Everything in the Security Center is turned off. I can't seem to enable anything. What should I do?
My Computer, Control Panel, Administrative Tools, and Services.
Make sure Security Center is Enabled.
Right-click on Security Center, Properties, Startup type: Automatic.
Also click on Dependencies and make sure those services are turned on too.
The Firewall turned on temporarily and then off. How do I do all that stuff you said?
Either something is corrupted in the security center or there is a virus interfering.
Please post a HijackThis log.
Directions if needed:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:31:02 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\VJ\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O20 - Winlogon Notify: rqrronl - rqrronl.dll (file missing)
O20 - Winlogon Notify: ssqro - C:\WINDOWS\
O20 - Winlogon Notify: vturp - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
--
End of file - 3975 bytes
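A triage pass over entries in the format of the log above, as an added example that is not part of this thread and not a feature of HijackThis. It takes a handful of lines copied from the posted log (none invented) and applies conservative rules: entries HijackThis could not resolve to a file, and Winlogon Notify (O20) entries that do not point at a DLL, are the ones a helper would want to look at first. The section rules and the severity labels are assumptions of the example, not HijackThis output; a person still decides what is actually malicious.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; the rules and severities are assumptions of
the example, not something HijackThis or the helpers here define.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above (trimmed to the sections
# the rules below look at; none of these lines is invented).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: rqrronl - rqrronl.dll (file missing)
O20 - Winlogon Notify: ssqro - C:\WINDOWS\
O20 - Winlogon Notify: vturp - C:\WINDOWS\
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O20"
    body: str     # everything after the section tag
    target: str   # last " - " separated field: the file, path or "(no file)"

    @property
    def unresolved(self) -> bool:
        """True when HijackThis could not find the referenced file on disk."""
        return self.target == "(no file)" or self.target.endswith("(file missing)")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "review", "low" or "info"
    reason: str
    entry: Entry


def parse_log(text: str) -> list[Entry]:
    """Keep only entry lines; headers, the process list and 'End of file' are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match is None:
            continue
        body = match.group("body")
        entries.append(Entry(match.group("section"), body, body.rsplit(" - ", 1)[-1]))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Conservative rules: resolution failures and O20 entries that are not DLLs."""
    findings = []
    for entry in entries:
        if entry.section == "O20":
            # Winlogon Notify packages are DLLs loaded by winlogon.exe at logon,
            # so an entry that cannot be resolved to a DLL deserves a close look.
            if entry.unresolved:
                findings.append(Finding("high", "Winlogon Notify package registered but its DLL is missing", entry))
            elif entry.target.endswith("\\"):
                findings.append(Finding("high", "Winlogon Notify entry names a directory, not a DLL", entry))
            else:
                findings.append(Finding("review", "Winlogon Notify package present; verify the DLL's origin", entry))
        elif entry.unresolved:
            findings.append(Finding("low", "orphaned entry: referenced file no longer exists", entry))
        else:
            findings.append(Finding("info", "entry resolved to a file; nothing flagged", entry))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity (only severities that occur are present)."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = {"high": 0, "review": 1, "low": 2, "info": 3}
    report = triage(parse_log(SAMPLE_LOG))
    for finding in sorted(report, key=lambda f: order[f.severity]):
        print(f"[{finding.severity:6}] {finding.entry.section:4} {finding.reason}: {finding.entry.target}")
    print(summarize(report))
```

Run as a script it prints the three O20 entries first, the three orphaned entries next, and the two resolved entries last. The point of the split is that "(file missing)" on an O9 button or an O23 service is usually uninstall leftover, while the same tag on a Winlogon Notify package, or a package that points at a bare directory, is exactly what the helpers in this thread go on to chase with the scanners below.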
Run BitDefender Online Scanner
- Using Internet Explorer, please go HERE to run BitDefender's online scan.
- Read the terms and then click I Agree.
- You may receive a Security Warning about the BitDefender ActiveX control. If you do, please allow it to install.
- On the Scanning Options screen, press Click Here To Scan and then follow the on-screen prompts.
- Once BitDefender is finished scanning your computer it will automatically remove the infections. Once the removal process is finished, press the Close button and a dialog box will appear asking if you want to send your scan log back to the makers of BitDefender. You do not have to do this, but what you do want to do is press the button that says "View log", then copy and paste that log into Notepad and save it to your desktop as bitdefender.txt.
- Reboot your computer.
Post the BitDefender log and a new HijackThis log.
Currently scanning with BitDefender.
*BitDefender Online Scanner - Real Time Virus Report*
Generated at: Wed, Jun 13, 2007 - 06:44:03
------------------------------------------------------------------------
*Scan Info*
Scanned Files
267926
Infected Files
0
* *
*Virus Detected*
No virus found.
------------------------------------------------------------------------
This summary of the scan process will be used by the BitDefender
Antivirus Lab to create agregate statistics about virus activity around
the world.
=============================================================================================
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:47:44 AM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\YVD\YGO Virtual Desktop V086.exe
F:\Program Files\ronin.exe
C:\Documents and Settings\VJ\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O20 - Winlogon Notify: rqrronl - rqrronl.dll (file missing)
O20 - Winlogon Notify: ssqro - C:\WINDOWS\
O20 - Winlogon Notify: vturp - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
--
End of file - 4455 bytes
Download this file - combofix.exe - and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running, as it may cause it to stall.
ComboFix 07-06-13.3 - C:\Documents and Settings\VJ\Desktop\ComboFix.exe
"VJ" - 2007-06-13 17:58:45 - Service Pack 1 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com
((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))
2007-06-13 17:48 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-13 17:39 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-13 17:36 113,944 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-06-13 17:36 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-06-13 17:31 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-06-13 17:31 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-06-13 17:07 <DIR> d-------- C:\WINDOWS\setup.pss
2007-06-13 17:06 <DIR> d-------- C:\WINDOWS\setupupd
2007-06-13 13:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 09:32 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-06-13 09:10 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2007-06-13 09:10 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2007-06-13 09:10 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-06-13 09:10 47,616 --a------ C:\WINDOWS\system32\inetres.dll
2007-06-13 09:10 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2007-06-13 09:10 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-06-13 09:10 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-06-13 09:10 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-06-13 09:10 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-06-13 09:10 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-06-13 09:10 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2007-06-13 09:09 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2007-06-13 09:09 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
2007-06-13 09:09 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-06-13 09:09 69,248 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-06-13 09:09 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2007-06-13 09:09 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2007-06-13 09:09 587,776 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-06-13 09:09 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-06-13 09:09 250,368 --a------ C:\WINDOWS\system32\mstask.dll
2007-06-13 09:09 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-06-13 09:09 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-06-13 09:09 226,304 --a------ C:\WINDOWS\system32\srrstr.dll
2007-06-13 09:09 221,696 --a------ C:\WINDOWS\system32\qmgr.dll
2007-06-13 09:09 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-06-13 09:09 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-06-13 09:09 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2007-06-13 09:08 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-06-13 09:08 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-06-13 09:08 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-06-13 09:08 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2007-06-13 09:08 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-06-13 09:08 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-06-13 09:08 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-06-13 09:08 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-06-13 09:08 82,432 --a------ C:\WINDOWS\system32\comrepl.dll
2007-06-13 09:08 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-06-13 09:08 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2007-06-13 09:08 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-06-13 09:08 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2007-06-13 09:08 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-06-13 09:08 56,832 --a------ C:\WINDOWS\system32\colbact.dll
2007-06-13 09:08 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-06-13 09:08 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-06-13 09:08 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-06-13 09:08 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2007-06-13 09:08 495,616 --a------ C:\WINDOWS\system32\comuid.dll
2007-06-13 09:08 489,984 --a------ C:\WINDOWS\system32\hypertrm.dll
2007-06-13 09:08 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll
2007-06-13 09:08 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-06-13 09:08 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-06-13 09:08 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2007-06-13 09:08 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-06-13 09:08 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-06-13 09:08 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-06-13 09:08 215,040 --a------ C:\WINDOWS\system32\catsrv.dll
2007-06-13 09:08 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2007-06-13 09:08 20,232 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-06-13 09:08 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2007-06-13 09:08 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2007-06-13 09:08 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2007-06-13 09:08 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-06-13 09:08 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-06-13 09:08 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-06-13 09:08 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2007-06-13 09:08 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-06-13 09:08 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-06-13 09:08 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-06-13 09:08 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2007-06-13 09:08 115,976 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-06-13 09:08 11,144 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-06-13 09:08 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-06-13 09:08 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-06-13 09:07 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2007-06-13 09:07 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-06-13 09:04 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-06-13 09:04 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-13 09:04 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-06-13 09:02 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-06-13 09:01 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-06-13 09:00 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-06-13 09:00 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-06-12 21:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-12 21:17 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-06-12 21:12 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-06-12 20:07 <DIR> d-------- C:\Program Files\Sonic
2007-06-12 20:07 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-12 11:52 <DIR> d-------- C:\Program Files\Dell
2007-06-12 11:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Dell
2007-06-12 10:18 6,553,600 --a------ C:\DOCUME~1\VJ\ntuser.dat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-13 23:55:16 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-13 23:37:18 23,388 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-13 15:09:57 -------- d-----w C:\Program Files\Movie Maker
2007-06-13 15:08:18 -------- d-----w C:\Program Files\Windows NT
2007-06-13 11:26:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 15:46:10 6,468 ----a-w C:\WINDOWS\mozver.dat
2007-06-07 13:39:00 -------- d-----w C:\Program Files\Foxit Software
2007-05-25 01:23:00 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-08 23:52:57 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-08 22:00:38 -------- d-----w C:\DOCUME~1\VJ\APPLIC~1\LimeWire
2007-05-01 18:52:14 -------- d--h--w C:\DOCUME~1\VJ\APPLIC~1\yahoo!
2007-04-28 15:45:49 -------- d-----w C:\Program Files\NVIDIA Corporation
2007-04-23 16:15:05 135,936 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-04-22 19:17:21 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-21 12:46:54 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-21 12:46:41 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-20 12:12:28 -------- d-----w C:\Program Files\Yahoo!
2007-04-19 07:35:40 240,368 ----a-w C:\WINDOWS\UNBOC.EXE
2007-04-17 18:17:53 -------- d-----w C:\Program Files\Auto Cleaner
2007-04-10 15:26:12 335 ----a-w C:\WINDOWS\mozregistry.dat
2007-04-09 20:46:05 14 ----a-w C:\WINDOWS\system32\getfile.dat
2007-04-09 20:15:53 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2007-04-08 13:14:43 0 ----a-w C:\WINDOWS\system32\SBRC.dat
2007-04-08 13:14:43 0 ----a-w C:\WINDOWS\system32\SBFC.dat
2007-04-06 23:31:26 1,266,814 --sh--w C:\WINDOWS\system32\prutv.ini2
2007-04-06 22:25:28 1,247,754 --sh--w C:\WINDOWS\system32\prutv.bak2
2007-04-05 00:53:42 81,768 ----a-w C:\WINDOWS\system32\xinput1_3.dll
2007-03-30 21:30:15 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-03-30 21:04:00 1,246,685 --sh--w C:\WINDOWS\system32\prutv.bak1
2007-03-23 21:06:41 1,241,108 --sha-w C:\WINDOWS\system32\acbeg.ini2
2007-03-23 20:33:04 229,376 ----a-w C:\WINDOWS\CMDLIC.DLL
2007-03-23 12:07:56 1,683,280 ----a-w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 12:07:54 583,504 ----a-w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 02:25:02 124,928 ----a-w C:\WINDOWS\system32\prntvpt.dll
2007-03-19 02:22:43 6,637,696 ----a-w C:\WINDOWS\system32\exec1.exe
2007-03-14 08:52:10 1,073,152 ----a-w C:\WINDOWS\system32\nvCplUIR.dll
2007-03-14 08:52:08 745,472 ----a-w C:\WINDOWS\system32\nvCplUI.exe
2007-03-14 08:51:52 307,200 ----a-w C:\WINDOWS\system32\nvExpBar.dll
2007-03-13 22:05:04 1,158,883 --sha-w C:\WINDOWS\system32\gjllm.bak2
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 09:41]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 14:26]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoVisualStyleChoice"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrronl]
rqrronl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqro]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturp]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli scecli scecli scecli scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CBitSpirit]
"C:\Program Files\BitSpirit\BitSpirit.exe" /start
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
*Newly Created Service* - WUAUSERV
Contents of the 'Scheduled Tasks' folder
2007-06-08 23:15:42 C:\WINDOWS\tasks\1-Click Maintenance.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 17:59:57
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-13 18:00:26
C:\ComboFix-quarantined-files.txt ... 2007-06-13 18:00
--- E O F ---
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-13 19:50:29
Windows 5.1.2600 Service Pack 1
---- Registry - GMER 1.0.12 ----
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@bbaiigcjghfmpobdijmecdilfodoemhedfml 0x6A 0x61 0x66 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@abkhcpojpoeklkgidaphlnoepjfadpcnom 0x6A 0x61 0x66 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@iaaiigcjghfmpobdij 0x61 0x61 0x00 0x00
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@hakhcpojpoeklkgi 0x61 0x61 0x00 0x00
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@iaeginchkembmhapoa 0x61 0x61 0x00 0x00
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@bbaiigcjghfmpobdijmecdilfododmegciah 0x6A 0x61 0x66 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@abkhcpojpoeklkgidaphlnoepjcagadihj 0x6A 0x61 0x66 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@bbaiigcjghfmpobdijmeankmpgellnjngfie 0x6A 0x61 0x66 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@abkhcpojpoeklkgidafhjmgkgckggjpjpd 0x6A 0x61 0x66 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@bbaiigcjghfmpobdijmeankmdmanppceodoi 0x6A 0x61 0x66 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{04E9F7C7-7ADF-E339-4EDF-8481E8FE53FE}@abkhcpojpoeklkgidafhjmkkcopmdndcca 0x6A 0x61 0x66 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1C118E24-2457-15AC-C01D-93999FC44876}@dbamoegnamgaahaapoamgapojjbhdhmjmenbjlei 0x6A 0x61 0x64 0x65 ...
Reg \Registry\USER\S-1-5-21-2000478354-688789844-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1C118E24-2457-15AC-C01D-93999FC44876}@cbgmaglheiednljeihfegldbdggnbgaldpancc 0x6A 0x61 0x64 0x65 ...
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\Neno\Start Menu\Programs\Startup\Registration Tom Clancy's Rainbow Six: Vegas.LNK
---- EOF - GMER 1.0.12 ----
Download SDFix and save it to your Desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
SDFix: Version 1.87
Run by VJ on Thu 06/14/2007 at 05:31 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS\
C:\WINDOWS
No streams found.
Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.
Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Listing Files with Hidden Attributes:
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Joel\NTUSER.DAT.COPY.TMP.LOG
C:\Documents and Settings\VJ\NTUSER.DAT.COPY.TMP.LOG
C:\WINDOWS\system32\acbeg.tmp
C:\WINDOWS\system32\prutv.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
Listing User Accounts:
User accounts for \\JESUS-O7G2CSL5J
Administrator ASPNET Guest
HelpAssistant Joel Neno
SUPPORT_388945a0 VJ
Finished
=============================================================================================
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:40:44 AM, on 6/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\VJ\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O20 - Winlogon Notify: rqrronl - rqrronl.dll (file missing)
O20 - Winlogon Notify: ssqro - C:\WINDOWS\
O20 - Winlogon Notify: vturp - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
--
End of file - 4669 bytes
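As an added example (not code from the original post, and not part of HijackThis itself), the Python below parses the O2/O3/O9/O20/O23 line formats seen in the log above and flags the entries a reviewer would check by hand: a referenced file that HijackThis reports as missing, a Winlogon Notify entry that does not resolve to a DLL path, and a service whose publisher is recorded as unknown. The flagging rules are this example's own heuristics, and a flag means only "look at this", not that the entry is malicious. The sample lines are copied from the log in the post above, plus two non-item lines to show that they are skipped.

```python
import re
from typing import Dict, List, Optional

# Matches a HijackThis item line such as "O20 - Winlogon Notify: ssqro - C:\WINDOWS\".
ITEM_RE = re.compile(r"^(O\d+) - (.*)$")

# Sample lines copied from the HijackThis log in the post above, plus two
# non-item lines ("Running processes:" and a process path) to show that the
# parser skips anything that is not an O-item.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: rqrronl - rqrronl.dll (file missing)
O20 - Winlogon Notify: ssqro - C:\WINDOWS\
O20 - Winlogon Notify: vturp - C:\WINDOWS\
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one O-item line into code, name, owner (O23 only) and path.

    Returns None for lines that are not O-items (headers, process list, R/F lines).
    HijackThis separates fields with " - "; a name or path that itself contains
    " - " would confuse this simple split, so treat the output as a triage aid.
    """
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    entry = {"code": code, "raw": line.strip(), "name": "", "owner": "", "path": ""}
    if code == "O20":
        # "Winlogon Notify: <registry key name> - <dll path>"
        head, _, path = rest.partition(" - ")
        entry["name"] = head.split(":", 1)[-1].strip()
        entry["path"] = path.strip()
    elif code in ("O2", "O3", "O9", "O23"):
        # O2/O3/O9: "<kind>: <name> - {CLSID} - <path>"
        # O23:      "Service: <display name> (<service>) - <company> - <path>"
        parts = [p.strip() for p in rest.split(" - ")]
        entry["name"] = parts[0].split(":", 1)[-1].strip()
        if len(parts) >= 3:
            entry["path"] = parts[-1]
            if code == "O23":
                entry["owner"] = parts[1]
    return entry


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry deserves a manual look (empty list = nothing noted)."""
    reasons: List[str] = []
    path = entry["path"]
    if "(file missing)" in path:
        reasons.append("referenced file is missing")
    if entry["code"] == "O20":
        # Winlogon notification packages are DLLs loaded by winlogon.exe, so an
        # entry that points at a bare directory, or names a DLL with no directory
        # at all, is worth checking by hand.
        clean = path.replace("(file missing)", "").strip()
        if not clean.lower().endswith(".dll"):
            reasons.append("Winlogon Notify entry does not resolve to a DLL file")
        elif "\\" not in clean:
            reasons.append("Winlogon Notify DLL is named without a directory")
    if entry["code"] == "O23" and entry["owner"].lower() == "unknown owner":
        reasons.append("service has no publisher recorded")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run flag_entry over every O-item line and collect the flagged ones in log order."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            findings.append({"code": entry["code"], "name": entry["name"],
                             "reasons": reasons, "raw": entry["raw"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:<4} {f['name']:<20} {'; '.join(f['reasons'])}")
        print(f"     {f['raw']}")
```

Run against the sample, it flags the xpnetdiag O9 button (a Windows component whose file is simply absent on this SP1 install), the three O20 Winlogon Notify entries, and the NMIndexingService O23 entry, and leaves the Java BHO and NVIDIA service alone. The point of the flags is to shorten the list a helper has to read, not to decide what gets removed.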
Can you turn on your firewall and stuff now?
"Due to an unidentified problem, Windows cannot display Firewall settings."
Download this and unzip it:
http://djlizard.net.nyud.net:8080/software...-v0.60.0.24.zip
Click to open Dial-a-Fix; once it's open, press the green checkmarks and then press Go. Let it run through everything and, when it's done, let me know if you can use the Windows Firewall. (Try a reboot if it's not working.)
During Dial-a-Fix I get this message 2x:
"Error 127: C:\WINDOWS\system32\qmgr.dll is not unregisterable or the file is corrupted. Your version of qmgr.dll is: 6.2.2600.1106. Please contact dial-a-fix@DjLizard.net so that an exception can be made for your version of this file."
And no, I still cannot turn my firewall on.
I got my Update service going by downloading WindowsUpdateAgent20-x86. Yeah, it works way better than going into the registry or starting and restarting the service. I just reinstalled it and it's working so far.
I'm trying to reinstall SP2, but it's taking way too long, update-wise.
I'm gonna try the CD again and see what happens.