
BHO's, DLL's, and no HJT log - OH MY!

09-04-2007, 10:09 PM
Elzeothis
Junior Member (New Recruit)
Join Date: Dec 2004
Posts: 41

My dearest and most wonderful, helpful people at D-A-L:

Well, today's been a fortunate day for me; apparently last night someone downloaded and installed something that is slamming my system with repeated queries to load BHO DLLs into my system.

Fortunately, I have the TeaTimer on, which is declining their requests, but the repeated queries from my SpywareGuard to allow the changes are getting frustrating.

So, of course, I turn to you guys!

Now, just for clarification:
I ran an AVG scan last night and quarantined a few trojans from temp directories.
I ran Adaware this morning and fixed about 45 objects (following the advanced settings from the stickied threads).
I used HJT to unload the weird DLL loads in my system startup.
I tried to use pocket killbox to have the bad files removed with a reboot.

Unfortunately, when I tried to use killbox to remove the two DLLs that are trying to load as BHOs, it said that the changes were aborted by currently running processes - and this was in completely, utterly safe mode (no networking, etc.)!

Also problematic is the fact that, for whatever reason, HJT will NOT let me save or view a logfile from its scan! I even re-downloaded and reinstalled it into C:/Program Files/HijackThis - and now, after another reboot into safe mode, the logger function has been disabled!

Now - one of the BHOs is for WinAntiVirusPro 2007; however, I don't have the program installed and I am fairly certain the hijacking DLLs are just trying to make me do so - but my system is locked up fairly tightly. I guess that is just why this is so frustrating!

If anyone has any advice or suggestions, I would very much appreciate any and all help I can get!

The DLL files causing the BHO issues are ddcyv.dll and tuvvtsp.dll; I also have a startup list from HijackThis which DID load successfully, which I will be attaching.

Any other thoughts, suggestions, requests, etc. would be very, VERY much welcome!

Thankees kindly!
~Mai



StartupList report, 4/9/2007, 3:08:15 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Mayumi\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
SsAAD.exe = C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
nwiz = nwiz.exe /install
SystemTray = SysTray.Exe
RegistryMechanic =
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
updateMgr = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}]

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeup...tent/opuc2.cab

[{4F1E5B1A-2A80-42CA-8532-2D05CB959537}]

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]

[SimCityX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SimCityX.ocx
CODEBASE = http://simcity.ea.com/play/classic/SimCityX.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://fpdownload.macromedia.com/get...nt/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Logitech QuickCam VC USB: system32\DRIVERS\CxUSB.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver: System32\DRIVERS\DM9PCI5.SYS (manual start)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Firewall Driver: \SystemRoot\system32\drivers\fwdrv.sys (system)
Santa Cruz Game Port: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HCF_MSFT: System32\DRIVERS\HCF_MSFT.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Kerio HIPS Driver: \SystemRoot\system32\drivers\khips.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Kerio Personal Firewall 4: "C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe" (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
MSCSPTISRV: "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe" (manual start)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
PACSPTISVR: "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
StarForce Protection Environment Driver v5: \SystemRoot\System32\drivers\prodrv05.sys (system)
StarForce Protection Helper Driver v1: System32\drivers\prohlp01.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
Sony SPTI Service: "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SonicStage SCSI Service: C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (manual start)
Still Serial Digital Camera Driver: system32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{1FA75E93-B30B-4BF7-9A0D-F5118159BC1C} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Santa Cruz Driver: system32\drivers\tbcspud.sys (manual start)
Santa Cruz WDM Driver: system32\drivers\tbcwdm.sys (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing USN Journal Reader service: C:\WINDOWS\system32\svchost.exe -k usnsvc (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
vtdg46xx: \??\C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33,354 bytes
Report generated in 0.187 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  #2 (permalink)  
Old 10-04-2007, 02:38 AM
Elzeothis
Junior Member
Join Date: Dec 2004
Posts: 41
Re: BHO's, DLL's, and no HJT log - OH MY!

Ok - I think I found the problem, but I seriously can't believe that no one here has any suggestions or thoughts yet.



Dangit.

Well, I ran the Spybot S&D startup list and managed to actually log this one (every time I reboot my computer, HijackThis works less and less; clicking on different tools and options causes it to end abruptly or just ignore the commands I feed the program. Quite frankly, I am starting to feel rather helpless.)

For more information on what I am referring to, please read the last half dozen lines of the startup log to see what I mean.

Thanks for anyone who can come up with some ideas!

~Mai



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-07-07 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-04-04 Includes\Cookies.sbi
2006-12-08 Includes\Dialer.sbi
2007-04-04 Includes\Hijackers.sbi
2006-10-27 Includes\Keyloggers.sbi
2007-03-21 Includes\Malware.sbi
2007-04-04 Includes\Revision.sbi
2006-12-08 Includes\Security.sbi
2007-03-21 Includes\Spybots.sbi
2007-04-04 Includes\Trojans.sbi
2005-02-17 Includes\Tracks.uti
2007-03-21 Includes\PUPS.sbi
2007-04-04 Includes\TrojansC.sbi
2007-04-04 Includes\SpybotsC.sbi
2007-04-04 Includes\SecurityC.sbi
2007-04-04 Includes\PUPSC.sbi
2007-04-04 Includes\MalwareC.sbi
2007-04-04 Includes\KeyloggersC.sbi
2007-04-04 Includes\HijackersC.sbi
2007-04-04 Includes\DialerC.sbi
2004-11-29 Includes\LSP.sbi

Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 411648
MD5: 2a62570d13f14f49218ce7b03caa9cb2

Located: HK_LM:Run, LVCOMS
command: C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
file: C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
size: 102400
MD5: 0edbfe68b0c81ac51fc9040cdbf6d6df

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
file:

Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Microsoft Works\WkDetect.exe
file: C:\Program Files\Microsoft Works\WkDetect.exe
size: 28739
MD5: 3141750fad211c6dadf7c2dc2ec74da8

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 1519616
MD5: 66db459386d7bf62852b1bfa029fb887

Located: HK_LM:Run, SsAAD.exe
command: C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
file: C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
size: 81920
MD5: ed3c7da8ade49efc753fdddf18c8a53e

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
file: C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
size: 49263
MD5: 409c45da1cfbc3fc19eec7cbfe9b2786

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\system32\SysTray.Exe
size: 3072
MD5: 46e07fd3a40760fda18cf6b4fc691742

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: HK_CU:Run, updateMgr
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
file:

Located: HK_CU:Run, Aim6 (DISABLED)
command:
file:

Located: Startup (user), OCRAWARE.lnk
command: C:\OPLIMIT\OCRAWARE.EXE
file: C:\OPLIMIT\OCRAWARE.EXE
size: 51360
MD5: 861163b5561b34bd9a5c4cb5d9811891

Located: Startup (user), SpywareGuard.lnk
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87

Located: Startup (user), UMAX VistaAccess.lnk
command: C:\VSTASCAN\vsaccess.exe
file: C:\VSTASCAN\vsaccess.exe
size: 299008
MD5: a03488f4c3165b35185bb5a15a0d1384

Located: System.ini, ddcyv (DISABLED)
command: C:\WINDOWS\system32\ddcyv.dll
file: C:\WINDOWS\system32\ddcyv.dll
size: 280676
MD5: f103f4952601098f28b848bece29780c

Located: System.ini, tuvvtsp (DISABLED)
command: tuvvtsp.dll
file: tuvvtsp.dll

Located: System.ini, WgaLogon (DISABLED)
command:
file:

Located: System.ini, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ddcyv (DISABLED)
command: C:\WINDOWS\system32\ddcyv.dll
file: C:\WINDOWS\system32\ddcyv.dll
size: 280676
MD5: f103f4952601098f28b848bece29780c

Located: System.ini, ScCertProp (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, tuvvtsp (DISABLED)
command: tuvvtsp.dll
file: tuvvtsp.dll

Located: System.ini, WgaLogon (DISABLED)
command:
file:

Located: System.ini, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
  #3 (permalink)  
Old 10-04-2007, 03:56 AM
VopThis
Senior Member (Canada)
Join Date: Nov 2005
Posts: 3,439
Re: BHO's, DLL's, and no HJT log - OH MY!

Quote:
I seriously can't believe that no one here has any suggestions or thoughts yet
I saw your problem from the very first post. No need to keep posting until specific requests are made of you. I am a volunteer here (and currently the main responder, at this time) and my personal responsibilities have taken me away from my PC until now. Also be aware that the turnaround time on this site is very much more reliable and timely than on many other sites that you could go to.


Your issues seem to be particularly bad for the malware infection that seems to be currently in charge. Hopefully you can still download needed tools or onto another PC (and finally get one of them to run without interference).



Please download VundoFix.exe to your desktop. May be necessary and wise to rename this file - use any alternate name say: fix_vundo. You may have to try and run this in SAFE MODE (if necessary) - by rebooting and gently tapping the F8 key until a boot menu appears.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|


__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Quote:
SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)
Quote:
Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME ).
  #4 (permalink)  
Old 10-04-2007, 06:01 AM
Elzeothis
Junior Member
Join Date: Dec 2004
Posts: 41
Re: BHO's, DLL's, and no HJT log - OH MY!

Vincent -

I wasn't trying to imply anything and I apologize for saying and/or doing something that upset you or seemed hasty on my part towards the ever kind and gracious volunteer helpers here on D-A-L.

There's a reason I use D-A-L and not 'the other sites'; hence my posting here.

However, I did do enough research into my DLL problems to find the dozen other topics referring to this as a 'Vundo' problem; I have already installed and run VundoFix over two dozen times. Every time I reboot my computer (into safe mode) and rerun VundoFix (under the same user who had run it before), it says it finds the Vundo files, cannot delete them, but will delete them on reboot.

So, I reboot - again - and rerun Vundofix, and it still says it finds the files but cannot delete them and will delete them upon reboot.

Reboot, safe mode, log on, run vundofix, can't delete but will repair upon reboot, end without end, amen.

On the bleeping computer website I found a thread with advice on purging vundo, and it involves a program called virtumundobgone - which I also downloaded and ran after about an hour worth of trying with vundofix and over two dozen reboots of my PC.

Quite frankly, anything I did have before that may have been quarantined is probably now causing problems to complicate the matter, after so many reboots - and I am still no closer to finding a solution.

I've been working on this for over 24 hours and have reached a point of endless frustration.

So, here's what happened with virtumundoBgone: the program ran for two hours; hanging up all my processes and constantly working my hard drive. What the heck it was doing, I had no idea - until I manually shut down my computer with the power button and restarted into safe mode.

Here is what my VBG.txt (virtumundoBgone log) looks like... for 47 pages of notepad. (By the way, vundofix.exe, renamed as fix_vundo.exe still finds the vundo files, says it will delete them, then rescans and finds them again, making me reboot again, yadda yadda.)

[04/09/2007, 20:48:56] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mayumi\Desktop\VirtumundoBeGone.exe" )
[04/09/2007, 20:49:03] - Detected System Information:
[04/09/2007, 20:49:03] - Windows Version: 5.1.2600, Service Pack 2
[04/09/2007, 20:49:03] - Current Username: Mayumi (Admin)
[04/09/2007, 20:49:03] - Windows is in SAFE mode.
[04/09/2007, 20:49:03] - Searching for Browser Helper Objects:
[04/09/2007, 20:49:03] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - No filename found. Continuing.
[04/09/2007, 20:49:03] - BHO 2: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[04/09/2007, 20:49:03] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - No filename found. Continuing.
[04/09/2007, 20:49:03] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 20:49:03] - BHO 5: {7F5FFCB8-4838-43CD-80EA-A7EC9C744281} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - Checking for HKLM\...\Winlogon\Notify\tuvvtsp
[04/09/2007, 20:49:03] - Found: HKLM\...\Winlogon\Notify\tuvvtsp - This is probably Virtumundo.
[04/09/2007, 20:49:03] - Assigning {7F5FFCB8-4838-43CD-80EA-A7EC9C744281} MSEvents Object
[04/09/2007, 20:49:03] - BHO list has been changed! Starting over...
[04/09/2007, 20:49:03] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - No filename found. Continuing.
[04/09/2007, 20:49:03] - BHO 2: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[04/09/2007, 20:49:03] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - No filename found. Continuing.
[04/09/2007, 20:49:03] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 20:49:03] - BHO 5: {7F5FFCB8-4838-43CD-80EA-A7EC9C744281} (MSEvents Object)
[04/09/2007, 20:49:03] - ALERT: Found MSEvents Object!
[04/09/2007, 20:49:03] - BHO 6: {AB8BBFF2-E8EB-4550-BA12-0EC1B2467422} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - Checking for HKLM\...\Winlogon\Notify\ddcyv
[04/09/2007, 20:49:03] - Found: HKLM\...\Winlogon\Notify\ddcyv - This is probably Virtumundo.
[04/09/2007, 20:49:03] - Assigning {AB8BBFF2-E8EB-4550-BA12-0EC1B2467422} MSEvents Object
[04/09/2007, 20:49:03] - BHO list has been changed! Starting over...
[04/09/2007, 20:49:03] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - No filename found. Continuing.
[04/09/2007, 20:49:03] - BHO 2: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[04/09/2007, 20:49:03] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - No filename found. Continuing.
[04/09/2007, 20:49:03] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 20:49:03] - BHO 5: {7F5FFCB8-4838-43CD-80EA-A7EC9C744281} (MSEvents Object)
[04/09/2007, 20:49:03] - ALERT: Found MSEvents Object!
[04/09/2007, 20:49:03] - BHO 6: {AB8BBFF2-E8EB-4550-BA12-0EC1B2467422} (MSEvents Object)
[04/09/2007, 20:49:03] - ALERT: Found MSEvents Object!
[04/09/2007, 20:49:03] - Finished Searching Browser Helper Objects
[04/09/2007, 20:49:03] - *** Detected MSEvents Object
[04/09/2007, 20:49:03] - Trying to remove MSEvents Object...
[04/09/2007, 20:49:04] - Terminating Process: IEXPLORE.EXE
[04/09/2007, 20:49:05] - Terminating Process: RUNDLL32.EXE
[04/09/2007, 20:49:05] - Disabling Automatic Shell Restart
[04/09/2007, 20:49:05] - Terminating Process: EXPLORER.EXE
[04/09/2007, 20:49:05] - Suspending the NT Session Manager System Service
[04/09/2007, 20:49:05] - Terminating Windows NT Logon/Logoff Manager
[04/09/2007, 20:49:05] - Re-enabling Automatic Shell Restart
[04/09/2007, 20:49:05] - File to disable: C:\WINDOWS\system32\tuvvtsp.dll
[04/09/2007, 20:49:05] - Renaming C:\WINDOWS\system32\tuvvtsp.dll -> C:\WINDOWS\system32\tuvvtsp.dll.vir
[04/09/2007, 20:49:05] - ! File rename was unsucessful.
[04/09/2007, 20:49:05] - Attempting to Deny Access to C:\WINDOWS\system32\tuvvtsp.dll
[04/09/2007, 20:49:05] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[04/09/2007, 20:49:05] - processed file: C:\WINDOWS\system32\tuvvtsp.dll

[04/09/2007, 20:49:05] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[04/09/2007, 20:49:05] - Removing HKLM\...\Browser Helper Objects\{7F5FFCB8-4838-43CD-80EA-A7EC9C744281}
[04/09/2007, 20:49:05] - Removing HKCR\CLSID\{7F5FFCB8-4838-43CD-80EA-A7EC9C744281}
[04/09/2007, 20:49:06] - Adding Kill Bit for ActiveX for GUID: {7F5FFCB8-4838-43CD-80EA-A7EC9C744281}
[04/09/2007, 20:49:06] - Deleting ATLEvents/MSEvents Registry entries
[04/09/2007, 20:49:06] - Removing HKLM\...\Winlogon\Notify\tuvvtsp
[04/09/2007, 20:49:07] - Searching for Browser Helper Objects:
[04/09/2007, 20:49:07] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
[04/09/2007, 20:49:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:07] - No filename found. Continuing.
[04/09/2007, 20:49:07] - BHO 2: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[04/09/2007, 20:49:07] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 20:49:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:07] - No filename found. Continuing.
[04/09/2007, 20:49:07] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 20:49:07] - BHO 5: {AB8BBFF2-E8EB-4550-BA12-0EC1B2467422} (MSEvents Object)
[04/09/2007, 20:49:07] - ALERT: Found MSEvents Object!
[04/09/2007, 20:49:07] - Finished Searching Browser Helper Objects
[04/09/2007, 20:49:07] - *** Detected MSEvents Object
[04/09/2007, 20:49:07] - Trying to remove MSEvents Object...
[04/09/2007, 20:49:08] - Terminating Process: IEXPLORE.EXE
[04/09/2007, 20:49:08] - Terminating Process: RUNDLL32.EXE
[04/09/2007, 20:49:08] - Disabling Automatic Shell Restart
[04/09/2007, 20:49:08] - Terminating Process: EXPLORER.EXE
[04/09/2007, 20:49:08] - Suspending the NT Session Manager System Service
[04/09/2007, 20:49:08] - Terminating Windows NT Logon/Logoff Manager
[04/09/2007, 20:49:08] - Re-enabling Automatic Shell Restart
[04/09/2007, 20:49:08] - File to disable: C:\WINDOWS\system32\ddcyv.dll
[04/09/2007, 20:49:08] - Renaming C:\WINDOWS\system32\ddcyv.dll -> C:\WINDOWS\system32\ddcyv.dll.vir
[04/09/2007, 20:49:08] - ! File rename was unsucessful.
[04/09/2007, 20:49:08] - Attempting to Deny Access to C:\WINDOWS\system32\ddcyv.dll
[04/09/2007, 20:49:09] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[04/09/2007, 20:49:09] - processed file: C:\WINDOWS\system32\ddcyv.dll

(This goes on and on and on and on repeatedly in the logfile.)

[04/09/2007, 22:32:28] - *** Detected MSEvents Object
[04/09/2007, 22:32:28] - Trying to remove MSEvents Object...
[04/09/2007, 22:32:29] - Terminating Process: IEXPLORE.EXE
[04/09/2007, 22:32:29] - Terminating Process: RUNDLL32.EXE
[04/09/2007, 22:32:29] - Disabling Automatic Shell Restart
[04/09/2007, 22:32:29] - Terminating Process: EXPLORER.EXE
[04/09/2007, 22:32:29] - Suspending the NT Session Manager System Service
[04/09/2007, 22:32:29] - Terminating Windows NT Logon/Logoff Manager
[04/09/2007, 22:32:29] - Re-enabling Automatic Shell Restart
[04/09/2007, 22:32:29] - File to disable: C:\WINDOWS\system32\ddcyv.dll
[04/09/2007, 22:32:29] - Renaming C:\WINDOWS\system32\ddcyv.dll -> C:\WINDOWS\system32\ddcyv.dll.vir
[04/09/2007, 22:32:29] - ! File rename was unsucessful.
[04/09/2007, 22:32:29] - Attempting to Deny Access to C:\WINDOWS\system32\ddcyv.dll
[04/09/2007, 22:32:30] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[04/09/2007, 22:32:30] - processed file: C:\WINDOWS\system32\ddcyv.dll

[04/09/2007, 22:32:30] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[04/09/2007, 22:32:30] - Removing HKLM\...\Browser Helper Objects\{AB8BBFF2-E8EB-4550-BA12-0EC1B2467422}
[04/09/2007, 22:32:30] - Removing HKCR\CLSID\{AB8BBFF2-E8EB-4550-BA12-0EC1B2467422}
[04/09/2007, 22:32:30] - Adding Kill Bit for ActiveX for GUID: {AB8BBFF2-E8EB-4550-BA12-0EC1B2467422}
[04/09/2007, 22:32:30] - Deleting ATLEvents/MSEvents Registry entries
[04/09/2007, 22:32:30] - Removing HKLM\...\Winlogon\Notify\ddcyv
[04/09/2007, 22:32:30] - Searching for Browser Helper Objects:
[04/09/2007, 22:32:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
[04/09/2007, 22:32:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 22:32:30] - No filename found. Continuing.
[04/09/2007, 22:32:30] - BHO 2: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[04/09/2007, 22:32:30] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 22:32:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 22:32:31] - No filename found. Continuing.
[04/09/2007, 22:32:31] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 22:32:31] - BHO 5: {7F5FFCB8-4838-43CD-80EA-A7EC9C744281} ()
[04/09/2007, 22:32:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 22:32:31] - Checking for HKLM\...\Winlogon\Notify\tuvvtsp
[04/09/2007, 22:32:31] - Found: HKLM\...\Winlogon\Notify\tuvvtsp - This is probably Virtumundo.
[04/09/2007, 22:32:31] - Assigning {7F5FFCB8-4838-43CD-80EA-A7EC9C744281} MSEvents Object
[04/09/2007, 22:32:31] - BHO list has been changed! Starting over...
[04/09/2007, 22:32:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
[04/09/2007, 22:32:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 22:32:31] - No filename found. Continuing.
[04/09/2007, 22:32:31] - BHO 2: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[04/09/2007, 22:32:31] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/09/2007, 22:32:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 22:32:31] - No filename found. Continuing.
[04/09/2007, 22:32:31] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/09/2007, 22:32:31] - BHO 5: {7F5FFCB8-4838-43CD-80EA-A7EC9C744281} (MSEvents Object)
[04/09/2007, 22:32:31] - ALERT: Found MSEvents Object!
[04/09/2007, 22:32:31] - Finished Searching Browser Helper Objects
[04/09/2007, 22:32:31] - *** Detected MSEvents Object
[04/09/2007, 22:32:31] - Trying to remove MSEvents Object...

For two hours, it did this - over, and over, and over again.

Now - I apologize, but I canNOT post a HJT log; every time I reboot my use of HJT becomes more and more limited - now, when I start up HJT, I can do a scan - if I click any other button besides scan (before, after, or during said scan), then HJT literally just disappears. Like I mentioned before, it isn't possible for me to submit a log or even document anything, and now, after two dozen reboots of my machine and two hours of VirtumundoBeGone running, I can't even select any options without the program falling.

Again; I apologize for treading on your toes before.

Thank you again for your attempts to help me; it is appreciated. I am inclined, as of this moment, to utilize spysweeper as has been suggested on multiple other websites and see if it can actually help me - because while those DLL's and MSEVENT problems do NOT appear on HJT (when I do run a scan), they are still listed in my spybot startup menu thingy...

Thanks again!

Cheers.
  #5 (permalink)  
Old 10-04-2007, 04:17 PM
VopThis
Senior Member (Canada)
Join Date: Nov 2005
Posts: 3,439
Re: BHO's, DLL's, and no HJT log - OH MY!

It would appear that you have disabled running processes in MSCONFIG (selective startup), thereby causing fix problem issues:
Located: System.ini, ddcyv (DISABLED)
command: C:\WINDOWS\system32\ddcyv.dll
file: C:\WINDOWS\system32\ddcyv.dll
size: 280676
MD5: f103f4952601098f28b848bece29780c

Located: System.ini, tuvvtsp (DISABLED)
command: tuvvtsp.dll
file: tuvvtsp.dll



You need to reverse what you did in MSCONFIG, if applicable.



Additionally, the vundo infection will often hide itself if you try to run HijackThis using that exact program name. Try renaming the program to 'analysethis' or 'foolingme'. Potentially, your scans may now run.



If still no complete success with the above, do a file search for the following exact TEXT (using enable/show hidden files option) - copy & paste:
VYCDD.*
PSTVVUT.*


Report back if multiple file instances were reported for any of the above.





As a further alternative possibility,

Your best option may be to try a system restore point (if available) to a date before any known problems or before you started performing any recent fixes?

Click on Start>All Programs>Accessories>System Tools>System Restore.

Check Restore my computer to an earlier date> Click Next.

Choose the date before you performed any recent fixes and click Next and Next again.
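A small triage helper for the VirtumundoBeGone log quoted in post #4 above and for the reversed-name file search suggested in post #5, written as an added example (it is not part of the thread, of VirtumundoBeGone or of VundoFix): it pulls out the BHO CLSIDs that had no default name, the Winlogon\Notify subkeys the tool tied to them, and how often each DLL survived a rename attempt (the remove-reboot-rescan loop the poster describes), then derives the VYCDD.* / PSTVVUT.* search patterns from those subkey names. The embedded log excerpt is constructed from lines copied out of the posted log.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the VirtumundoBeGone log quoted in the
# thread (lines copied from the posted log, trimmed so the sample stays short).
SAMPLE_LOG = r"""[04/09/2007, 20:49:03] - BHO 2: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[04/09/2007, 20:49:03] - BHO 5: {7F5FFCB8-4838-43CD-80EA-A7EC9C744281} ()
[04/09/2007, 20:49:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2007, 20:49:03] - Found: HKLM\...\Winlogon\Notify\tuvvtsp - This is probably Virtumundo.
[04/09/2007, 20:49:05] - File to disable: C:\WINDOWS\system32\tuvvtsp.dll
[04/09/2007, 20:49:05] - Renaming C:\WINDOWS\system32\tuvvtsp.dll -> C:\WINDOWS\system32\tuvvtsp.dll.vir
[04/09/2007, 20:49:05] - ! File rename was unsucessful.
[04/09/2007, 20:49:08] - File to disable: C:\WINDOWS\system32\ddcyv.dll
[04/09/2007, 20:49:08] - ! File rename was unsucessful.
[04/09/2007, 22:32:29] - File to disable: C:\WINDOWS\system32\ddcyv.dll
[04/09/2007, 22:32:29] - ! File rename was unsucessful.
"""

# One log line: "[timestamp] - message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
# "BHO n: {CLSID} (default name)"; an empty name is what the tool warns about.
BHO_RE = re.compile(r"BHO \d+: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\)")
# The Winlogon\Notify subkey the tool ties an unnamed BHO to.
NOTIFY_RE = re.compile(
    r"Found: HKLM\\\.\.\.\\Winlogon\\Notify\\(?P<sub>\S+) - This is probably Virtumundo")
DISABLE_RE = re.compile(r"File to disable: (?P<path>.+)$")
# The tool's own (misspelled) failure message, matched verbatim.
RENAME_FAILED = "File rename was unsucessful"


def triage_vbg_log(text):
    """Summarise a VirtumundoBeGone log.

    Returns a dict with:
      unnamed_bhos    CLSIDs that ever appeared with an empty default name
                      (not proof of malware: the posted log shows two such
                      BHOs with no Winlogon reference that were left alone)
      named_bhos      last default name seen per CLSID
      notify_hits     Winlogon\\Notify subkeys the tool flagged as Virtumundo
      rename_failures how many times each DLL survived a rename attempt; a
                      count above 1 means the DLL was still loaded each time
    """
    unnamed, named = [], {}
    notify_hits = set()
    rename_failures = Counter()
    pending = None  # path from the most recent "File to disable" line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        b = BHO_RE.search(msg)
        if b:
            clsid, name = b.group("clsid"), b.group("name")
            if name == "":
                if clsid not in unnamed:
                    unnamed.append(clsid)
            else:
                named[clsid] = name
            continue
        n = NOTIFY_RE.search(msg)
        if n:
            notify_hits.add(n.group("sub"))
            continue
        d = DISABLE_RE.search(msg)
        if d:
            pending = d.group("path")
            continue
        if RENAME_FAILED in msg and pending:
            rename_failures[pending] += 1
            pending = None
    return {
        "unnamed_bhos": unnamed,
        "named_bhos": named,
        "notify_hits": sorted(notify_hits),
        "rename_failures": dict(rename_failures),
    }


def reversed_name_patterns(notify_subkeys):
    """Turn flagged Winlogon\\Notify names into the file-search patterns from
    post #5: the subkey name spelled backwards, any extension
    (ddcyv -> VYCDD.*, tuvvtsp -> PSTVVUT.*)."""
    return [sub[::-1].upper() + ".*" for sub in notify_subkeys]


if __name__ == "__main__":
    report = triage_vbg_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("search for:", reversed_name_patterns(report["notify_hits"]))
```

Run it against the full VBG.txt instead of SAMPLE_LOG to collapse the 47 pages into one summary per DLL and CLSID.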