-08-25 09:15 2389552 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058869.dll

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ecmsvr32.dll
2008-08-25 09:15 259440 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058870.dll

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\eeCtrl.sys
2008-08-25 09:15 371248 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058871.sys

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sys
2008-08-25 09:15 99376 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342\A0058873.sys

C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng.sys
2008-10-03 16:42 0 {5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP342
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 TLRecAgent;TLRecAgent;C:\WINDOWS\system32\DRIVERS\TLRecAgent.sys [2008-03-13 36976]
R2 KodakSvc;Kodak AiO Device Service;C:\Program Files\Kodak\printer\center\KodakSvc.exe [2008-02-28 18944]
R2 VService;VService;C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe [2008-01-17 104976]
S3 scusbvip;VL1800 USB Driver;C:\WINDOWS\system32\DRIVERS\scusbvip.sys [2008-03-13 609936]
S3 SLVAD_simple;Zoom Virtual Audio Device;C:\WINDOWS\system32\drivers\slvad.sys [2008-03-13 84912]

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-03 20:07]

2008-10-02 C:\WINDOWS\Tasks\Norton Security Scan for IUSER_Admin.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 17:50:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-08 17:52:15
ComboFix-quarantined-files.txt 2008-10-08 22:52:11
ComboFix2.txt 2008-10-05 16:57:45
ComboFix3.txt 2008-10-04 23:31:58
ComboFix4.txt 2008-10-04 22:54:44

Pre-Run: 23,833,784,320 bytes free
Post-Run: 23,874,011,136 bytes free

431 --- E O F --- 2008-07-30 17:48:44

********************************************************************************************
----------------------------------------------------------------------------------------------------------------------

Here is the new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:46 PM, on 10/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4348352218
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe

--
End of file - 8519 bytes
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 11th, 2008, 4:06 am

Hello!

Sorry for the delay.

Your computer's svchost.exe file is infected and it needs to be replaced. Are you able to get hold of a copy of it from another computer, a Windows CD, or from a recovery partition (if one exists)? If you are unable to do any of those, we can try the following scan (Dr Web CureIt) to see if the scan can 'heal' the file. A word of warning though: if the scan is unable to heal the file it will quarantine/delete the file, and this may cause the computer not to boot. Normally, Windows would protect itself against such events but, without another copy of svchost.exe onboard, it will not be able to replace the deleted file. This is why I've been asking if you can get another copy of the file. Unfortunately, you're in a bit of a Catch-22 situation.

Are you able to create a new administrator account?
Is the other user account a normal administrator account?


Dr.Web CureIt

Download to the desktop: Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan-tab, remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    Image
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Image
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Dr Web Cure It Log
  • A fresh HijackThis Log ( after all the above has been done)
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 11th, 2008, 12:01 pm

We found out yesterday that my brother is going to be able to get a Windows XP cd for us very cheap through his school. We do not know how long it will take to get here. Do I need to message you when I get it or do I just need to start a new topic? I have no idea how to even begin to start this process.

Also, I have an external hard drive connected to this computer. Do I need to check to see if it is infected? I have been saving all my files to it, because I cannot access my D drive. But, I don't know if it is infected.
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 11th, 2008, 2:53 pm

We found out yesterday that my brother is going to be able to get a Windows XP cd for us very cheap through his school. we do not know how long it will take to get here. Do I need to message you when I get it or do I just need to start a new topic? I have no idea how to even begin to start this process.


That is good news. It is good to have a Windows XP installation CD. The Windows CD will have to match the version that has been installed on the computer. You are running Microsoft Windows XP Professional, so it has to be a Microsoft Windows XP Professional CD.

Can you confirm that the computer has a sticker/label with a Windows Pro product key on it?

We will just keep this topic open, but I would like you to keep me posted on how things are going, so I know that you are still planning to come back and finish the cleaning process.

Also, I have an external hard drive connected to this computer. Do I need to check to see if it is infected? I have been saving all my files to it, because I cannot access my D drive. But, I don't know if it is infected.


Do you have all your personal music, pictures and important documents saved on it? We can look into it bit later. First we need to get this computer cleaned.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 11th, 2008, 7:37 pm

Where would the sticker be at on the computer?

so far, IUSER_ADMIN is still very much active. I still cannot delete it.
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 12th, 2008, 5:28 am

Where would the sticker be at on the computer?


It should be on top of the tower. Here you can see examples of the stickers.

so far, IUSER_ADMIN is still very much active. I still cannot delete it.


Hopefully when we get the CD and we can replace svchost.exe, then we can continue dealing with this.

Are you able to create a new administrator account?
Is the other user account a normal administrator account?

Could you please answer this question from my previous post regarding your external hard drive: Do you have all your personal music, pictures and important documents saved on it?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 12th, 2008, 11:48 am

Yes, I do have a sticker. It is on top of the tower.

I have not tried to create a new administrator account. Do you want me to try to? Yes, the other account is a normal administrator account.

Yes, I have all of my music, documents, and pictures saved on my external hard drive. Would that cause it to become infected?
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 12th, 2008, 2:31 pm

Yes, I do have a sticker. It is on top of the tower.


That is good.

I have not tried to create a new administrator account. Do you want me to try to? Yes, the other account is a normal administrator account.


Not yet, we will wait for the installation CD to arrive first.

Yes, I have all of my music, documents, and pictures saved on my external hard drive. Would that cause it to become infected?


We need to run a tool to make sure it is not infected, and also to make sure that you have backups of all your important files.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 14th, 2008, 1:24 am

Ok. That will work. We aren't sure how long it is supposed to take for the disc to arrive. My brother ordered it on Friday, so hopefully it won't be much longer.

I didn't know what I needed to do about the external hard drive. I didn't know if it could also be corrupted. Running a scan later will be fine, I just wanted to make you aware that I did have one and that it was connected to the infected computer. I have, since, disconnected it, just in case.
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 17th, 2008, 9:42 am

Hello!

Next time please post in this topic, so my teachers can see the messages as well.

I just found the Windows XP Professional disc that came with my laptop.

Can we install it on my desktop or do we have to have a new disc for a different computer?


Yes, we can use this CD to do a repair installation of Windows XP Professional. This won't delete your personal data or settings. It will repair the system files.


I STRONGLY RECOMMEND that you make sure that you have all your important personal files, music and photos backed up on your external hard drive.

If you don't know or understand something please don't hesitate to ask.



First Step:

Go to this site How to Perform a Windows XP Repair Install which shows you how to do the repair installation of Windows XP Professional. Read it CAREFULLY. It would be wise to print these instructions.

When it is done try to access your normal user account NOT IUSER_ADMIN. Delete the IUSER_ADMIN user account.

Here are instructions on how to do it.

Second Step:

After you have done the repair installation you have to reapply Windows updates. That can take some time. Also, Service Pack 3 has to be reinstalled.

Go here to get the updates: http://update.microsoft.com/microsoftup ... x?ln=en-us


Third Step:

Please run HijackThis and post a new HijackThis log for me to see.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 18th, 2008, 4:50 pm

Here is the HijackThis log. I was able to delete IUSER_ADMIN's account and all of its files. But when I went to download Service Pack 3, it would not let me download it. It said my security zone policy had blocked it.

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:04 PM, on 10/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.mozilla.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4294171663
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe

--
End of file - 8343 bytes
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm
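The HijackThis logs posted in this thread are reviewed by hand, entry by entry. As an added example (not code from the thread or from HijackThis), the following script parses the O2/O4/O15/O23 line formats seen in the logs above into structured records and applies a few simple review heuristics: an autostart running from a user-profile or temp directory, a service with no publisher recorded (HijackThis prints "Unknown owner", as it does for VService above), and an O15 Trusted Zone entry. The sample lines are constructed in the v2.0.2 format (most copied from the log above; the "updater" line is invented for illustration), and the heuristics are this example's own assumptions, not HijackThis logic.

```python
"""Parse HijackThis v2 log lines into structured autostart entries and
apply a few review heuristics.

Added example: this is not code from the forum thread or from HijackThis.
The sample lines are constructed in the HijackThis v2.0.2 format (the
'updater' line is invented); the review rules are this example's own
assumptions, not HijackThis logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 format.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\user\Application Data\updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: http://www.mozilla.com
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""


@dataclass
class Entry:
    section: str      # HijackThis section code, e.g. "O4" or "O23"
    name: str         # Run-key value name, BHO name, service name or URL
    path: str         # executable/DLL path (or the trusted-zone URL)
    args: str = ""    # command-line arguments, if any
    detail: str = ""  # registry hive (O4), CLSID (O2) or service owner (O23)


_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O4G = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$")
_O15 = re.compile(r"^O15 - Trusted Zone: (?P<url>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Split a Run-key command into the executable (quoted or not) and its arguments.
_CMD = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|scr|com))"?(?:\s+(?P<args>.*))?$', re.I)


def _split_cmd(cmd: str) -> tuple[str, str]:
    m = _CMD.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m["exe"], (m["args"] or "").strip()


def parse_hjt(text: str) -> list[Entry]:
    """Return one Entry per recognised O2/O4/O15/O23 line; other lines are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O2.match(line):
            entries.append(Entry("O2", m["name"], m["path"], detail=m["clsid"]))
        elif m := _O4.match(line):
            exe, args = _split_cmd(m["cmd"])
            entries.append(Entry("O4", m["name"], exe, args, m["hive"]))
        elif m := _O4G.match(line):
            entries.append(Entry("O4", m["name"], m["path"], detail="Global Startup"))
        elif m := _O15.match(line):
            entries.append(Entry("O15", m["url"], m["url"]))
        elif m := _O23.match(line):
            entries.append(Entry("O23", m["name"], m["path"], detail=m["owner"]))
    return entries


# Directories from which an autostart executable deserves a second look (assumption).
_PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def review_entries(entries: list[Entry]) -> list[str]:
    """Return human-readable flags; an empty list means nothing stood out."""
    flags: list[str] = []
    for e in entries:
        low = e.path.lower()
        if e.section in ("O4", "O23") and any(d in low for d in _PROFILE_DIRS):
            flags.append(f"{e.section} {e.name}: autostart runs from a user-profile/temp directory ({e.path})")
        if e.section == "O23" and e.detail == "Unknown owner":
            flags.append(f"{e.section} {e.name}: service has no publisher recorded; verify the file at {e.path}")
        if e.section == "O15":
            flags.append(f"{e.section} {e.name}: Trusted Zone entry relaxes IE security for this site")
    return flags


if __name__ == "__main__":
    for flag in review_entries(parse_hjt(SAMPLE_LOG)):
        print(flag)
```

A flag is a prompt to look closer, not a verdict: the VService entry above belongs to the Zoom phone adaptor software that is visibly installed on this machine, and the Trusted Zone entry for mozilla.com is benign; the point of the parse is to make such entries easy to list and check rather than to read them out of a wall of text.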

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 19th, 2008, 4:48 am

Hello!

Great job. We are almost done.


No Firewall

Looking over your log it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free for personal use firewall NOW from one of these excellent vendors:


If you are using the built-in Windows XP firewall, be aware that it is not recommended, as it does not block outgoing connections. This means that any malware on your computer is free to phone home for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.


Remove programs

Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older more vulnerable versions from your system. Please remove this older version from your computer.

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Java(TM) 6 Update 2


ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • How are things running now ?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
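A Kaspersky Online Scanner report lists every hit as "path Infected: threat-name count", and on a machine that has already been through ComboFix and OTMoveIt many of those hits are files the clean-up tools have already moved into their own quarantine folders (C:\QooBox\Quarantine, C:\_OTMoveIt\MovedFiles) rather than files that are still live. The following script, added here as an example and not part of the thread or of Kaspersky's software, parses such a report and separates quarantined hits from live ones so the helper can see at a glance what still needs action. The report lines are constructed in the scanner's format with placeholder threat names, and the list of quarantine folders is this example's own assumption.

```python
"""Triage a Kaspersky Online Scanner 7 report: separate hits that sit in
clean-up tools' quarantine folders from hits on live files.

Added example, not part of the thread and not Kaspersky's code. The report
lines are constructed in the scanner's 'path Infected: threat count' format
with placeholder threat names; the quarantine-folder list is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample report (format as in a Kaspersky Online Scanner 7 log).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\example.dll.vir Infected: Trojan-Downloader.Win32.Example.a 1
C:\_OTMoveIt\MovedFiles\10052008_163520\WINDOWS\system32\tmp0.bk.old Infected: Trojan.Win32.Example.b 1
C:\WINDOWS\system32\abcdefg.sys Infected: Trojan.Win32.Example.c 1
C:\Documents and Settings\user\Local Settings\Temp\setup tmp.exe Suspicious: Heuristic.Example 1

The selected area was scanned.
"""

# One report line: a path (may contain spaces), a status, a threat name, a count.
_HIT = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# Folders in which clean-up tools park files they have removed (assumed list).
QUARANTINE_DIRS = {
    "\\qoobox\\quarantine\\": "ComboFix quarantine",
    "\\_otmoveit\\movedfiles\\": "OTMoveIt moved files",
    "\\doctorweb\\": "Dr.Web CureIt quarantine",
    "\\system volume information\\": "System Restore point",
}


@dataclass
class Hit:
    path: str
    status: str
    threat: str
    count: int


def parse_report(text: str) -> list[Hit]:
    """Return one Hit per detection line; headers and footers are skipped."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = _HIT.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["status"], m["threat"], int(m["count"])))
    return hits


def quarantine_owner(path: str) -> str | None:
    """Name the tool whose quarantine folder holds this path, or None if it is live."""
    low = path.lower()
    for marker, owner in QUARANTINE_DIRS.items():
        if marker in low:
            return owner
    return None


def triage(hits: list[Hit]) -> dict[str, list[Hit]]:
    """Split hits into those already quarantined and those on live files."""
    result: dict[str, list[Hit]] = {"quarantined": [], "live": []}
    for h in hits:
        bucket = "quarantined" if quarantine_owner(h.path) else "live"
        result[bucket].append(h)
    return result


if __name__ == "__main__":
    buckets = triage(parse_report(SAMPLE_REPORT))
    for h in buckets["quarantined"]:
        print(f"already quarantined by {quarantine_owner(h.path)}: {h.path} ({h.threat})")
    for h in buckets["live"]:
        print(f"LIVE, needs action: {h.path} ({h.status}: {h.threat})")
```

Quarantined hits are cleared when the tool that made them is uninstalled and its folder removed; the live bucket is the short list worth acting on, and a hit in a System Restore point means the restore points need to be flushed once the cleanup is finished, or the file would come back with a restore.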

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 19th, 2008, 6:10 pm

I CANNOT DOWNLOAD ANYTHING ON MY COMPUTER. IT SAYS SECURITY ZONE POLICY HAS BLOCKED IT. I have checked my security settings and everything is set to the right thing. Besides this problem, everything seems to be running fine.

Here are the two logs you asked for.

Kaspersky Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, October 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, October 19, 2008 09:17:39
Records in database: 1322947
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 44669
Threat name: 7
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 01:39:11


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\MSSqlServer.dll.vir Infected: Trojan-Downloader.Win32.Delf.npi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mabidwe.exe.vir Infected: Trojan.Win32.Agent.afya 1
C:\QooBox\Quarantine\C\WINDOWS\system32\soxpeca.exe.vir Infected: Trojan.Win32.Agent.afyd 1
C:\WINDOWS\system32\udxfytw.sys Infected: Trojan.Win32.Agent.afzf 1
C:\_OTMoveIt\MovedFiles\10052008_163520\WINDOWS\system32\tmp0_173781512124.bk.old Infected: Trojan-Clicker.Win32.VB.cam 1
C:\_OTMoveIt\MovedFiles\10052008_163520\WINDOWS\system32\tmp0_383479292051.bk.old Infected: Trojan.Win32.DNSChanger.iox 1
C:\_OTMoveIt\MovedFiles\10052008_163520\WINDOWS\system32\xdufytw.sys Infected: Trojan-Clicker.Win32.VB.bzj 1

The selected area was scanned.
********************************************************************************************
----------------------------------------------------------------------------------------------------------------------

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:01 PM, on 10/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomAgent.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.mozilla.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4294171663
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe

--
End of file - 9475 bytes
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 20th, 2008, 6:57 am

I CANNOT DOWNLOAD ANYTHING ON MY COMPUTER. IT SAYS SECURITY ZONE POLICY HAS BLOCKED IT. I have checked my security settings and everything is set to the right thing.


I see that you have Firefox installed. It might be related to Firefox. Have you tried using Firefox to download anything?

If you haven't tried this, could you please do that:
  • Click Start button
  • From the Windows menu, open Control Panel.
  • Switch to Classic View and double-click Internet Options.
  • Select the Security tab.
  • Click the Custom level... button to change the settings for the Internet zone.
  • Scroll down to the option, Launching applications and unsafe files (under "Miscellaneous").
  • Select Prompt (Recommended).
  • Click the OK button.

If that didn't work, uninstall Firefox and download IE7 (using another computer) from HERE. Reinstall IE7.



You should have OTMoveIt3 installed on your computer. Could you please run it again?

OTMoveIt3
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below.
Code:
:files
C:\WINDOWS\system32\udxfytw.sys
:commands
[EmptyTemp]

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3



Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything bad. This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<<, click Remove.


    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • OTMoveIt3 Log
  • A fresh HijackThis Log (after all the above has been done)
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
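The Kaspersky report above lists seven detections, but six of them are copies already sitting in the ComboFix (C:\QooBox\Quarantine) and OTMoveIt3 (C:\_OTMoveIt\MovedFiles) quarantine folders; only the .sys file in system32 is still live, and that is the one path in the OTMoveIt3 script. The following Python is an added example, not code from this thread or from any of the tools mentioned: it parses report rows of that format, separates quarantined from live detections (assuming the default quarantine folder names shown in the log), and builds the ":files" block; the sample report is constructed from the rows posted above.

```python
"""Triage a Kaspersky Online Scanner 7 report: separate detections that are
already in a removal tool's quarantine from those still live on disk, and
build the OTMoveIt3 ':files' block for the live ones."""
from __future__ import annotations

from dataclasses import dataclass

# Quarantine folders written by the tools used in this thread. A detection
# under one of these is a copy already taken out of play, not an active file.
# Assumption: these are the default folder names the tools use.
QUARANTINE_PREFIXES = (
    "C:\\QooBox\\Quarantine\\",     # ComboFix
    "C:\\_OTMoveIt\\MovedFiles\\",  # OTMoveIt3
)

# Constructed sample input, copied from the rows posted in this thread.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\MSSqlServer.dll.vir Infected: Trojan-Downloader.Win32.Delf.npi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mabidwe.exe.vir Infected: Trojan.Win32.Agent.afya 1
C:\QooBox\Quarantine\C\WINDOWS\system32\soxpeca.exe.vir Infected: Trojan.Win32.Agent.afyd 1
C:\WINDOWS\system32\udxfytw.sys Infected: Trojan.Win32.Agent.afzf 1
C:\_OTMoveIt\MovedFiles\10052008_163520\WINDOWS\system32\tmp0_173781512124.bk.old Infected: Trojan-Clicker.Win32.VB.cam 1
C:\_OTMoveIt\MovedFiles\10052008_163520\WINDOWS\system32\tmp0_383479292051.bk.old Infected: Trojan.Win32.DNSChanger.iox 1
C:\_OTMoveIt\MovedFiles\10052008_163520\WINDOWS\system32\xdufytw.sys Infected: Trojan-Clicker.Win32.VB.bzj 1

The selected area was scanned.
"""


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        """True when the file lives under a known quarantine folder (NTFS
        paths are case-insensitive, so compare lower-cased)."""
        lower = self.path.lower()
        return any(lower.startswith(p.lower()) for p in QUARANTINE_PREFIXES)


def parse_report(text: str) -> list[Detection]:
    """Parse the 'File name / Threat name / Threats count' rows. Each row has
    the shape '<path> Infected: <threat> <count>'; the path may contain
    spaces, so split on the first ' Infected: ' and take the count from the
    last space-separated field."""
    found: list[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if " Infected: " not in line:
            continue  # header, separators, summary lines
        path, rest = line.split(" Infected: ", 1)
        threat, _, count = rest.rpartition(" ")
        found.append(Detection(path, threat, int(count)))
    return found


def live_detections(dets: list[Detection]) -> list[Detection]:
    """Detections that are still at their original location on disk."""
    return [d for d in dets if not d.quarantined]


def otmoveit_script(dets: list[Detection], empty_temp: bool = True) -> str:
    """Build the OTMoveIt3 script for the live detections only. Moving a
    quarantined copy again is pointless; a loaded .sys driver may be busy,
    which is why OTMoveIt3 reports 'scheduled to be deleted on reboot'."""
    lines = [":files"] + [d.path for d in live_detections(dets)]
    if empty_temp:
        lines += [":commands", "[EmptyTemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    detections = parse_report(SAMPLE_REPORT)
    for d in detections:
        state = "quarantined" if d.quarantined else "LIVE"
        print(f"{state:11} {d.threat:40} {d.path}")
    print(otmoveit_script(detections))
```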

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 23rd, 2008, 1:10 am

Here are the two logs you asked for. I apologize for taking so long. Things have been crazy here on my end.

OTMoveIt Log:

========== FILES ==========
File/Folder C:\WINDOWS\system32\udxfytw.sys not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\WARRIO~1\LOCALS~1\Temp\~DF392B.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10222008_232403

********************************************************************************************
----------------------------------------------------------------------------------------------------------------------

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:58 AM, on 10/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomAgent.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.mozilla.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4294171663
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe

--
End of file - 9646 bytes
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm