Cojo1 asked:
HELP!! Blank Blue screen when booting up and constant pop-ups
I've got some kind of spyware/adware infecting my PC. When I boot up it just shows a completely blank blue screen and then after a while I get a pop-up stating my system is infected, etc... and then a pop-up for AntiSpySpider. There is a link in the first pop-up that claims to update the Windows Security Center, so I clicked on it since the PC is not currently connected to a network or the internet. It brought me to an Internet Explorer window and I used that to go to C:\windows and run Explorer.exe. Now my system is booted up but I am constantly getting pop-ups. Here is the HijackThis logfile. Can anyone help?
 Cojo
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:44 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ISS\RSDP\blackd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRAM FILES\DRU\bin\DRUService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\444.0
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\portsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rcmdsvc.exe
C:\Program Files\Radmin\r_server.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\snmpdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IBM\Tivoli\Remote Control\Target\trc_base.exe
C:\Program Files\Serena\ChangeMan\DS\Client\vcs_nt_service.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IBM\Tivoli\Remote Control\Target\trc_gui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\progra~1\FileNET\IDM\fnsysmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\cscript.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\zz\ZenMediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\_taft\mg\Microsoft Money\System\mnyexpr.exe
C:\Documents and Settings\tl1272\Application Data\Microsoft\dtsc\11189.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\COMMON~1\CROSOF~1.NET\attrib.exe
C:\Program Files\QdrModule\QdrModule17.exe
C:\WINDOWS\?racle\m?hta.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Documents and Settings\tl1272\Application Data\Microsoft\dtsc\11189.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.sbc.com/autoproxy.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Utils\RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {A664BB3E-738C-5A55-FF38-78A2E5EA42E1} - C:\WINDOWS\system32\hvrx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Utils\RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [0FileNET System Manager] c:\progra~1\FileNET\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VPN_MTU] "C:\Program Files\cisco systems\vpn client\setmtu.exe" /s 1200
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SBCAssess] "C:\Program Files\Compapps\SBCAssess\SBCAssess.exe" 5
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe /PATCH,/SRCUPDATEC:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRPSO~1\MOTORO~1\LIVEUP~1\LISTOF~1.DAT
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\WINDOWS\zz\ZenMediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\_taft\mg\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\tl1272\Application Data\Microsoft\dtsc\11189.exe
O4 - HKCU\..\Run: [Eusn] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O4 - HKCU\..\Run: [Tbaxhfom] C:\WINDOWS\?racle\m?hta.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: Q Team-Link Messenger.lnk = C:\Program Files\Q Team-Link Messenger\jre1.5.0_09\bin\javaw.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Utils\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Utils\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with BitPump - C:\WINDOWS\zz\AnalogX\BitPump\ieint.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Utils\RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Utils\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Utils\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Utils\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Utils\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Utils\RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Utils\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Utils\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://myintranet.sbc.com
O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - http://chpwire2.sbc.com:8000/jinitiator/oajinit11814.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://quality-center.sbc.com/qcbin/Spider90.ocx
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - http://cid-59243c76f68bf954.skydrive.live.com/Microsoft.Live.Folders.RichUpload.cab
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://chdcfas2.sbc.com:8891/jinitiator/oajinit.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-t20-pso-attdevel2/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ait.itservices.sbc.com
O17 - HKLM\Software\..\Telephony: DomainName = ait.itservices.sbc.com
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\RSDP\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DRUAgent - AT&T - C:\PROGRAM FILES\DRU\bin\DRUService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ORACLE\ORA92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\ORACLE\ORA92\BIN\ONRSD.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\RSDP\RapApp.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Program Files\Radmin\r_server.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
O23 - Service: snmpdm - Unknown owner - C:\WINDOWS\system32\snmpdm.exe
O23 - Service: IBM Tivoli Remote Control - Target (TRCTARGET) - Unknown owner - C:\Program Files\IBM\Tivoli\Remote Control\Target\trc_base.exe
O23 - Service: VCS NT Service (VCS_Service) - Unknown owner - C:\Program Files\Serena\ChangeMan\DS\Client\vcs_nt_service.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 19642 bytes
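To make a log like the one above easier to work through, here is an added Python triage script (example code written for this thread, not from the original post and not part of HijackThis). It parses the Rn/Fn/On entry lines and flags the patterns a helper scans for first: a start or search page set to a local file, an F2 UserInit chain that runs more than one program, O2 BHOs whose DLL is absent, O4 autoruns launched from Application Data or whose path contains '?' placeholder characters, O6/O7 policy restrictions, O20 Winlogon Notify DLLs, and O23 services with no vendor in their version info plus a missing or bare %WINDIR% binary. SAMPLE_LOG is constructed from entries in the posted log; the heuristics, the SUSPECT_PATH_RE pattern and the reason texts are this example's own assumptions, and a hit means "look closer", not a verdict.

```python
"""Triage a Trend Micro HijackThis v2 log for the entry types helpers check first.

Added example for this thread: not from the original post and not part of
HijackThis. It parses the 'Rn/Fn/On - ' entry lines and applies heuristics that
mirror what an experienced helper looks for by eye. SAMPLE_LOG is constructed
from lines in the posted log; the rules and the suspect-location pattern are this
example's own assumptions, not HijackThis output.
"""
import re
from dataclasses import dataclass

# Every HijackThis finding line starts with a section code, then ' - '.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# Assumption: autoruns under a user's Application Data, or an .exe sitting
# directly in the Windows directory, deserve a second look.
SUSPECT_PATH_RE = re.compile(r"\\Application Data\\|^C:\\WINDOWS\\[^\\]+$", re.IGNORECASE)

# Constructed sample: a subset of entries copied from the posted log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\tl1272\Application Data\Microsoft\dtsc\11189.exe
O4 - HKCU\..\Run: [Tbaxhfom] C:\WINDOWS\?racle\m?hta.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: IBM Tivoli Remote Control - Target (TRCTARGET) - Unknown owner - C:\Program Files\IBM\Tivoli\Remote Control\Target\trc_base.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body) for each HijackThis entry line; other lines are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def autorun_target(body):
    """Program launched by an O4 body: '[Name] "C:\\x.exe" /arg' -> 'C:\\x.exe'."""
    rest = body.split("] ", 1)[-1]
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", rest, re.IGNORECASE)  # unquoted path may contain spaces
    return m.group(1) if m else rest


def userinit_programs(body):
    """Programs in an F2 UserInit= chain; a clean XP box lists only userinit.exe."""
    chain = body.split("UserInit=", 1)[1] if "UserInit=" in body else ""
    return [p.strip() for p in chain.split(",") if p.strip()]


def triage(text):
    """Return a Finding for every entry that matches one of the heuristics."""
    findings = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        hit = None
        if section in ("R0", "R1") and "= file://" in body.lower():
            hit = "IE start/search page points at a local file"
        elif section == "F2":
            progs = userinit_programs(body)
            if len(progs) > 1:
                hit = f"UserInit chain launches {len(progs)} programs at logon, expected 1"
        elif section == "O2" and body.endswith(("(no file)", "(file missing)")):
            hit = "BHO is registered but its DLL is absent from disk"
        elif section == "O4":
            target = autorun_target(body)
            if "?" in target:
                hit = "autorun path contains an unprintable or lookalike character"
            elif SUSPECT_PATH_RE.search(target):
                hit = "autorun launches from a user profile or bare %WINDIR% path"
        elif section in ("O6", "O7"):
            hit = "HKCU policy restriction on IE/regedit; confirm it came from your admins"
        elif section == "O20":
            hit = "Winlogon Notify DLL loads into winlogon.exe; verify the vendor"
        elif section == "O21" and "(file missing)" in body:
            hit = "ShellServiceObjectDelayLoad entry whose DLL is absent"
        elif section == "O23":
            parts = body.rsplit(" - ", 2)  # 'Service: name - owner - path'
            if len(parts) == 3:
                _, owner, path = parts
                if owner == "Unknown owner" and (
                    path.endswith("(file missing)") or SUSPECT_PATH_RE.search(path)
                ):
                    hit = "service with no vendor info and a missing or bare %WINDIR% binary"
        if hit:
            findings.append(Finding(section, hit, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The point of the O23 rule is the combination: "Unknown owner" alone is common for in-house or niche software (several legitimate services in the log above have it), so it is only paired with a binary that is missing or sits directly in C:\WINDOWS.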
O23 - Service: VCS NT Service (VCS_Service) - Unknown owner - C:\Program Files\Serena\ChangeMan\DS\
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\W
--
End of file - 19642 bytes
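The expert's advice below is to identify each unfamiliar executable by hand. As an added example (not part of the thread and not a HijackThis feature), the script below parses the O23 service lines of a HijackThis log and flags the properties a reviewer would check first: no publisher recorded ("Unknown owner"), a binary that no longer exists, a binary sitting directly in C:\WINDOWS rather than a subfolder, version-like digits in the name, and a display name borrowed from a real Windows service. The sample lines are copied from the complete entries in the log above; entries whose paths were cut off in the post are left out. Note that "Unknown owner" alone is a weak signal, as the Radmin entry shows (the asker later confirms it is their own remote-access tool).

```python
"""Triage the O23 (service) entries of a HijackThis log for items worth a second look."""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 2.0.2 format. The complete lines are copied from
# the log above; entries whose paths were cut off in the post are left out.
SAMPLE_LOG = r"""
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\RSDP\blackd.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Program Files\Radmin\r_server.exe
"""

# Genuine Windows service display names that malware likes to borrow, mapped to the
# host process they really run in. Small starter table; extend as needed.
MIMICKED_NAMES = {"Plug and Play": "svchost.exe"}

O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
VERSION_LIKE_RE = re.compile(r"\d+\.\d+")


@dataclass
class ServiceEntry:
    display: str        # display name as shown in the Services console
    short: str          # service (key) name in parentheses, or display if absent
    company: str        # publisher string, "Unknown owner" when none is recorded
    path: str           # binary path, with "(file missing)" stripped
    file_missing: bool
    flags: list = field(default_factory=list)


def parse_o23(line):
    """Parse one 'O23 - Service: <display> (<short>) - <company> - <path>' line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, company, path = (p.strip() for p in parts)
    file_missing = path.endswith("(file missing)")
    if file_missing:
        path = path[: -len("(file missing)")].strip()
    sm = SHORT_NAME_RE.search(display)
    short = sm.group("short") if sm else display
    if sm:
        display = display[: sm.start()].strip()
    return ServiceEntry(display, short, company, path, file_missing)


def flag_entry(entry):
    """Return the list of reasons this service deserves manual verification."""
    flags = []
    if entry.company.lower() == "unknown owner":
        flags.append("no publisher recorded")
    if entry.file_missing:
        flags.append("service points at a file that no longer exists")
    if WINROOT_RE.match(entry.path):
        flags.append("binary sits directly in the Windows directory")
    file_name = entry.path.rsplit("\\", 1)[-1]
    if VERSION_LIKE_RE.search(entry.short) or VERSION_LIKE_RE.search(file_name):
        flags.append("version-like digits in service or file name")
    for name, host in MIMICKED_NAMES.items():
        if entry.display.startswith(name) and file_name.lower() != host:
            flags.append(f"display name mimics the Windows '{name}' service but does not run from {host}")
    return flags


def triage_log(text):
    """Parse every O23 line; return entries sorted by flag count, most suspicious first."""
    entries = []
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is not None:
            entry.flags = flag_entry(entry)
            entries.append(entry)
    entries.sort(key=lambda e: len(e.flags), reverse=True)
    return entries


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        marker = "!!" if e.flags else "ok"
        print(f"{marker} {e.short:<20} {e.path}")
        for f in e.flags:
            print(f"     - {f}")
```

Run against the sample, the two entries the thread later singles out (PlugPlayRPC running C:\WINDOWS\portsv.exe and the missing C:\WINDOWS\444.0.exe) come out on top with three and four flags; the McAfee and BlackICE services get none.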
Looks like you have a script file running C:\WINDOWS\System32\cscript.exe. Use Process Explorer and see what files are opened with that program. I would recommend closing all applications in your System Tray and doing an "End Task" on known programs, and avoid closing system files like svchosts and lsass. I would Google each .exe to identify what they are.
Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
ASKER
What do I do after identifying the files that the script is using?
ASKER
Oh, I forgot to mention that when I go to boot into SAFE mode, the system won't accept my password. I can log in with my password fine in normal mode. Any ideas on how to get around that? Cojo
Don't think we can get "around" anything here. Just clean it up and hope for the best. Sometimes with systems this infected there is OS damage that cannot be repaired.
ASKER
Will it work without being in SAFE mode? When I run RunThis.bat, I only get a menu with the options to select "A, B, C, D, U,1,2,3,4 or E to Exit" I typed "Y" like your instructions and the window closed. Don't think it's doing anything. Should I be selecting another option or is it not working because I'm not in SAFE mode? By the way - Thanx for the help. Cojo
ASKER
I got around the problem. I am now able to login with SAFE mode. I created a new account. (Looks like my old account must have an old password stored with it.) Anyway, I can now run SDFIX in safe mode and will go thru your instructions above and post back when I'm done. - thx - cojo
ASKER
I ran the SDFIX and it completed and said it was going to reboot my system. It rebooted and is now stuck on the blank blue screen. It's like it's not starting Explorer.exe. Any ideas?
To start EXPLORER.EXE manually:
  1. Open Windows Task Manager. Press CTRL+SHIFT+ESC.
  2. On Windows Task Manager, Click File>New Task (Run..)
  3. In Create New Task, type %WinDir%\EXPLORER.EXE and click OK.
  4. Close Task Manager.
We may have to make a registry edit to bring back explorer on startup. Run combofix first though. Again....badly infected machine. You may want to consider a re-install if we continue to have issues here.
ASKER
Managed to get by it by logging in with the new account I created. For some reason I can't boot up with my main account (which I really need to). Here's the logs that I got after running both. I still need to be able to fix my main account to boot up right besides whatever this shows wrong.
SDFIX-log-first-run-6-09-08.txt.txt
combofix-log-6-9-08.txt
Can you post a new HijackThis log too? You say you cannot get into your main profile...why? What happens when you try?
Do you know of this program?
C:\Program Files\Radmin
Do you use a remote admin. or use remote access on this pc?
ASKER
Yes RADMIN is my remote access software. -- When I log into my main account, it only comes up to a blank blue screen (not the blue screen of death). I don't think it's running Explorer.exe. Also if I hit Ctrl-Alt-Del, the "Task Manager" button is grayed out. But only on the main account, not the new one I created. Weird! Attached is the new HijackThis file.
hijackthis.log
These scripts that are running...do you know what they are?
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=drustatus.vbe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=newhealth.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2057499049-1289676208-1959431660-70014\Scripts\Logon\0\0]
"Script"=LEDNIssueLogonScript.vbs
ASKER
I do not know what these are. Also, does it make a difference that this HijackThis script was not run under the user account that I'm having the problem with? Because I can't login to that account to do anything. It just stays on the blank blue screen. If I could get the Task Mgr ungrayed then I could start Explorer.exe and run it from that account.
Yes, it does matter where it's run from, and it would be nice if we could get into that account, but I'm not sure how we can at this point. I'm assuming (maybe wrongly) that this machine is part of a domain? In a work environment?
ASKER
UPDATE: OK, I am able to login now to the main account. I went into Documents and Settings and renamed the folder for my main account. When I logged in, it recreated it and logged me in fine. Weird, but it worked. Here's the HijackThis logfile from the account.
hijackthis.log
Great, good job. Not sure what you did though?
There is one entry I am pretty sure is bad, but haven't been able to find much info. on as it appears pretty new. We can use combofix to deal with it. You may need to download combofix into this profile as it was run earlier from another correct? If so do that and download to your desktop, then...
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------
File::
C:\WINDOWS\portsv.exe
Folder::
C:\WINDOWS\system32\2705
Driver::
PlugPlayRPC
------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please upload the following reports/logs.
-Combofix.txt
-A new HijackThis log
ASKER
Is that the right folder?
Folder::
C:\WINDOWS\system32\2705
I don't mean to question you but I just wanted to double check before I ran it. In the HJT log it shows the file being in C:\WINDOWS. the only file in this folder is ~@24771p.spt
It is from the combofix log and was created right at the same time the portsv.exe file was. Many times there are just randomly named folders created and this is probably one of them. It's probably harmless but....if you know it's OK then don't remove. There are quite a few things on this PC I don't recognize and that's why I asked about being on a domain and having many policies and restrictions in place.
ASKER
Nevermind, I misunderstood. I didn't realize that was cleaning up the folder. For some reason I thought that under the folder section, you were telling it where to find the file portsv.exe. My bad, sorry.
ASKER
Ok, ran that combofix and here's the log for it and another HJT log.
ASKER
OK how's it running now? You need to update your Java, older versions are vulnerable to malware.
ASKER
How do I update the Java?
Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.
Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
ASKER
Thank you very much for your help with this. You were right on the money with your solution. Sorry for all the questions. Keep up the great work!
Glad it worked out and you're welcome. Don't worry about asking questions, that's how we learn.
You should uninstall combofix...
Click START then Run...
Now type Combofix /u in the runbox  and click OK.  Note the space between the X and the U, it needs to be there.
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.