lemor_butz Posted January 7, 2008
I have a big problem: every time I run an executable like Excel, Word, IE, anything, a message will come up saying, "The application or DLL C:\WINDOWS\SYSTEMS32\WOWFX.DLL is not a valid windows image. Please check this against your installation disk." It is very annoying and it slows down anything I wish to do. Please help me on this. Thanks a lot.
jwbirdsong Posted January 8, 2008
Deckard's System Scanner
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.
To attach a file to a new post, simply:
Go to the Attachments section on the post composition page (just below the text entry window), and
copy and paste the following into the "Select a file" box: C:\Deckard\System Scanner\extra.txt
Click Upload.
What DSS will do:
create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review.
DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
lemor_butz Posted January 8, 2008
Thanks, I will let you know as soon as I am done with the process you instructed me to do.
lemor_butz Posted January 8, 2008
Here it is, sorry about the delay, computer just won't almost boot up.
jwbirdsong Posted January 8, 2008
You've got a pretty infected machine there; plus you have NO active Anti-Virus installed. Install an AV program. There are some good free ones in my signature. Pick one and install it (or choose one of your own).
Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to C:\SDFix
Please then reboot your computer in Safe Mode (without Networking) by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the option to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the C:\SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back here along with a Combofix log (below).
Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Post this log in your next reply.
Edited January 8, 2008 by jwbirdsong
lemor_butz Posted January 9, 2008 (Author)

Hi, it has been a while that SDFix has been running (computer in Safe Mode without network). Right now the screen shows:

Restoring Windows Registry Values
Restoring Default Host File
Checking File
Please Wait
25% Checked

in that order. Just curious, the message box (wowfx.dll) still comes up, and every time I click OK the header in the message box shows find.exe & MD5File.exe alternately. Now, do I have to click OK so that the process will continue, or just leave it as it is (as it's processing in the background, sort of)? Please let me know. Thanks.
jwbirdsong Posted January 9, 2008 (edited)

Go ahead and stop the SDFix. Just post the Combofix log for now.

Edited January 9, 2008 by jwbirdsong
lemor_butz Posted January 9, 2008 (Author)

All the things that we've done have come to naught. I left it last night while it was processing Combofix. The last time I saw it, the screen showed "C:\POS24F1.tmp", something like that. My friend thought that his computer was broken and unfixable. He went ahead and formatted it. Bummer. I would have liked to get it fixed myself, with your help of course. Having said that, I would like to thank you for your time and effort helping me out. God bless...
jwbirdsong Posted January 9, 2008

Well, sometimes it is nice to start with a fresh clean install.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpywareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free.

More info and download is available at links in the following article by TonyKlein.

Make SURE to read How Did I Get Infected in the First Place??
lemor_butz Posted January 10, 2008 (Author)

Thanks a lot, greatly appreciated...
jwbirdsong Posted January 10, 2008

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.