Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Anybody help please?

Post by pc plodder » February 28th, 2009, 5:06 am

Hi, I'm new to this forum so I hope I'm posting correctly. :?
I have problems with my p.c. I keep getting infected with all sorts of stuff, up until now nothing terminal, but my log looks to have suspicious entries and, as I don't know what I'm doing, I wondered if an expert could run an eye over it and tell me what, if anything, needs deleting. :?

P.C is an Elonex desktop
XP home edition SP3 and all updated
Eset nod32 antivirus
Superantispyware
Spywareblaster
Hijack this
CWshredder are all loaded

Log as follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20:15, on 25/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\system32\csrss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\dldncoms.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\SearchIndexer.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS.0\STK02N\STK02NM.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS.0\System32\alg.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\twex.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEDfenderBHO - {FC8A493F-D236-4653-9A03-2BF4FD94F643} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS.0\system32\dldncoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS.0\System32\TuneUpDefragService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6412 bytes

Thanks in anticipation
Steve
pc plodder
Regular Member

Re: Anybody help please?

Post by John B. » March 5th, 2009, 11:48 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me how long it will take so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.

Finally, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic. Also post a new HijackThis log.

Regards,
John.
John B.
MRU Master Emeritus
Location: The Netherlands

Re: Anybody help please?

Post by pc plodder » March 5th, 2009, 12:36 pm

Hi John
Thanks for replying to my post via the 72 hour section.

I understand how busy you all are with these logs and appreciate all the techs work on our behalf.

I will post logs ASAP.
pc plodder
Regular Member

Re: Anybody help please?

Post by pc plodder » March 5th, 2009, 1:34 pm

Hi again John

Lists you require are below

Uninstall list

ABBYY FineReader 6.0 Sprint
Abra Academy 2 - Returning Cast
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
Atlantis Quest
Dell V105
Elf Bowling The Last Insult
ESET Smart Security
EVEREST Home Edition v2.20
FUJIFILM FinePixViewer S Ver.2.1
Futuremark Measurement Services Client
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Java(TM) 6 Update 12
K-Lite Codec Pack 3.9.0 Standard
Mahjong Escape Ancient Japan (remove only)
Mahjong Mysteries of the Past 1.00
Mahjong The Endless Journey
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Pandora's Box
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Mozilla Firefox (3.0.1)
NVIDIA Drivers
Panda ActiveScan 2.0
Paranormal Agency
Realtek High Definition Audio Driver
Ricochet Xtreme
ScanToWeb
Scientific Atlanta WebSTAR 100 & 200 series Cable Modem
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Spelling Dictionaries Support For Adobe Reader 8
SpywareBlaster 4.1
STK02N 2.3
SUPERAntiSpyware Free Edition
Totem Tribe
TRS2006
TuneUp Utilities 2008
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Window Washer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Install Manager
Yahoo! Toolbar


HijackThis log 2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:14:31, on 05/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\dldncoms.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS.0\system32\SearchIndexer.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS.0\STK02N\STK02NM.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\twex.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: IEDfenderBHO - {FC8A493F-D236-4653-9A03-2BF4FD94F643} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/ ... dl.sun.com
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS.0\system32\dldncoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS.0\System32\TuneUpDefragService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7392 bytes

Regards
pc plodder
Regular Member

Re: Anybody help please?

Post by John B. » March 5th, 2009, 2:12 pm

Hi,

Before I start I would like to know if you know about these lines:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


This is what they represent:
http://www.bleepingcomputer.com/tutoria ... tml#O6Diag
This section corresponds to an Administrative lock down for changing the options or homepage in Internet explorer by changing certain settings in the registry.


They could be set by you, or if you are not the owner of the computer maybe the owner has set it. It could also have been malware, so that is why I am asking.

Are you the real owner of this computer or is this a corporate machine? Or have you set those restrictions yourself because you want to protect it against, for instance, children?

Please let me know if this is a corporate machine and if you have set those or not.

Regards,
John.
John B.
MRU Master Emeritus
Location: The Netherlands

Re: Anybody help please?

Post by pc plodder » March 6th, 2009, 12:17 pm

Hello John

No, I'm afraid I know nothing of this. I am not that p.c. literate. I have not set anything to do with Internet Explorer.

I can remember I had loads of trouble with it (Internet Explorer 7) when it was downloaded and installed with a Windows update. I lost the Internet Options icon on the Control Panel and it took ages of searching, uninstalling and reinstalling to get the icon back up.

Many people have told me I should have downloaded the update from Microsoft and then clicked "custom install" and not installed IE7, as they said it was still in beta, whatever that means.

My Internet Options icon looks different from other people's who still have IE6 installed.

That's about all I can tell you, John. This is my own p.c., not on any network, just in my home.

Sorry to sound vague, but I am not that much up on computing; that's why I posted the log on the forum. I didn't know if anything needed deleting, so I leave well alone and hope more experienced people can help.

Regards
Steve
pc plodder
Regular Member

Re: Anybody help please?

Post by John B. » March 6th, 2009, 5:27 pm

Hi Steve,

Not a problem at all, just needed to know that. Let's fix some orphaned stuff and run a scanner. I have spotted some malware but do not yet know what it exactly is.

Step 1: Remove HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: IEDfenderBHO - {FC8A493F-D236-4653-9A03-2BF4FD94F643} - (no file)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Step 2: Download and Run ComboFix
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti-virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

Go on with the ComboFix guide; when it opens its log, please close it.

Remember that the ComboFix log is saved here: C:\ComboFix.txt

Step 3: Post logs
Please post the following logs in a reply to this topic:
  • New HijackThis log
  • ComboFix log

Regards,
John.
John B.
MRU Master Emeritus
Location: The Netherlands
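As an added example (not code from this thread, from Trend Micro's HijackThis or from the forum), the short Python reviewer below applies the two checks John's replies describe: O6 lines, which show that Internet Explorer policy restrictions are present (legitimate on a locked-down corporate machine, worth questioning on a home PC whose owner never set them), and O2 BHO entries that end in "(no file)", the orphaned entries removed in Step 1. It also diffs two logs so that the entries that appeared between scans can be reviewed, and lists the lines a helper would tick in HijackThis for the current-user (HKCU) restrictions and orphaned BHOs, mirroring John's Step 1 selection. The finding names, the function names and the sample logs (a constructed subset of the two logs posted above) are this example's own.

```python
"""
Reviewer for HijackThis v2.0.x log entries (added example; not code from
the thread, from Trend Micro or from the forum).

Checks applied, following the helper's explanation in the thread:
  * O6 entries: Internet Explorer policy restrictions present under
    HKCU or HKLM (reported so the owner can be asked whether they set them);
  * O2 BHO entries ending in "(no file)": orphaned entries.
The finding names, helper names and sample logs are constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Matches entry lines such as "O2 - BHO: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2", "O6", "O23"
    body: str      # everything after "Oxx - "


def parse_log(text: str) -> List[Entry]:
    """Keep only the entry lines; the header and process list are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def review(entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Return (finding, entry) pairs for the two checks described above."""
    findings = []
    for e in entries:
        if e.section == "O6":
            findings.append(("ie-policy-restriction", e))
        elif e.section == "O2" and e.body.endswith("(no file)"):
            findings.append(("orphaned-bho", e))
    return findings


def fix_candidates(entries: List[Entry]) -> List[str]:
    """Lines to tick in HijackThis, mirroring the Step 1 selection in the
    thread: orphaned BHOs plus the current-user (HKCU) O6 restrictions.
    HKLM policy lines are reported by review() but left for the helper."""
    lines = []
    for kind, e in review(entries):
        if kind == "orphaned-bho" or e.body.startswith("HKCU\\"):
            lines.append(f"{e.section} - {e.body}")
    return lines


def _key(e: Entry):
    return (e.section, e.body)


def diff_logs(old: List[Entry], new: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries that appeared and entries that disappeared between two scans."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set, key=_key), sorted(old_set - new_set, key=_key)


# Constructed subset of the 25/02/2009 log posted in the thread.
LOG_FEB = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20:15, on 25/02/2009

Running processes:
C:\WINDOWS.0\system32\csrss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IEDfenderBHO - {FC8A493F-D236-4653-9A03-2BF4FD94F643} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Constructed subset of the 05/03/2009 log: the same entries plus the Java
# installation that appeared between the two scans.
LOG_MAR = LOG_FEB + r"""O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""


if __name__ == "__main__":
    feb, mar = parse_log(LOG_FEB), parse_log(LOG_MAR)
    for kind, e in review(feb):
        print(f"[{kind}] {e.section} - {e.body}")
    print("Tick in HijackThis:", *fix_candidates(feb), sep="\n  ")
    added, removed = diff_logs(feb, mar)
    print(f"{len(added)} entries added since the February scan, {len(removed)} removed")
    for e in added:
        print(f"  + {e.section} - {e.body}")
```

Run on the two constructed logs it reports the four O6 policy lines and the one orphaned BHO, lists the three lines John had ticked in Step 1 (the two HKCU policy lines and the orphaned BHO), and shows that everything new in the March scan belongs to the Java installation. Keeping HKLM policy entries as findings rather than automatic fix candidates matches the thread: the helper first asks whether the owner set them, then decides.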

Re: Anybody help please?

Post by pc plodder » March 6th, 2009, 8:52 pm

O.K. John, I will do as you asked.

I have a problem in that I am away now until Monday afternoon, so I'm sorry I won't be able to start it until then; it's something I can't get out of.

Please accept my apologies for this. I appreciate the help you are giving me and the way you put things so I can understand them.

I will post the requested logs ASAP on Monday.

Have a good weekend, my friend.
Regards
Steve
pc plodder
Regular Member

Re: Anybody help please?

Post by John B. » March 7th, 2009, 4:55 am

Hi Steve,

Thanks for letting me know and I will keep this topic open until Thursday.

Regards,
John.
John B.
MRU Master Emeritus
Location: The Netherlands

Re: Anybody help please?

Post by pc plodder » March 9th, 2009, 7:51 am

Hello John

Hope you had a good weekend.

I have run the scans as you asked (took me a while to read and understand the ComboFix tutorial, but I went through it very carefully and it went as the tutorial said... Phew).

Scans are below.

BTW, 2 things:

I deleted the O6 policy restrictions in HijackThis log (2) as you asked, but noticed there were another 2 the same. I have left these just in case you wanted them left; please advise if you want me to delete these also.

It may be a clue for you or might be another problem. Sometimes when I click Restart the p.c. shuts down and I have to boot it up again. As I say, this may be an XP issue and not malware, but I thought I should tell you anyway.

ComboFix log

ComboFix 09-03-06.02 - The Prout Family 2009-03-09 11:33:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.196 [GMT 0:00]
Running from: c:\documents and settings\The Prout Family.ELONEX\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Microsoft Common
c:\windows.0\system32\a.exe
c:\windows.0\system32\twain32
c:\windows.0\system32\twain32\local.ds
c:\windows.0\system32\twain32\user(10)(2).ds
c:\windows.0\system32\twain32\user(11)(2).ds
c:\windows.0\system32\twain32\user(12)(2).ds
c:\windows.0\system32\twain32\user(13)(2).ds
c:\windows.0\system32\twain32\user(14)(2).ds
c:\windows.0\system32\twain32\user(15)(2).ds
c:\windows.0\system32\twain32\user(16)(2).ds
c:\windows.0\system32\twain32\user(17)(2).ds
c:\windows.0\system32\twain32\user(2)(2).ds
c:\windows.0\system32\twain32\user(2)(5).ds
c:\windows.0\system32\twain32\user(2)(6).ds
c:\windows.0\system32\twain32\user(3)(3).ds
c:\windows.0\system32\twain32\user(3)(4).ds
c:\windows.0\system32\twain32\user(4)(3).ds
c:\windows.0\system32\twain32\user(4)(4).ds
c:\windows.0\system32\twain32\user(5)(3).ds
c:\windows.0\system32\twain32\user(5)(4).ds
c:\windows.0\system32\twain32\user(6)(3).ds
c:\windows.0\system32\twain32\user(6)(4).ds
c:\windows.0\system32\twain32\user(7)(3).ds
c:\windows.0\system32\twain32\user(7)(4).ds
c:\windows.0\system32\twain32\user(8)(3).ds
c:\windows.0\system32\twain32\user(8)(4).ds
c:\windows.0\system32\twain32\user(9)(3).ds
c:\windows.0\system32\twain32\user(9)(4).ds
c:\windows.0\system32\twain32\user.ds
c:\windows.0\system32\twain32\user.ds.lll

.
((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-05 15:09 . 2009-03-05 15:09 <DIR> d-------- c:\windows.0\Sun
2009-03-05 15:09 . 2009-03-05 15:08 410,984 --a------ c:\windows.0\system32\deploytk.dll
2009-03-05 15:09 . 2009-03-05 15:08 73,728 --a------ c:\windows.0\system32\javacpl.cpl
2009-03-05 15:08 . 2009-03-05 15:08 <DIR> d-------- c:\program files\Java
2009-03-02 23:56 . 2009-03-07 15:20 <DIR> d-------- c:\documents and settings\The Prout Family.ELONEX\Application Data\Abra Academy2
2009-03-02 11:23 . 2009-03-02 11:23 <DIR> d-------- c:\documents and settings\The Prout Family.ELONEX\Application Data\ESET
2009-03-02 11:22 . 2009-03-02 11:22 <DIR> d-------- c:\program files\ESET
2009-03-02 11:22 . 2009-03-02 11:22 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\ESET
2009-02-27 00:21 . 2009-02-27 00:21 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\ThumbnailCache4R
2009-02-25 20:10 . 2009-02-25 20:10 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-25 20:10 . 2009-02-25 20:10 <DIR> d-------- c:\documents and settings\The Prout Family.ELONEX\Application Data\SUPERAntiSpyware.com
2009-02-25 20:10 . 2009-02-25 20:10 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\SUPERAntiSpyware.com
2009-02-25 19:57 . 2009-02-25 19:58 <DIR> d-------- c:\windows.0\LastGood(2).Tmp
2009-02-24 21:26 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows.0\system32\dllcache\ntprint.cat
2009-02-20 10:56 . 2009-02-20 10:56 <DIR> d-------- c:\documents and settings\The Prout Family.ELONEX\Application Data\Skunk Studios
2009-02-17 10:56 . 2008-06-19 16:24 28,544 --a------ c:\windows.0\system32\drivers\pavboot.sys
2009-02-12 20:38 . 2009-02-12 20:42 <DIR> d-------- c:\documents and settings\The Prout Family.ELONEX\Application Data\ArcSoft
2009-02-12 20:37 . 2009-02-12 20:37 <DIR> d-------- c:\program files\Common Files\ArcSoft
2009-02-12 20:37 . 2003-03-18 22:14 499,712 -ra------ c:\windows.0\system32\msvcp71.dll
2009-02-12 20:37 . 2005-04-27 16:36 245,408 --a------ c:\windows.0\system32\unicows.dll
2009-02-12 20:36 . 2006-11-10 15:05 18,688 --a------ c:\windows.0\system32\drivers\afc.sys
2009-02-12 20:35 . 2009-02-12 20:37 <DIR> d-------- c:\program files\ArcSoft
2009-02-12 20:35 . 1995-08-01 04:44 212,480 --a------ c:\windows.0\PCDLIB32.DLL
2009-02-12 20:34 . 2009-02-12 20:34 <DIR> d-------- c:\windows.0\STK02N
2009-02-12 20:34 . 2007-03-12 14:25 101,520 --a------ c:\windows.0\system32\drivers\STK02NW2.sys
2009-02-12 20:34 . 2007-03-12 14:28 40,960 --a------ c:\windows.0\system32\STK02NP.ax
2009-02-12 20:34 . 2007-03-12 14:25 33,728 --a------ c:\windows.0\system32\drivers\STK02NW1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 11:17 --------- d---a-w c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2009-03-09 11:17 --------- d-----w c:\program files\SpywareBlaster
2009-03-07 16:15 --------- d---a-w c:\program files\Between The Worlds
2009-03-04 17:48 --------- d-----w c:\program files\Sky Games
2009-03-04 17:48 --------- d-----w c:\program files\GameHouse
2009-03-02 23:50 --------- d-----w c:\program files\LeeGTs Games
2009-02-25 20:09 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 19:58 --------- d-----w c:\documents and settings\The Prout Family.ELONEX\Application Data\Network Associates
2009-02-25 19:58 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\Network Associates
2009-02-25 19:51 --------- d-----w c:\program files\Mystery Legends - Sleepy Hollow
2009-02-20 10:58 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\Enkord
2009-02-20 10:52 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\MumboJumbo
2009-02-12 20:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-09 18:03 --------- d-----w c:\program files\Mahjong Quest 2
2009-01-29 21:33 --------- d-----w c:\program files\MahJong Quest 3 - Balance of Life
2009-01-29 12:00 --------- d---a-w c:\program files\Haunted Hotel 2 - Believe the Lies
2009-01-29 10:19 --------- d-----w c:\program files\Reference Assemblies
2009-01-29 10:19 --------- d-----w c:\program files\MSBuild
2009-01-24 19:53 --------- d-----w c:\program files\The Wizard's Pen
2009-01-24 19:48 --------- d-----w c:\program files\Steveredrum
2009-01-24 19:48 --------- d-----w c:\documents and settings\The Prout Family.ELONEX\Application Data\Meridian93
2009-01-24 19:46 --------- d-----w c:\documents and settings\The Prout Family.ELONEX\Application Data\Shape games
2009-01-24 19:37 --------- d-----w c:\program files\Games
2009-01-24 19:35 --------- d-----w c:\program files\Mahjong The Endless Journey
2009-01-24 19:28 --------- d-----w c:\documents and settings\The Prout Family.ELONEX\Application Data\Jetsetter
2009-01-24 19:24 --------- d-----w c:\program files\Gourmania
2009-01-24 19:21 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\PlayPond
2009-01-24 19:16 --------- d-----w c:\documents and settings\The Prout Family.ELONEX\Application Data\PlayFirst
2009-01-24 19:16 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\PlayFirst
2009-01-22 19:55 --------- d-----w c:\program files\BFG
2009-01-22 19:04 --------- d-----w c:\program files\Panda Security
2009-01-22 17:45 --------- d-----w c:\program files\EPSON
2009-01-11 20:05 --------- d-----w c:\program files\Abbyy FineReader 6.0 Sprint
2009-01-11 20:04 --------- d-----w c:\documents and settings\The Prout Family.ELONEX\Application Data\Dell Imaging Toolbox
2009-01-11 19:59 --------- d-----w c:\program files\Dell V105
2009-01-11 19:55 --------- d-----w c:\program files\Dell
2007-10-26 13:14 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-06-16 18:53 32,768 --sha-w c:\windows.0\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061620080617\index.dat
2008-08-30 18:44 32,768 --sha-w c:\windows.0\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"ctfmon.exe"="c:\windows.0\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2008-09-17 86016]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-06-24 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-06-24 16624]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-09-17 13574144]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-24 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 148888]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 c:\windows.0\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows.0\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows.0\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-02-09 303104]
STK02N 2.3 PNP Monitor.lnk - c:\windows.0\STK02N\STK02NM.exe [2009-02-12 163840]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-09-17 22:55 1657376 c:\windows.0\system32\nwiz.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS.0\\system32\\dldncoms.exe"=
"c:\\Program Files\\Dell V105\\dldnmon.exe"=
"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\dldnpswx.exe"=
"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\dldnjswx.exe"=
"c:\\Program Files\\Dell V105\\dldnlscn.exe"=

R0 pavboot;pavboot;c:\windows.0\system32\drivers\pavboot.sys [2009-02-17 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 dldn_device;dldn_device;c:\windows.0\system32\dldncoms.exe -service --> c:\windows.0\system32\dldncoms.exe -service [?]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2008-10-24 468224]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2008-04-16 598856]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;c:\windows.0\system32\drivers\SACMXP1.sys [2003-11-20 14848]
S2 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows.0\system32\spool\drivers\w32x86\3\dldnserv.exe [2009-01-11 99568]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows.0\system32\drivers\WebSTAR.sys [2008-04-16 15417]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows.0\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 14:17]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 11:37:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (3) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users.WINDOWS.0\\Application Data\\ESET\\ESET Smart Security\\"
"DataDir"="ESET\\ESET Smart Security\\"
"EditionName"="Student Edition"
"InstallDir"="c:\\Program Files\\ESET\\ESET Smart Security\\"
"LanguageId"=dword:00000409
"ProductBase"=dword:00000001
"ProductCode"="{4CEBE5E6-D1FD-4BDF-8C9C-29A9A3CC2B7C}"
"ProductName"="ESET Smart Security"
"ProductType"="ess"
"ProductVersion"="3.0.684.0"
"UniqueId"="0006AC9E49ABC1A1"
"ScannerBuild"=dword:00000ed0
"ScannerVersionId"=dword:00000de1
"ScannerVersion"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1224)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows.0\system32\dldncoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows.0\system32\nvsvc32.exe
c:\windows.0\system32\searchindexer.exe
c:\windows.0\system32\rundll32.exe
c:\program files\Dell V105\dldnmsdmon.exe
c:\windows.0\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-09 11:38:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-09 11:38:54

Pre-Run: 231,497,908,224 bytes free
Post-Run: 231,436,660,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

243 --- E O F --- 2009-02-25 20:01:34


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:59, on 09/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\dldncoms.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS.0\system32\SearchIndexer.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS.0\STK02N\STK02NM.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS.0\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/ ... dl.sun.com
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS.0\system32\dldncoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS.0\System32\TuneUpDefragService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6783 bytes
pc plodder
Regular Member
 
Posts: 17
Joined: February 28th, 2009, 4:56 am

Re: Anybody help please?

Unread postby John B. » March 9th, 2009, 11:03 am

Hi,

I have run the scans as you asked (took me a while to read and understand the ComboFix tutorial but I carefully went through it and it went as the tutorial said... Phew)

Looks like you did it really well. Everything was disabled and the scanner did what it should.

I deleted the O6 policy restrictions in the HijackThis log (2) as you asked, but noticed there were another 2 the same. I have left these just in case you wanted them left; please advise if you want me to delete these also.

Sorry for not making that clear. They should have been deleted.

It may be a clue for you or might be another problem. Sometimes when I click restart the PC shuts down and I have to boot it up again. As I say, this may be an XP issue and not malware, but I thought I should tell you anyway.

We will target these things after you are all clean.

Your log looks much better, but I just want to be sure ComboFix got it all. That is why we will run one more scanner.

Step 1: Remove HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Step 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 3: Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 4: Show your hidden files
To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon (or click Start, then select My Computer)
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.

Step 5: Delete file
Use Explorer to navigate to and delete the following file (if present):

C:\WINDOWS.0\system32\twex.exe

Now just exit Explorer.

Step 6: Reboot your computer
To make sure everything has taken effect.

Step 7: Post logs
Please post the following logs in a reply to this topic (use multiple posts if needed):
  • Tell me how your computer is. Explain in detail what problems you still have (if any).
  • New HijackThis log
  • MalwareBytes' Anti-Malware log

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

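The checks John does by eye on these logs, as an added example written for this thread (it is not part of HijackThis and was not posted by anyone in the topic; the two log excerpts inside are constructed from entry lines that appear above): pull the entry lines out of a HijackThis log, flag the kinds of entries a helper looks at first (O6 IE policy restrictions, O23 services with no known owner, O4 startup links whose target could not be resolved), and diff two scans to confirm what disappeared and what is new.

```python
"""Parse HijackThis-style log lines and compare two scans of the same PC.

Example code written for this thread; it is not part of HijackThis and was
not posted by anyone in the topic. The two log excerpts below are constructed
from entry lines that appear in this topic.
"""
import re

# Every HJT entry line starts with a section code such as R0, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

# Constructed excerpt in the shape of the 09/03/2009 log.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS.0\system32\dldncoms.exe
"""

# Constructed excerpt in the shape of the 11/03/2009 log: the O6 lines are
# gone and one new O16 (downloaded ActiveX control) line has appeared.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS.0\system32\dldncoms.exe
"""


def parse_hjt(log_text):
    """Return a list of (code, body) tuples, one per HJT entry line.

    Header lines ("Logfile of ...", "Running processes:") and the process
    list are skipped because they do not start with a section code.
    """
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag_entries(entries):
    """Return (code, body, reason) for entries a helper would look at first.

    O6  : IE policy restrictions present, which malware often plants to lock
          the user out of Internet Options.
    O23 : a service whose owner HJT could not identify ("Unknown owner") or
          that carries no owner at all ("- -"); usually a printer or OEM
          driver, but it has to be confirmed by hand.
    O4  : a startup shortcut whose target HJT could not resolve ("= ?").
    """
    flagged = []
    for code, body in entries:
        if code == "O6" and "Policies\\Microsoft\\Internet Explorer" in body:
            flagged.append((code, body, "IE policy restriction present"))
        elif code == "O23" and ("Unknown owner" in body or " - - " in body):
            flagged.append((code, body, "service without a known owner"))
        elif code == "O4" and body.rstrip().endswith("= ?"):
            flagged.append((code, body, "startup link target not resolved"))
    return flagged


def diff_hjt(before_text, after_text):
    """Return (removed, added): entries that vanished between two scans and
    entries that are new, each sorted by (code, body)."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for code, body, reason in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"[{reason}] {code} - {body}")
    removed, added = diff_hjt(BEFORE_LOG, AFTER_LOG)
    print("removed since last scan:", [c + " - " + b for c, b in removed])
    print("new since last scan:   ", [c + " - " + b for c, b in added])
```

Run it on the full logs pasted in this thread (saved from HijackThis as text) and the diff shows exactly the two O6 lines removed in the 11/03/2009 log and the one new O16 line.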
Re: Anybody help please?

Unread postby pc plodder » March 10th, 2009, 8:25 am

Thanks for the reply John.

I will run the scans you asked for and delete the 2 O6 entries.

Have to post it tomorrow though as i have to go to work now.

Thanks again for all your help

Regards
Steve
pc plodder
Regular Member
 
Posts: 17
Joined: February 28th, 2009, 4:56 am

Re: Anybody help please?

Unread postby John B. » March 10th, 2009, 1:06 pm

No problem, Steve.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Anybody help please?

Unread postby pc plodder » March 11th, 2009, 8:10 am

Hi John

I've done all you asked in your last post and the logs are listed below for your inspection.

I opened Explorer and looked for the file in the Windows system32 folder, but all that was in there was twext.dll. Hope I did this correctly as I've never used Explorer before. I did also search for it with the search function but it said nothing was found. Your advice on this if you would be so kind (if I did it correctly and should I leave twext.dll there).

I have put the file system back as it was, i.e. reversed all the check marks etc. that you told me to do; I did this after all your instructions had been completed.

The system seems to be running better and quicker than before. So far when I restart my system it does it OK and hasn't shut down as it usually does now and then, or maybe I've just been lucky.

Anyway, logs for your inspection


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:00, on 11/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\dldncoms.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\SearchIndexer.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS.0\STK02N\STK02NM.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/ ... dl.sun.com
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS.0\system32\dldncoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS.0\System32\TuneUpDefragService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6849 bytes


Anti-Malware log

Malwarebytes' Anti-Malware 1.34
Database version: 1835
Windows 5.1.2600 Service Pack 3

11/03/2009 11:40:01
mbam-log-2009-03-11 (11-40-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179138
Time elapsed: 27 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\The Prout Family.ELONEX\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS.0\system32\drivers\etc\services (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Regards
Steve
pc plodder
Regular Member
 
Posts: 17
Joined: February 28th, 2009, 4:56 am

Re: Anybody help please?

Unread postby John B. » March 11th, 2009, 12:39 pm

Hi Steve,

Your advice on this if you would be so kind (if I did it correctly and should I leave twext.dll there)

Well, take a look at this:
http://www.processlibrary.com/directory/files/twext/
twext.dll is a module associated with Microsoft® Windows® Operating System from Microsoft Corporation.

You did right by keeping it, in case you do not understand the above ;)

The system seems to be running better and quicker than before. So far when I restart my system it does it OK and hasn't shut down as it usually does now and then, or maybe I've just been lucky.

What I hoped to hear.

This is my normal post for when you are clear - which you now are - or seem to be.
Please advise of any problems you still have. If you think you're clean please give one more reply so that I can archive this topic.

Now that you are clean, I have some tips & tricks for you to keep your computer clean and secure. The first few (like removing dangerous tools and Windows Update) have to be done; the others are optional (beginning with SpywareBlaster).

It may seem like your system will be over-protected with all these things installed, but a lot of these programs aren't always running in the background, so they don't slow down your computer. Please take a look at the following things:
  • Uninstall tools - The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.
    • Go to Start
    • Click on Run
    • Type ComboFix /u (Note: This command is case sensitive.)
    After doing that with ComboFix, do this with OTCleanIt to remove the tools not removed by ComboFix.
    • Download OTCleanIt from http://download.bleepingcomputer.com/ol ... leanIt.exe to your desktop.
    • Click the OTCleanIt icon on your desktop.
    • Click the CleanUp button.
    • If you get any pop ups asking if it is OK let the program proceed.
    • At the end the program will ask to let it reboot the computer. Let it do so.
    You may delete any logs and other tools left on the desktop.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your antivirus software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You can download it from this website:
    WinPatrol
    The developer is a well-known man in the MalWare Removal business. If you really like WinPatrol think about upgrading to the PLUS version. It will give you additional features and you will only have to pay once, for your whole malware-free life.
  • Install MVPS HOSTS - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    For information on how to download and install, please read this tutorial here:
    WinHelp2002
    Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
  • Use an alternative Internet Browser - Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox << Most used, I use this one myself.
    Opera
  • Bookmark general cleanup link - It could be that your computer is becoming slower and slower. This is not always caused by malware. Most of the time it's malware when your computer suddenly gets slow or behaves strangely. When the slowdown increases gradually, check (so bookmark now) this link for tips & tricks:
    What to do if your Computer's running slowly
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints called Malware Complaints. Please register there first! Then follow the instructions here:
http://images.malwarecomplaints.info/We ... general=on

>> Here << you can see how you can help us.

May your God go with you..

John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
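As an added example that is not part of the thread above, here is a PowerShell script that checks the two manual settings John's post asks for: the Internet zone ActiveX/IFRAME options (the "Make your Internet Explorer more secure" steps) and the DNS Client service that the MVPS HOSTS tutorial tells you to disable. The registry key, the URL action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the DWORD meanings (0 = Enable, 1 = Prompt, 3 = Disable) are assumptions taken from Microsoft's documented zone settings, not from the post; the script is mine, not the forum's.

```powershell
# Added example, not part of the original thread. Audits the per-user
# Internet zone settings the post tightens by hand, and the DNS Client
# service state that matters before installing a large custom hosts file.
# Assumptions (not from the page): the Internet zone is zone 3 under the
# HKCU Internet Settings key; the action IDs below are Microsoft's documented
# URL action values; DWORD 0/1/3 mean Enable/Prompt/Disable.
# Run as the user whose Internet Explorer settings you want to check.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Target values mirror the post's list: Prompt (1) or Disable (3).
$Recommended = @{
    1001 = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    1004 = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    1201 = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    1800 = @{ Name = 'Installation of desktop items';                             Want = 1 }
    1804 = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    1607 = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneHardening {
    # Reports each setting; with -Fix, writes the recommended value as well.
    param([switch]$Fix)

    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($id in ($Recommended.Keys | Sort-Object)) {
        $entry = $Recommended[$id]
        $prop  = $props.PSObject.Properties[[string]$id]
        $cur   = if ($prop) { [int]$prop.Value } else { $null }

        # A lower number is more permissive, so anything below the target is
        # weak. A missing value means IE's built-in default applies, which the
        # registry alone does not reveal, so it is flagged for manual review.
        $state = if ($null -eq $cur)           { 'NOT SET - check manually' }
                 elseif ($cur -lt $entry.Want) { 'WEAK' }
                 else                          { 'ok' }

        if ($Fix -and $state -ne 'ok') {
            Set-ItemProperty -Path $ZoneKey -Name $id -Value $entry.Want -Type DWord
            $state = "fixed -> $($Label[$entry.Want])"
        }

        $curText = if ($null -eq $cur) { '-' }
                   elseif ($Label.ContainsKey($cur)) { $Label[$cur] }
                   else { "$cur" }
        New-Object PSObject -Property @{
            Action  = $id
            Setting = $entry.Name
            Current = $curText
            Wanted  = $Label[$entry.Want]
            State   = $state
        }
    }
}

function Test-HostsFileSetup {
    # The MVPS HOSTS step says to disable the DNS Client service first: with
    # the service running, a hosts file of tens of thousands of lines makes
    # name resolution noticeably slow. $env:SystemRoot also copes with the
    # WINDOWS.0 directory seen in the HijackThis log.
    $hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = @(Get-Content $hosts -ErrorAction Stop |
                 Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' }).Count
    $svc = Get-WmiObject Win32_Service -Filter "Name='Dnscache'"

    $note = if ($entries -gt 1000 -and $svc.StartMode -ne 'Disabled') {
                'Large hosts file with DNS Client enabled: disable the service as the tutorial says'
            } else { 'ok' }
    New-Object PSObject -Property @{
        HostsEntries   = $entries
        DnsClientState = $svc.State
        DnsClientStart = $svc.StartMode
        Note           = $note
    }
}

Test-InternetZoneHardening | Format-Table Action, Setting, Current, Wanted, State -AutoSize
Test-HostsFileSetup | Format-List
```

Run it once before and once after following the post's steps; the State column should go from WEAK to ok for every action, and `Test-InternetZoneHardening -Fix` applies the same values without going through the dialog. Anything reported as NOT SET is left alone on purpose, since the effective value then comes from the zone template rather than the registry and should be confirmed in the Custom Level dialog.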