Solved

PC w/ Spyware not allowing Applications to be installed

Posted on 2007-11-13
579 Views
Last Modified: 2011-10-19
I scanned a PC using an online spyware program and it determined that the PC had a lot of spyware. Since this was only a scanning feature, I tried to d/l various anti-spyware programs (Ad-Aware etc.), but the programs would not completely install. They would reach the 95-99% mark and then fail. This happens to any program that I try to install. I tried installing a newer version of the Windows Installer; that too fails.

I am pretty sure it's due to the spyware/malware on the PC, although the Windows updates seem to install w/o any issues. What can I do about getting programs installed on the computer and then wiping out the malware?
Question by:ILSI
41 Comments
 
LVL 22

Expert Comment

by:orangutang
ID: 20275351
 

Author Comment

by:ILSI
ID: 20275400
I will try this the next time I am at the PC, but do you think it would actually install given my explanation?
 
LVL 22

Expert Comment

by:orangutang
ID: 20275553
I really can't say, but it does use the Windows Installer. However, HijackThis doesn't use Windows Installer, so you should be able to run that and send us your log.
 
LVL 32

Expert Comment

by:willcomp
ID: 20275713
Try running these 3 programs in safe mode. No installation required.
http://forums.majorgeeks.com/showthread.php?t=134965
http://siri.geekstogo.com/SmitfraudFix.php
http://www.majorgeeks.com/download4954.html

If it's the same batch of goodies I've dealt with recently, SUPERAntiSpyware won't install either, and ComboFix (first program on the list) will remove most of the malware.
 

Author Comment

by:ILSI
ID: 20275764
Thanks to both of you. I will use a combination of the two solutions and see what I come up with.
 
LVL 22

Expert Comment

by:orangutang
ID: 20275804
Yeah, that should work but you should also send your HijackThis log after just in case.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20278965
A HijackThis log is an excellent diagnostic tool to start with.
But if you go straight to ComboFix, upload the combofix.txt so we can look whether there are other nasties that need to be removed using the CFScript within ComboFix.
 

Author Comment

by:ILSI
ID: 20309423
Here is the HijackThis File:

Logfile of HijackThis v1.99.1
Scan saved at 6:05:06 PM, on 11/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Natasha\Desktop\Kareem\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp?cf=NZDSLCC
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Pop-up Blocker - {4224FF33-C2EB-4039-B8C8-6EED565B9D96} - C:\Program Files\NetZero DSL\PopupBlocker.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Natasha\LOCALS~1\Temp\tnofdvd.dat
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CTUPGD] c:\progra~1\toolbar\ct5upd1.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.mcg-sms02
O15 - Trusted Zone: *.mcg-sms03
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail.hivresearch.org/iNotes.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50039/QDow.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Combo Text File:

ComboFix 07-11-08.1 - Natasha 2007-11-18 18:07:09.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.1.1252.1.1033.18.392 [GMT -5:00]
Running from: C:\Documents and Settings\Natasha\Desktop\Kareem\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-10-18 to 2007-11-18  )))))))))))))))))))))))))))))))
.

2007-11-18 18:06      51,200      --a------      C:\WINDOWS\NirCmd.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 23:01      ---------      d-----w      C:\Program Files\Symantec AntiVirus
2007-11-18 22:49      ---------      d-----w      C:\Program Files\Toolbar
2007-11-12 01:35      ---------      d-----w      C:\Program Files\Common Files\WinTools
2006-10-20 20:49      194,376      ----a-w      C:\Documents and Settings\Natasha\Application Data\shb.dat
2004-09-30 20:43      56,952      ----a-w      C:\Documents and Settings\Natasha\Application Data\GDIPFONTCACHEV1.DAT
2004-07-15 13:13      59,992      ----a-w      C:\Program Files\msnaddin.exe
2004-06-13 19:40      449      ----a-w      C:\Documents and Settings\Natasha\UpdateReg.reg
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4224FF33-C2EB-4039-B8C8-6EED565B9D96}]
2006-10-17 12:38      225752      --a------      C:\Program Files\NetZero DSL\PopupBlocker.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60112085-E1CE-4e0e-823A-EBB1AD98804C}]
2004-08-07 09:41      69632      --a------      C:\DOCUME~1\Natasha\LOCALS~1\Temp\tnofdvd.dat

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}]
2005-06-14 02:46      192512      --a------      C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}]
2005-06-14 05:44      617472      --a------      C:\PROGRA~1\Toolbar\toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094}]
2005-04-06 00:50      214016      --a------      C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{339BB23F-A864-48C0-A59F-29EA915965EC}"= C:\PROGRA~1\Toolbar\toolbar.dll [2005-06-14 05:44 617472]
"{8E613EAF-E16E-415C-BD39-F71D6A3B5518}"= C:\Program Files\NetZero DSL\Toolbar.dll [2006-10-17 12:38 263640]

[HKEY_CLASSES_ROOT\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}]

[HKEY_CLASSES_ROOT\CLSID\{8E613EAF-E16E-415C-BD39-F71D6A3B5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib\{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{339BB23F-A864-48C0-A59F-29EA915965EC}"= C:\PROGRA~1\Toolbar\toolbar.dll [2005-06-14 05:44 617472]
"{8E613EAF-E16E-415C-BD39-F71D6A3B5518}"= C:\Program Files\NetZero DSL\Toolbar.dll [2006-10-17 12:38 263640]

[HKEY_CLASSES_ROOT\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}]

[HKEY_CLASSES_ROOT\CLSID\{8E613EAF-E16E-415C-BD39-F71D6A3B5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib\{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 18:29]
"TBPS"="C:\PROGRA~1\Toolbar\TBPS.exe" [2006-06-29 06:06]
"WinTools"="C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [2005-06-14 02:46]
"NetZeroDSL"="C:\Program Files\NetZero DSL\ConnectionCenter.exe" [2006-10-16 13:08]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 21:00]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 12:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-29 07:50]
"CTUPGD"="c:\progra~1\toolbar\ct5upd1.exe" [2007-10-22 10:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" [2006-07-11 01:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 14:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-03-17 13:00:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Desktop Firewall Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Desktop Firewall Tray.lnk
backup=C:\WINDOWS\pss\McAfee Desktop Firewall Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvdfont]
C:\WINDOWS\security\LOGS\dvdfont.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Net]
C:\WINDOWS\winlogon.exe -stealth

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
"C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
"C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
C:\Program Files\NetZero\exec.exe regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
"C:\Program Files\NZSearch\nzspc.exe" -w

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
C:\WINDOWS\sysupd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

S1 sdcplh;sdcplh;C:\WINDOWS\System32\drivers\sdcplh.sys
S2 TBPSSvc;WebSeach Toolbar support NT service;C:\PROGRA~1\Toolbar\TBPSSvc.exe
S2 WinToolsSvc;WinTools for IE service;C:\Program Files\Common Files\WinTools\WToolsS.exe
S3 480bd693-36ea-41f2-96ae-c13e3d2f8d83;480bd693-36ea-41f2-96ae-c13e3d2f8d83;\??\D:\CDS300\cds300.dll
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2003-02-03 18:55:47 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 18:09:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???gp]??V??gp]??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp????X??????????????????>?w0 ?w????3??w???g?U?????????g?????CY????????gr]??2???????????<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 18:10:08
.
      --- E O F ---

I won't run the other diags until you guys have a look at the files. Thanks.
 
LVL 22

Expert Comment

by:orangutang
ID: 20309579
Wow, it appears your computer is very infected with some kind of malware. rpggamergirl should be able to help you. These look suspicious:
Anything with:
C:\PROGRA~1\COMMON~1\WinTools\
c:\progra~1\toolbar\
Also, have you tried running any of the tools in safe mode? You may have to run the Windows Installer service manually before trying to install anything.
 
LVL 32

Expert Comment

by:willcomp
ID: 20309744
Run VundoFix to remove wintools. Third program on my previous list of tools.

Download, update, and run SUPERAntiSpyware
http://www.superantispyware.com/download.html

rpggamergirl may have some additional recommendations for specific removal tools, but I don't see anything that VundoFix and SuperAntiSpyware won't take care of.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20317281
It's an old infection; a good scanner like what willcomp suggested should remove those.
I would uninstall/remove anything related to WinTools and Toolbar.


Delete these services --> TBPSSvc, WinToolsSvc
Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop TBPSSvc
sc delete TBPSSvc
sc stop WinToolsSvc
sc delete WinToolsSvc

exit


Fix these if still present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Natasha\LOCALS~1\Temp\tnofdvd.dat
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe  
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [CTUPGD] c:\progra~1\toolbar\ct5upd1.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50039/QDow.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe  
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe


Delete these folders if still present:
C:\PROGRA~1\Toolbar
C:\Program Files\Common Files\WinTools


And also run CCleaner or CleanUp or ATF Cleaner:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser,
to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/
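The two expert comments above (orangutang's "anything with WinTools or Toolbar looks suspicious" and rpggamergirl's list of entries to fix plus the sc stop/sc delete lines) amount to a small set of triage rules for a HijackThis log. The following Python script is an added example, not code from this thread, HijackThis or ComboFix: it applies those rules to HJT lines and prints the sc.exe commands for any flagged service. The directory names and hijack hosts in SUSPECT_DIRS and HIJACK_HOSTS are taken from the comments and log above (they are an assumption, not a HijackThis feature), SAMPLE_LOG is a constructed excerpt of the posted log, and the script only prints commands; it never modifies the registry or services.

```python
"""Triage a HijackThis 1.99 log with the heuristics used in this thread and
emit the sc.exe lines that remove any flagged service.

Added example: not part of HijackThis, ComboFix or this thread's posts.
It only prints commands; it never touches the registry or services itself."""
import re
from dataclasses import dataclass

# Heuristic inputs (assumptions taken from the expert comments above, not a
# HijackThis feature): directories and hosts the experts named as malicious.
SUSPECT_DIRS = ("\\wintools\\", "\\toolbar\\")
HIJACK_HOSTS = ("websearch.com", "trafficsyndicate.com")
MODULE_TYPES = {"R3", "O2", "O3", "O18", "O20"}   # entries that load a module into IE/winlogon
MODULE_EXTS = (".dll", ".ocx")

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<rest>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)$")
UNNAMED_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - http", re.I)

# Constructed sample: lines copied from the log posted above plus two benign
# ones (Java BHO, Symantec service), so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50039
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Natasha\LOCALS~1\Temp\tnofdvd.dat
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50039/QDow.cab
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    entry_type: str
    line: str
    reasons: list


def _target_of(etype, rest):
    """Best-effort: the file path or URL an HJT entry points at."""
    if etype in ("R0", "R1"):                      # registry value = URL
        return rest.split("=", 1)[1].strip() if "=" in rest else ""
    if etype == "O4":                              # [name] command line
        return rest.split("]", 1)[1].strip() if "]" in rest else ""
    return rest.rsplit(" - ", 1)[-1].strip()       # ... - GUID/name - path


def triage_line(line):
    """Return a Finding for a suspicious HJT line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, rest = m.group("type"), m.group("rest")
    target = _target_of(etype, rest).lower()
    reasons = []
    if any(d in target for d in SUSPECT_DIRS):
        reasons.append("loads from a WinTools/Toolbar directory named as malware in this thread")
    if "\\temp\\" in target:
        reasons.append("module runs from a Temp directory")
    if etype in MODULE_TYPES and target and not target.endswith(MODULE_EXTS):
        reasons.append("IE/winlogon module without a .dll/.ocx extension")
    if any(h in target for h in HIJACK_HOSTS):
        reasons.append("points at a search-hijack host")
    if etype == "O23":
        sm = SERVICE_RE.match(rest)
        if sm and sm.group("owner").strip().lower() in ("", "unknown owner"):
            reasons.append("service has no vendor string")
    if etype == "O16" and UNNAMED_DPF_RE.match(rest):
        reasons.append("ActiveX download (DPF) with no friendly name")
    return Finding(etype, line.strip(), reasons) if reasons else None


def triage(log_text):
    """All suspicious entries of a log, in file order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def service_removal_commands(findings):
    """sc.exe lines (as typed in the thread) for every flagged O23 entry.
    If sc later reports error 1060 the service is already gone; that is not a failure."""
    cmds = []
    for f in findings:
        if f.entry_type != "O23":
            continue
        sm = SERVICE_RE.match(f.line.split(" - ", 1)[1])
        if not sm:
            continue
        name = sm.group("short") or sm.group("name")   # sc wants the key name, not the display name
        if " " in name:
            name = f'"{name}"'
        cmds += [f"sc stop {name}", f"sc delete {name}"]
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    print("\n".join(service_removal_commands(found)))
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file contents. The rules are deliberately conservative (a known-bad directory, a module in Temp, a non-DLL registered as a BHO, a vendorless service, an unnamed ActiveX download); they will still flag the occasional legitimate entry, so review each hit before ticking it in HijackThis or pasting the sc lines into cmd.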
 

Author Comment

by:ILSI
ID: 20343733
So far I have tried to stop/delete the services that rpggamergirl mentioned. I got an OpenService FAILED 1060 - The specified service does not exist as an installed service. I am not sure what you mean by "fix this if still present" followed by the long list. I have d/l the ATF Cleaner and will be running it in safe mode.

I have not been able to run Windows Updates from the link in XP. This computer is running XP SP1. I am still having problems installing certain software. What else can I do?
 

Author Comment

by:ILSI
ID: 20343899
I downloaded the SP2 file to run from the computer. I am not sure if I should install this since other installations have failed!
 

Author Comment

by:ILSI
ID: 20343962
rpggamergirl - I realized what you meant by the fix - within HijackThis.

Here is a second HiJackThis Scan:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:43 PM, on 11/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Applications\D2P\setup.exe
D:\Applications\D2P\Install\D2PInstall.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MSIEXEC.EXE
C:\Documents and Settings\Natasha\Desktop\Kareem\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Pop-up Blocker - {4224FF33-C2EB-4039-B8C8-6EED565B9D96} - C:\Program Files\NetZero DSL\PopupBlocker.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CTUPGD] c:\progra~1\toolbar\ct5upd1.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.mcg-sms02
O15 - Trusted Zone: *.mcg-sms03
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device -   - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20344498
The "service doesn't exist" error could be because WinTools has been uninstalled, or HijackThis has already fixed the entries, which disabled the service.
Can you show us a fresh ComboFix log please? Can you install applications yet?

I'm very sorry for not giving the steps; some Askers don't always like being given step-by-step instructions. I should have given them, my fault.

Please run HijackThis again and put a check next to these entries, close all browsers and other windows (except HijackThis) and click the "Fix Checked" button.
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CTUPGD] c:\progra~1\toolbar\ct5upd1.exe


Please check that this folder is gone, delete if still present:
C:\Program Files\Toolbar <-- this folder

You know this file below right? Disc2Phone, and you installed it yourself.
D:\Applications\D2P\Install\D2PInstall.exe


You might like to run an online Kaspersky scan (it won't remove what it finds, but a log will be helpful).

OR: install and run a scanner like AVG Anti-Spyware, free.
http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0

Download and install DrWebCureIt; it's also free and should fix the problem.
http://www.freedrweb.com/
0
 

Author Comment

by:ILSI
ID: 20344542
I haven't been able to install some apps (i.e. a new version of iTunes, Windows Updates, Lexmark printer s/w; the Disc2Phone app claims it was interrupted before the install was completed). Yet I was able to install all of the tools mentioned in this case. I am not at the PC right now, but I will run HJT again and fix those that you mentioned.

Do you think this is the cause of the installation problems for some apps and Windows Updates? I d/l SP2 to install - should I give this a try?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20344574
>>I d/l SP2 to install - should I give this a try?<<
You can try it, but I would suggest first to make sure that your system is free of infections because SP2 won't install properly on an infected machine.


Can you run ComboFix and let's look at the log?
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com for us to check please.
0
 

Author Comment

by:ILSI
ID: 20351717
I have combofix installed on the PC. I will run it a second time when I get the chance. Thanks.
0
 

Author Comment

by:ILSI
ID: 20393158
ComboFix 07-12-02.6 - Natasha 2007-12-02 20:05:58.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.1.1252.1.1033.18.271 [GMT -5:00]
Running from: C:\Documents and Settings\Natasha\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2007-11-03 to 2007-12-03  )))))))))))))))))))))))))))))))
.

2007-11-24 12:00 . 2007-02-22 17:31      344,064      -ra------      C:\WINDOWS\SYSTEM32\lxcycoin.dll
2007-11-24 12:00 . 2006-09-06 05:17      77,824      -ra------      C:\WINDOWS\SYSTEM32\lxcycfg.dll
2007-11-24 12:00 . 2007-06-20 05:18      1,834      -ra------      C:\WINDOWS\SYSTEM32\lxcy.loc
2007-11-18 21:36 . 2007-11-18 21:36      <DIR>      d--------      C:\Program Files\Lavasoft
2007-11-18 21:36 . 2007-11-18 21:36      <DIR>      d--------      C:\Documents and Settings\Natasha\Application Data\Lavasoft
2007-11-18 20:43 . 2007-11-18 20:45      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2007-11-18 20:43 . 2007-11-18 20:43      <DIR>      d--------      C:\Documents and Settings\Natasha\Application Data\SUPERAntiSpyware.com
2007-11-18 20:43 . 2007-11-18 20:43      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 19:31 . 2007-11-18 19:31      2,114      --a------      C:\WINDOWS\SYSTEM32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 15:39      ---------      d-----w      C:\Program Files\Symantec AntiVirus
2007-11-24 21:17      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-19 01:42      ---------      d-----w      C:\Program Files\Common Files\Wise Installation Wizard
2006-10-20 20:49      194,376      ----a-w      C:\Documents and Settings\Natasha\Application Data\shb.dat
2004-09-30 20:43      56,952      ----a-w      C:\Documents and Settings\Natasha\Application Data\GDIPFONTCACHEV1.DAT
2004-07-15 13:13      59,992      ----a-w      C:\Program Files\msnaddin.exe
2004-06-13 19:40      449      ----a-w      C:\Documents and Settings\Natasha\UpdateReg.reg
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4224FF33-C2EB-4039-B8C8-6EED565B9D96}]
2006-10-17 12:38      225752      --a------      C:\Program Files\NetZero DSL\PopupBlocker.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8E613EAF-E16E-415C-BD39-F71D6A3B5518}"= C:\Program Files\NetZero DSL\Toolbar.dll [2006-10-17 12:38 263640]

[HKEY_CLASSES_ROOT\clsid\{8e613eaf-e16e-415c-bd39-f71d6a3b5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib\{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" [2006-07-11 01:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 14:45]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 18:29]
"NetZeroDSL"="C:\Program Files\NetZero DSL\ConnectionCenter.exe" [2006-10-16 13:08]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 21:00]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 12:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-29 07:50]
"CTUPGD"="c:\progra~1\toolbar\ct5upd1.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-03-17 13:00:25]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Desktop Firewall Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Desktop Firewall Tray.lnk
backup=C:\WINDOWS\pss\McAfee Desktop Firewall Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 17:44      679936      --a------      C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
                  BCMSMMSG.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
                  C:\Program Files\Dell Support\DSAgnt.exe /startup
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
                  C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvdfont]
                  C:\WINDOWS\security\LOGS\dvdfont.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-08-14 19:22      28672      -ra------      C:\WINDOWS\System32\DSentry.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Net]
                  C:\WINDOWS\winlogon.exe -stealth
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-12-20 20:54      278528      --a------      C:\Program Files\iTunes\iTunesHelper.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
2002-10-14 15:09      57344      --a------      C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
                  C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
                  C:\Program Files\McAfee.com\Agent\mcagent.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
                  C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2001-08-16 23:41      28738      --a------      C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
                  C:\Program Files\Microsoft Money\System\Money Express.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
                  C:\Program Files\Messenger\msmsgs.exe /background
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
                  C:\Program Files\MSN Messenger\msnmsgr.exe /background
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
                  C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
                  C:\Program Files\NetZero\exec.exe regrun
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
                  RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                  C:\Program Files\QuickTime\qttask.exe -atboottime
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
                  C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
                  C:\Program Files\NZSearch\nzspc.exe -w
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03      36975      --a------      C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
                  C:\WINDOWS\sysupd.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
                  C:\PROGRA~1\Toolbar\TBPS.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 02:00      90112      ---------      C:\WINDOWS\UpdReg.EXE
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
                  c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
                  C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

R1 sdcplh;sdcplh;C:\WINDOWS\System32\drivers\sdcplh.sys
R2 lxcy_device;lxcy_device;C:\WINDOWS\System32\lxcycoms.exe -service
S3 480bd693-36ea-41f2-96ae-c13e3d2f8d83;480bd693-36ea-41f2-96ae-c13e3d2f8d83;\??\D:\CDS300\cds300.dll
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2003-02-03 18:55:47 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 20:08:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???gp]??V??gp]??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp????X??????????????????>?w0 ?w????3??w???g?U?????????g?????CY????????gr]??2???????????<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 20:09:03
C:\ComboFix2.txt ... 2007-11-18 18:10
.
      --- E O F --
0
 

Author Comment

by:ILSI
ID: 20403088
Can anyone assist with the latest ComboFix results? Thanks.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20418084
Sorry for late reply.

The Toolbar folder is still there.

Open notepad and copy/paste the text inside the lines below into it
------------------------------------------------------------------------------------------------
File::
c:\progra~1\toolbar
C:\PROGRA~1\COMMON~1\WinTools

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTUPGD"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
-------------------------------------------------------------------------------------------------  
Save this as CFScript in the same location as ComboFix.exe.
Drag CFScript onto ComboFix.exe.

This will start ComboFix again. Follow the prompts. After reboot (in case it asks to reboot), attach the contents of ComboFix.txt in your next reply together with a new HijackThis log.
0
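One way to check that a CFScript like the one above actually achieved what it declared, added here as an example and not part of the thread, of ComboFix or of any of the tools mentioned: it parses the File::/Registry:: script and the "Reg Loading Points" section of a fresh ComboFix log, then reports every target that is still there (the Toolbar and WinTools folders showing up in load points, the CTUPGD run value, the msconfig startupreg keys). The script and the two log excerpts below are constructed from entries posted in this thread and cut down; the parser assumes only the registry section of the log is passed in and recognizes only the line shapes seen in these logs.

```python
import re
from typing import Dict, List, Set

# Line shapes shared by a CFScript and the "Reg Loading Points" section of a ComboFix log.
KEY_HEADER = re.compile(r"^\s*\[(-?)([^\]]+)\]\s*$")          # [KEY] or [-KEY]
NAMED_VALUE = re.compile(r'^\s*"([^"]+)"\s*=\s*"?([^"\[]*)')   # "Name"="path" [date size]  or  "Name"=-
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*")                      # first drive-letter path on a line


def parse_cfscript(text: str) -> Dict[str, Set]:
    """Collect what a CFScript declares for removal (lower-cased; Windows paths and
    registry names are case-insensitive): File:: paths, [-KEY] deletions, "Name"=- deletions."""
    targets: Dict[str, Set] = {"files": set(), "keys": set(), "values": set()}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                  # File:: / Registry:: section marker
            section = line[:-2].lower()
        elif section == "file":
            targets["files"].add(line.lower())
        elif section == "registry":
            header = KEY_HEADER.match(line)
            if header and header.group(1):       # [-KEY]: delete the whole key
                targets["keys"].add(header.group(2).lower())
                current_key = None
            elif header:                         # [KEY]: following "Name"=- lines refer to it
                current_key = header.group(2).lower()
            else:
                value = NAMED_VALUE.match(line)
                if value and value.group(2).strip() == "-" and current_key:
                    targets["values"].add((current_key, value.group(1).lower()))
    return targets


def parse_combofix_registry(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [KEY] in a ComboFix registry dump to its values. Named values keep their
    name; the unnamed path lines under msconfig\\startupreg keys are stored as '(default)'."""
    reg: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        header = KEY_HEADER.match(raw)
        if header:
            key = header.group(2).lower()
            reg.setdefault(key, {})
        elif key is not None and raw.strip():    # skip REGEDIT4 / *Note* lines before the first key
            value = NAMED_VALUE.match(raw)
            if value:
                reg[key][value.group(1).lower()] = value.group(2).strip().lower()
            else:
                path = DRIVE_PATH.search(raw)    # "date size attrs C:\path" -> keep the path only
                if path:
                    reg[key]["(default)"] = path.group(0).strip().lower()
    return reg


def leftovers(cfscript: str, combofix_reg: str) -> List[str]:
    """List every CFScript target still visible in a fresh registry dump. Folder deletion
    itself needs a directory listing, but any load point still inside a target folder is reported."""
    targets, reg = parse_cfscript(cfscript), parse_combofix_registry(combofix_reg)
    found: List[str] = []
    for key in sorted(targets["keys"]):
        if key in reg:
            found.append(f"key still present: [{key}]")
    for key, name in sorted(targets["values"]):
        if name in reg.get(key, {}):
            found.append(f'value still present: [{key}] "{name}"')
    for key, values in reg.items():
        for name, path in values.items():
            for folder in sorted(targets["files"]):
                if path.startswith(folder.rstrip("\\") + "\\"):
                    found.append(f"load point inside {folder}: [{key}] {name} -> {path}")
    return found


# Constructed sample input, cut down from the logs in this thread: the CFScript posted
# above, a registry dump from before it ran, and a dump from after a successful run.
CFSCRIPT = r"""File::
c:\progra~1\toolbar
C:\PROGRA~1\COMMON~1\WinTools

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTUPGD"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
"""
BEFORE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 21:00]
"CTUPGD"="c:\progra~1\toolbar\ct5upd1.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
                  C:\WINDOWS\sysupd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
                  C:\PROGRA~1\Toolbar\TBPS.exe
"""
AFTER = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 21:00 67184]
"""

if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        report = leftovers(CFSCRIPT, dump)
        print(f"{label}: {len(report)} leftover(s)", *report, sep="\n  ")
```

Run it against the registry section of the ComboFix log produced after the script. An empty report covers the registry side; the two folders still need a look in Explorer, since a folder with no load point pointing into it leaves no trace in the log. A target that was never present (WinTools in the sample "before" dump) is correctly not reported.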
 

Author Comment

by:ILSI
ID: 20419598
Thanks. I will give this a try.
0
 

Author Comment

by:ILSI
ID: 20537623
I am still interested in this solution. I have yet to try the latest comment by rpggamergirl.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20540284
Hi,
It was Dec. 6 when I posted the CFScript; bad files can have changed by then, and maybe more have been created.
After running the CFScript, can you please show us a fresh HijackThis and ComboFix log?

Have a Happy New Year!

0
 

Author Comment

by:ILSI
ID: 20643638
Here are the latest ComboFix and HJT logs.

ComboFix 08-01-11.3 - Natasha 2008-01-12  7:50:36.3 - NTFSx86
Running from: C:\Documents and Settings\Natasha\Desktop\Kareem\ComboFix.exe
Command switches used :: C:\Documents and Settings\Natasha\Desktop\Kareem\CFScript.txt
 * Created a new restore point

FILE
C:\PROGRA~1\COMMON~1\WinTools
c:\progra~1\toolbar
.

(((((((((((((((((((((((((   Files Created from 2007-12-12 to 2008-01-12  )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 18:36      ---------      d-----w      C:\Program Files\Symantec AntiVirus
2007-11-24 21:17      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-19 02:36      ---------      d-----w      C:\Program Files\Lavasoft
2007-11-19 02:36      ---------      d-----w      C:\Documents and Settings\Natasha\Application Data\Lavasoft
2007-11-19 01:45      ---------      d-----w      C:\Program Files\SUPERAntiSpyware
2007-11-19 01:43      ---------      d-----w      C:\Documents and Settings\Natasha\Application Data\SUPERAntiSpyware.com
2007-11-19 01:43      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-19 01:42      ---------      d-----w      C:\Program Files\Common Files\Wise Installation Wizard
2006-10-20 20:49      194,376      ----a-w      C:\Documents and Settings\Natasha\Application Data\shb.dat
2004-09-30 20:43      56,952      ----a-w      C:\Documents and Settings\Natasha\Application Data\GDIPFONTCACHEV1.DAT
2004-07-15 13:13      59,992      ----a-w      C:\Program Files\msnaddin.exe
2004-06-13 19:40      449      ----a-w      C:\Documents and Settings\Natasha\UpdateReg.reg
.

(((((((((((((((((((((((((((((   snapshot@2007-12-02_20.08.22.76   )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 13:00:00      163,328      ----a-w      C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-12 12:50:12      229,376      ----a-w      C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 12:50:12      8,192      ----a-w      C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 12:50:12      229,376      ----a-w      C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 12:50:13      8,192      ----a-w      C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 12:50:13      3,346,432      ----a-w      C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-12 12:50:13      172,032      ----a-w      C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-06-17 05:11:58      51,200      ----a-w      C:\WINDOWS\NirCmd.exe
+ 2000-08-31 13:00:00      51,200      ----a-w      C:\WINDOWS\NirCmd.exe
+ 2008-01-03 21:16:40      21,584      ----a-w      C:\WINDOWS\SoftwareDistribution\EventCache\{2CBE615A-5C28-4459-AEB6-5929729BD45B}.bin
+ 2008-01-11 18:41:09      21,584      ----a-w      C:\WINDOWS\SoftwareDistribution\EventCache\{62D483B6-E9B6-4D68-97AF-0725008A7211}.bin
+ 2007-12-30 14:15:55      21,584      ----a-w      C:\WINDOWS\SoftwareDistribution\EventCache\{7D38CC96-63B9-47B5-B4E4-EC19C742E2FE}.bin
+ 2007-12-30 01:41:41      3,922      ----a-w      C:\WINDOWS\SoftwareDistribution\EventCache\{80093691-9DF7-4E60-90C8-73F6C285D3E7}.bin
+ 2007-12-25 21:33:12      4,944      ----a-w      C:\WINDOWS\SoftwareDistribution\EventCache\{C1AE06DA-484D-4481-BAFD-A485780F23E7}.bin
+ 2007-12-25 21:30:55      11,456      ----a-w      C:\WINDOWS\SoftwareDistribution\EventCache\{F38EE7C6-04A5-40E8-9DD8-21FA158166B1}.bin
- 2007-12-03 01:05:55      262,144      ----a-w      C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
+ 2008-01-12 12:50:29      262,144      ----a-w      C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
- 2007-07-22 23:39:27      279,552      ----a-w      C:\WINDOWS\SYSTEM32\swreg.exe
+ 2000-08-31 13:00:00      156,160      ----a-w      C:\WINDOWS\SYSTEM32\swreg.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4224FF33-C2EB-4039-B8C8-6EED565B9D96}]
2006-10-17 12:38      225752      --a------      C:\Program Files\NetZero DSL\PopupBlocker.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467}
{F5735C15-1FB2-41FE-BA12-242757E69DDE}
{8E613EAF-E16E-415C-BD39-F71D6A3B5518}

[HKEY_CLASSES_ROOT\clsid\{8e613eaf-e16e-415c-bd39-f71d6a3b5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib\{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" [2006-07-11 01:00 311362]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 14:45 1663248]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 18:29 90112]
"NetZeroDSL"="C:\Program Files\NetZero DSL\ConnectionCenter.exe" [2006-10-16 13:08 325080]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 21:00 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 12:50 120640]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-29 07:50 185896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-03-17 13:00:25]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Desktop Firewall Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Desktop Firewall Tray.lnk
backup=C:\WINDOWS\pss\McAfee Desktop Firewall Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 17:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2002-05-16 19:36 65536 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 02:01 135264 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvdfont]
C:\WINDOWS\security\LOGS\dvdfont.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
-ra------ 2002-08-14 19:22 28672 C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Net]
C:\WINDOWS\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-12-20 20:54 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
--a------ 2002-10-14 15:09 57344 C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2003-09-10 02:11 135251 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 14:45 1663248 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
--a------ 2005-11-10 19:57 776704 C:\Program Files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-27 21:51 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-05-29 07:50 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
--a------ 2006-07-11 01:00 311362 C:\Program Files\NZSearch\nzspc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

R1 sdcplh;sdcplh;C:\WINDOWS\System32\drivers\sdcplh.sys [2005-09-13 15:33]
R2 lxcy_device;lxcy_device;C:\WINDOWS\System32\lxcycoms.exe [2007-06-20 05:28]
S3 480bd693-36ea-41f2-96ae-c13e3d2f8d83;480bd693-36ea-41f2-96ae-c13e3d2f8d83;D:\CDS300\cds300.dll []
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 12:30]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 12:29]

.
Contents of the 'Scheduled Tasks' folder
"2003-02-03 18:55:47 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 07:53:45
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g????V??g????SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp????X??????????????????>?w0 ?w????3??w???g???????????g?????CY????????g????2???????t???<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12  7:55:04
ComboFix2.txt  2007-12-03 01:09:06
ComboFix3.txt  2007-11-18 23:10:09

--------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:57:22 AM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Natasha\Desktop\Kareem\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Pop-up Blocker - {4224FF33-C2EB-4039-B8C8-6EED565B9D96} - C:\Program Files\NetZero DSL\PopupBlocker.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.mcg-sms02
O15 - Trusted Zone: *.mcg-sms03
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device -   - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


0
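The log above is the usual HijackThis layout: a list of running processes, then coded entries (O2 browser helper objects, O4 autoruns, O15 trusted-zone overrides, O23 services). The experts in this thread read it by eye; the Python below is an added example, not code from this thread or from HijackThis, that mechanizes that first pass. It parses the line types shown, pulls the module path off each, and flags what a reviewer would check first: executables outside Windows and Program Files, services with an empty vendor field (as with lxcy_device above), and Trusted Zone entries. The sample lines are constructed in the log's format, with two invented entries under a user profile so the triage has something to flag; the trusted-root list and flag names are my assumptions, and a hit means "look closer", not "this is malware".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the HijackThis log above: a few lines
# copied from it plus two invented entries (alternativ.exe on the Desktop,
# svchost.exe in Application Data) placed under a user profile.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\user\Desktop\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Application Data\svchost.exe
O15 - Trusted Zone: *.mcg-sms02
O23 - Service: lxcy_device -   - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O4 - ..." style prefix carried by every HijackThis entry line.
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# First module path on a line, quoted or not; stops at the extension so that
# trailing arguments such as ' -w' or '/background' are not swallowed.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|ocx|scr|sys|cpl))(?=["\s]|$)',
                     re.IGNORECASE)
# O23 layout: "Service: <display name> - <vendor> - <path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.*)$")
# Directories where installed binaries are expected (assumption for this
# example; the 8.3 form PROGRA~1 appears in the log, so it is included).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    kind: str            # "process" for the running-process list, else the HJT code (O4, O23, ...)
    body: str            # line text without the "Oxx - " prefix
    path: Optional[str]  # first module path found on the line, if any


def parse_hjt_log(text: str) -> List[Entry]:
    """Turn a HijackThis log into Entry records; headings and blanks are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, body = m.group(1), m.group(2)
        elif re.match(r"^[A-Za-z]:\\", line):
            kind, body = "process", line
        else:
            continue  # e.g. "Running processes:"
        pm = PATH_RE.search(body)
        entries.append(Entry(kind, body, pm.group(1) if pm else None))
    return entries


def in_trusted_root(path: str) -> bool:
    """True when the path sits under one of TRUSTED_ROOTS (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs a reviewer should verify first."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.path and not in_trusted_root(e.path):
            findings.append(("executable outside Windows/Program Files", e.body))
        if e.kind == "O23":
            sm = SERVICE_RE.match(e.body)
            if sm and not sm.group("vendor").strip():
                findings.append(("service with no vendor name", e.body))
        if e.kind == "O15":
            findings.append(("Trusted Zone override", e.body))
    return findings


if __name__ == "__main__":
    for reason, line in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"[{reason}] {line}")
```

Run on the sample it reports four lines: the two invented user-profile executables, the Trusted Zone entry and the vendor-less lxcy_device service; everything under Windows or Program Files with a named vendor passes silently, which is the same cut the experts make before asking for a CFScript.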
 

Author Comment

by:ILSI
ID: 20653569
Anything in the latest reports that I can fix? Thanks.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20703071
Sorry, I've been away with no internet access (but the other experts here should've helped you).

I noticed your Combofix is an older version.

Some bad reg entries are still showing, though not sure if the files are still present or not (we'll include them in the CFScript anyway).

Open notepad and copy/paste ALL the text inside the lines below into it (including the colons "::")
--------------------------------------------------------------
File::
C:\WINDOWS\winlogon.exe
C:\WINDOWS\sysupd.exe

Folder::
C:\PROGRA~1\Toolbar
C:\PROGRA~1\COMMON~1\WinTools

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTUPGD"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Net]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts.
0
 

Author Comment

by:ILSI
ID: 20703586
Thanks, I am out of the country too and cannot gain access to the Pc, but will try the above solution!
0
 

Author Comment

by:ILSI
ID: 20866395
I am still working on this issue please keep this question open. Thanks.
0
 

Author Comment

by:ILSI
ID: 21001377
I know it has been a while, but I have attached the latest HJT file. I tried d/l an updated version of combofix, but I kept getting an error message that it was expired. Is it really worth all of this troubleshooting or should I wipe the drive clean and reinstall Windows?


hijackthis.log
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21002994
http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe
Renamed combofix above; have you tried it?
Hijackthis log is not showing any obvious nasties.


>>>Is it really worth all of this troubleshooting or should I wipe the drive clean and reinstall Windows?<<<
I understand how you feel; a lot of people would just reformat and reinstall Windows because of the tedious job of troubleshooting what and which one is the culprit.
Yeah, this thread has been going a while now. I can understand if you wipe the hard drive and start again; that might be quicker.
0
 

Author Comment

by:ILSI
ID: 21003744
Thanks rpggamergirl. I noticed the latest combofix came with more stern warnings of its use and that "1/100 computers fail" or something along those lines. Should I still go ahead and run Combofix? Also, if HJT is not picking up any malware on the computer, would it be safe to install SP2? I am still having issues installing software and I have noticed I could not drag a file from a USB drive to the local drive. I have to cut/paste the file - weird!!
0
 

Author Comment

by:ILSI
ID: 21011043
I attached the latest ComboFix.
ComboFix.txt
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 150 total points
ID: 21011770
Yeah, because Combofix is a very powerful tool it will say so in its Disclaimer.

Run this CFScript below please.
Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\winlogon.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Net]

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts.



I would also suggest running an online scan with Kaspersky; it won't remove any viruses, but the log will be useful to us.
Using Internet Explorer, run Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

* Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky. Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.

0
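Both CFScripts in this thread (this one and the longer one posted earlier) use the same three sections: File::, Folder:: and Registry::. Before dragging a script onto ComboFix it is worth knowing exactly what it will remove, so here is an added example, not the thread's or ComboFix's own code, that reads a CFScript and lists the planned actions, then cross-checks each File:: entry against a small table of core Windows binaries and the directories they normally live in. The table is my assumption and covers only the names listed; I also assume the Registry:: section follows .reg-file conventions, `[-KEY]` to delete a key and `"Name"=-` to delete a value, which is how both scripts above are written. Sections other than the three used here are reported as unsupported rather than guessed at. The embedded input is the earlier CFScript from this thread, reused here as constructed sample data. Note what the check says about its first line: the real winlogon.exe lives in System32, so a copy directly under C:\WINDOWS is the kind of impostor a reviewer should confirm before (or after) deleting.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed input: the earlier CFScript from this thread, minus two of its
# registry lines, so the parser has every line type to exercise.
SCRIPT = r"""
File::
C:\WINDOWS\winlogon.exe
C:\WINDOWS\sysupd.exe

Folder::
C:\PROGRA~1\Toolbar
C:\PROGRA~1\COMMON~1\WinTools

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTUPGD"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Net]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
"""

SECTION_RE = re.compile(r"^(\w+)::$")                 # File::  Folder::  Registry::
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")       # [KEY] selects, [-KEY] deletes
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')            # "Name"=-  deletes a value

# Assumed table for this example: core Windows binaries and their normal home.
CORE_BINARIES = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass
class Action:
    kind: str         # delete_file, delete_folder, delete_key, delete_value, set_value, unsupported
    target: str       # file, folder or registry key
    detail: str = ""  # value name, or section name for unsupported lines


def plan_cfscript(text: str) -> List[Action]:
    """Dry run: translate a CFScript into the list of actions it asks for."""
    actions: List[Action] = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group(1).lower()
            current_key = None
            continue
        if section == "file":
            actions.append(Action("delete_file", line))
        elif section == "folder":
            actions.append(Action("delete_folder", line))
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                if km.group(1) == "-":
                    actions.append(Action("delete_key", km.group(2)))
                    current_key = None
                else:
                    current_key = km.group(2)
                continue
            vm = VALUE_RE.match(line)
            if vm and current_key:
                name, data = vm.groups()
                if data == "-":
                    actions.append(Action("delete_value", current_key, name))
                else:
                    actions.append(Action("set_value", current_key, f"{name}={data}"))
        else:
            actions.append(Action("unsupported", line, section or ""))
    return actions


def review(actions: List[Action]) -> List[str]:
    """Warn when a File:: entry carries the name of a core Windows binary."""
    notes: List[str] = []
    for a in actions:
        if a.kind != "delete_file":
            continue
        directory, _, name = a.target.lower().rpartition("\\")
        expected = CORE_BINARIES.get(name)
        if expected is None:
            continue
        if directory == expected:
            notes.append(f"{a.target}: this is the system copy; do not delete")
        else:
            notes.append(f"{a.target}: core-binary name outside {expected}; likely an impostor, verify")
    return notes


if __name__ == "__main__":
    plan = plan_cfscript(SCRIPT)
    for a in plan:
        print(a.kind, a.target, a.detail)
    for note in review(plan):
        print("WARNING:", note)
```

On the sample the plan is two file deletions, two folder deletions, one value deletion under the HKLM Run key and two key deletions, and the review step raises exactly one warning, for C:\WINDOWS\winlogon.exe sitting outside System32.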
 

Author Comment

by:ILSI
ID: 21013846
I will give this a try later tonight/tomorrow. It appears that much of the nasty stuff has disappeared as you have mentioned. The biggest problem still remains software not being able to install. I am convinced the Windows installer is part of the problem and perhaps I may need to do a repair of XP.

This is definitely dragging on longer than I had anticipated (mainly b/c I don't have ready access to the PC). I do appreciate you (and others) helping me out as much as you can. If all else fails I may have to do a clean install, something I truly wanted to avoid.
0
 

Author Comment

by:ILSI
ID: 21019413
Latest ComboFix.
ComboFix.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21021794
Actually that is the same combofix log that you posted here --> {http:#21011043}

Yeah, Windows installer could be the culprit here, possibly.
0
 

Author Comment

by:ILSI
ID: 21033858
The problem is solved (well not exactly the way I wanted). I ended up installing XP SP2 on another disk and used the original as a secondary. I really wanted to find the solution to this problem, but the effort was far outweighing the benefits imo.

I must thank rpggamergirl for sticking with me and this question till the end and have to give her the majority of the points.
0
