
After Downloading A Winfixer Type Program In Error


This topic is locked
8 replies to this topic

#1 dblt01 (Members, 4 posts)

Posted 03 October 2007 - 05:05 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:51:21, on 03/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.orange.co.uk/iesearch/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AF95528-44B3-410A-8042-132E9928DCFE} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [lgzezyrk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lgzezyrk.dll"
O4 - HKLM\..\Run: [ihqnebcn] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ihqnebcn.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1960408961-115176313-1801674531-1004\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Storm')
O4 - HKUS\S-1-5-21-1960408961-115176313-1801674531-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Storm')
O4 - HKUS\S-1-5-21-1960408961-115176313-1801674531-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Storm')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MightyFAX Controller.lnk.disabled
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk.disabled
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191373989812
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://webgames.d.tmsrv.com/c=45ceefc8872f...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://webgames.d.tmsrv.com/c=10830baa635a...gamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/a...zylomloader.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://aolsvc.aol.com/onlinegames/free-tri...pt.1.0.0.21.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O20 - Winlogon Notify: efcabxw - efcabxw.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11041 bytes
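The HijackThis log above is a plain line-oriented format (a section prefix such as R0, O2, O4, O20, followed by the entry), so it is easy to triage mechanically. The script below is an added example, not part of the thread and not a tool from BleepingComputer, HijackThis or any of the helpers here. It parses the log layout and flags the same indicators a human log reader looks for in this post: entries whose referenced file is missing, HKLM Run values that call `regsvr32 /u` on a DLL, DLLs launched from `Application Data`, and Run values whose name equals the DLL's basename. The sample lines are constructed, modelled on the first log in this post; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 layout, modelled on the entries in the log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AF95528-44B3-410A-8042-132E9928DCFE} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lgzezyrk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lgzezyrk.dll"
O4 - HKLM\..\Run: [ihqnebcn] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ihqnebcn.dll"
O20 - Winlogon Notify: efcabxw - efcabxw.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O20, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)  # human-readable reasons this entry was flagged


def parse_hjt(text):
    """Return the log's R/O entries; header, process list and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


# Each check is (reason, predicate). These are heuristics, not verdicts: a flagged
# entry is something to look up, not something to delete on sight.
CHECKS = [
    ("referenced file is missing on disk (orphaned load point)",
     lambda e: "(file missing)" in e.body),
    ("HKLM Run value invokes regsvr32 /u on a DLL",
     lambda e: e.section == "O4"
     and re.search(r"\bregsvr32(?:\.exe)?\s+/u\b", e.body, re.I) is not None),
    ("Run value loads a DLL from Application Data",
     lambda e: e.section == "O4"
     and re.search(r"\\Application Data\\[^\\]+\.dll", e.body, re.I) is not None),
    ("Run value name equals the DLL basename",
     lambda e: e.section == "O4"
     and re.search(r"\[([^\]]+)\].*\\\1\.dll", e.body, re.I) is not None),
]


def triage(text):
    """Parse the log and attach every matching reason to each entry."""
    entries = parse_hjt(text)
    for entry in entries:
        for reason, predicate in CHECKS:
            if predicate(entry):
                entry.flags.append(reason)
    return entries


def suspicious(text):
    """Only the entries that tripped at least one check."""
    return [e for e in triage(text) if e.flags]


if __name__ == "__main__":
    for entry in suspicious(SAMPLE_LOG):
        print(f"{entry.section}: {entry.body}")
        for reason in entry.flags:
            print(f"    - {reason}")
```

Run against the sample, the two `regsvr32 /u` Run entries trip three checks each and the three `(file missing)` entries trip one; the AVG, Adobe and ZoneAlarm lines are untouched. The point of keeping the reasons as text rather than a score is that a reviewer can see why a line was raised and decide whether the explanation holds for a legitimate product.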



#2 rookie147 (Members, 5,321 posts)

Posted 06 October 2007 - 04:45 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Then scan again with HijackThis and include the log, along with the Combofix and Vundofix reports in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 dblt01 (Topic Starter, Members, 4 posts)

Posted 07 October 2007 - 09:16 AM

Hello Charles,
Thanks for your reply and clear instructions. I have done as you requested and something was found and corrected. I have included the logs here as requested; they look a bit like mumbo jumbo to me, but I am more than confident that you'll know what it all means :thumbsup:
Regards,
David

VundoFix V6.5.9

Checking Java version...

Sun Java not detected
Scan started at 13:47:15 07/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\lcyxefwb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lcyxefwb.dll
C:\WINDOWS\system32\lcyxefwb.dll Has been deleted!

Performing Repairs to the registry.
Done!



ComboFix 07-10-07.2 - Da Don 2007-10-07 14:11:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.154 [GMT 1:00]
Running from: C:\Documents and Settings\Da Don\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Olivia\Desktop\internet.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\qxwgtfat.dll
C:\WINDOWS\system32\taftgwxq.ini
C:\WINDOWS\system32\wnsapii.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-07 14:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 13:47 <DIR> d-------- C:\VundoFix Backups
2007-10-03 22:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-03 19:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-03 17:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-03 16:35 <DIR> d-------- C:\Documents and Settings\Da Don\.housecall6.6
2007-10-03 10:52 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-03 02:20 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-02 21:18 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-02 09:25 <DIR> d-------- C:\DVD COPY
2007-10-01 20:22 1,245,006 --ahs---- C:\WINDOWS\system32\srqss.bak2
2007-10-01 19:02 <DIR> d-------- C:\Program Files\Ajealfwy
2007-10-01 17:56 <DIR> d-------- C:\Program Files\Txqxwfad
2007-10-01 08:22 1,223,037 --ahs---- C:\WINDOWS\system32\srqss.bak1
2007-09-30 21:35 <DIR> d-------- C:\WINDOWS\system32\vongraeb
2007-09-30 21:35 <DIR> d-------- C:\Program Files\klytilcj
2007-09-30 21:35 <DIR> d-------- C:\Program Files\Gsrvrkux
2007-09-20 11:01 9,898,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-20 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-19 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2007-09-13 06:43 <DIR> d-------- C:\Program Files\eBay
2007-09-13 06:43 <DIR> d-------- C:\Documents and Settings\All Users\eBay
2007-09-08 13:32 <DIR> d-------- C:\Program Files\GlobalSCAPE
2007-09-08 13:32 <DIR> d-------- C:\Documents and Settings\Da Don\Application Data\GlobalSCAPE
2007-09-07 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-09-07 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-07 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 14:21 117020 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-05 18:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-03 19:07 --------- d-------- C:\Program Files\Microsoft IntelliType Pro
2007-10-03 19:07 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-10-03 01:48 --------- d-------- C:\Documents and Settings\Da Don\Application Data\Registry Booster
2007-10-02 21:06 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-10-01 12:03 --------- d-------- C:\Program Files\Mightyfax
2007-10-01 09:48 --------- d-------- C:\Program Files\Google
2007-10-01 09:26 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-13 06:42 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-09-10 19:29 --------- d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-09-07 15:18 --------- d-------- C:\Program Files\Common Files\Ahead
2007-09-06 16:14 75248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-06 02:16 --------- d-------- C:\Documents and Settings\Da Don\Application Data\Download Manager
2007-09-05 06:28 --------- d-------- C:\Program Files\iTunes
2007-09-05 06:22 --------- d-------- C:\Program Files\iPod
2007-09-05 06:19 --------- d-------- C:\Program Files\QuickTime
2007-09-05 06:18 --------- d-------- C:\Program Files\Apple Software Update
2007-09-04 00:03 --------- d-------- C:\Program Files\HP
2007-09-03 22:42 --------- d-------- C:\Documents and Settings\Storm\Application Data\Google
2007-09-03 22:42 --------- d-------- C:\Documents and Settings\Da Don\Application Data\Google
2007-09-03 22:37 --------- d-------- C:\Program Files\MySpace
2007-08-26 09:04 --------- d-------- C:\Documents and Settings\Da Don\Application Data\AdobeUM
2007-08-26 08:11 --------- d-------- C:\Documents and Settings\Da Don\Application Data\EbkReader
2007-08-22 17:55 --------- d-------- C:\Documents and Settings\Chantelle\Application Data\AdobeUM
2007-08-20 14:45 --------- d-------- C:\Program Files\HMRC
2006-10-24 21:32:51 56 --sh--r C:\WINDOWS\system32\2D75569DA9.sys
2006-10-24 21:32:52 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AF95528-44B3-410A-8042-132E9928DCFE}]
C:\WINDOWS\system32\ssqrs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-15 09:47]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"Cmaudio"="cmicnfg.cpl" []
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [2006-07-14 22:41:11]
HP Image Zone Fast Start.lnk.disabled [2006-07-14 22:42:02]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-06-13 17:14:19]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]
MightyFAX Controller.lnk.disabled [2007-01-02 15:13:11]
QuickBooks 2002 Delivery Agent.lnk.disabled [2006-06-13 18:08:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B72CA17C-742C-4E70-ABF6-B3AF3EE1CFCE}"= C:\WINDOWS\system32\efcabxw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcabxw]
efcabxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhdn32]
winhdn32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
"Uniblue Registry Booster"=C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"HPHUPD06"=C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
"PDFtypewriterPrinterMonitor"="C:\Program Files\PDFtypewriter\Printer\PDFtypewriterMonitorStart.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SoundMan"=SOUNDMAN.EXE
"VTTimer"=VTTimer.exe
"SearchIndexer"=rundll32.exe "C:\WINDOWS\system32\qxwgtfat.dll",sitypnow
"pqlchszc"=rundll32.exe "C:\Program Files\klytilcj\qjczczcp.dll",Init
"atupmpob"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\atupmpob.dll"
"ihqnebcn"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ihqnebcn.dll"

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d4c89d6-fb9a-11da-8604-000e50d1cd94}]
AutoRun\command- E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 08:18:32 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-08-30 21:32:02 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- c:\Program Files\Microsoft IntelliType Pro\itype.exe
"2007-10-07 13:22:38 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-10-02 20:18:23 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 14:25:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 14:29:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 14:28
.
--- E O F ---

2006-06-28 16:45	  104	--a------	C:\Qoobox\Quarantine\C\Documents and Settings\Olivia\Desktop\Internet.lnk.vir
2007-10-01 10:40	  2	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wnsapii.exe.vir
2007-10-02 16:37	  519	--a------	C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-10-02 16:37	  693841	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\taftgwxq.ini.vir
2007-10-03 10:47	  3192	--a------	C:\Qoobox\Quarantine\C\check_LSA7.txt.vir
2007-10-07 14:19	  846	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.dat


Folder PATH listing
Volume serial number is 58D5-9CC6
C:\QOOBOX\QUARANTINE
+---C
|   |   check_LSA7.txt.vir
|   |   
|   +---Documents and Settings
|   |   \---Olivia
|   |	   \---Desktop
|   |			   Internet.lnk.vir
|   |			   
|   \---WINDOWS
|	   |   cookies.ini.vir
|	   |   
|	   \---system32
|			   taftgwxq.ini.vir
|			   wnsapii.exe.vir
|			   
\---Registry_backups
		LEGACY_DOMAINSERVICE.reg.dat


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:09, on 07/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AF95528-44B3-410A-8042-132E9928DCFE} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MightyFAX Controller.lnk.disabled
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk.disabled
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191373989812
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://webgames.d.tmsrv.com/c=45ceefc8872f...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://webgames.d.tmsrv.com/c=10830baa635a...gamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/a...zylomloader.cab
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} (CPlayFirstSandScriptControl Object) - http://aolsvc.aol.com/onlinegames/free-tri...pt.1.0.0.21.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O20 - Winlogon Notify: efcabxw - efcabxw.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10070 bytes

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:12:41 AM

Posted 07 October 2007 - 04:11 PM

Hello there,
Copy and paste the following text into Notepad:
@echo off
dir "C:\Program Files" >> results.txt
notepad results.txt
exit
Save this as "look.bat". Choose "All Files" as the save type and place it on your Desktop.
Double-click look.bat.

A Notepad file will then open - it will also be created on your Desktop - please post this in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 dblt01

dblt01
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:41 PM

Posted 07 October 2007 - 05:56 PM

Hello Charles,
Thanks for the quick reply. As requested, the contents of the look.bat file you asked me to create are listed below.
Regards,
David


Volume in drive C has no label.
Volume Serial Number is 58D5-9CC6

Directory of C:\Program Files

03/10/2007 22:50 <DIR> .
03/10/2007 22:50 <DIR> ..
30/08/2006 16:31 <DIR> activePDF
06/09/2007 20:08 <DIR> Adobe
29/06/2006 09:04 <DIR> Ahead
06/10/2007 14:15 <DIR> Ajealfwy
02/01/2007 15:00 <DIR> AMF Software
11/07/2006 09:26 <DIR> AOD
05/09/2007 06:18 <DIR> Apple Software Update
13/06/2006 14:03 <DIR> AvRack
01/10/2007 10:40 <DIR> Common Files
13/06/2006 11:24 <DIR> ComPlus Applications
13/06/2006 12:10 <DIR> CyberLink
13/06/2006 11:48 <DIR> DVD Shrink
13/09/2007 06:43 <DIR> eBay
08/09/2007 13:32 <DIR> GlobalSCAPE
01/10/2007 09:48 <DIR> Google
19/02/2007 09:58 <DIR> Grisoft
13/12/2006 02:29 <DIR> gs
06/10/2007 14:15 <DIR> Gsrvrkux
14/07/2006 22:43 <DIR> Hewlett-Packard
20/08/2007 14:45 <DIR> HMRC
04/09/2007 00:03 <DIR> HP
01/04/2007 11:21 <DIR> Infogrames
18/08/2006 14:33 <DIR> Inland Revenue
03/10/2007 19:05 <DIR> Internet Explorer
13/06/2006 18:07 <DIR> Intuit
05/09/2007 06:22 <DIR> iPod
05/09/2007 06:28 <DIR> iTunes
14/06/2006 02:27 <DIR> iWin.com
06/10/2007 14:15 <DIR> klytilcj
10/10/2006 21:12 <DIR> Kodak
13/06/2006 12:04 <DIR> Lavalys
13/06/2006 21:19 <DIR> Lavasoft
03/10/2007 19:07 <DIR> Lexmark X1100 Series
13/06/2006 17:16 <DIR> Logitech
03/10/2007 19:07 <DIR> Messenger
29/04/2007 16:21 <DIR> Microsoft ActiveSync
03/10/2007 02:20 <DIR> Microsoft CAPICOM 2.1.0.2
14/06/2006 20:00 <DIR> microsoft frontpage
03/10/2007 19:07 <DIR> Microsoft IntelliType Pro
17/10/2006 11:08 <DIR> Microsoft Office
13/06/2006 12:06 <DIR> Microsoft Plus!
01/10/2007 12:03 <DIR> Mightyfax
07/05/2007 23:08 <DIR> mobile PhoneTools
13/06/2006 11:25 <DIR> Movie Maker
13/06/2006 19:15 <DIR> MSN
13/06/2006 19:21 <DIR> MSN Apps
14/10/2006 20:16 <DIR> MSN Games
13/06/2006 11:23 <DIR> MSN Gaming Zone
13/06/2007 19:41 <DIR> MSN Messenger
19/11/2006 00:28 <DIR> MSXML 4.0
28/09/2006 14:58 <DIR> MumboJumbo
03/09/2007 22:37 <DIR> MySpace
29/06/2006 09:08 <DIR> Nero
13/06/2006 11:25 <DIR> NetMeeting
04/09/2006 17:37 <DIR> Online Services
13/06/2007 22:57 <DIR> Outlook Express
13/12/2006 02:26 <DIR> PDFtypewriter
01/04/2007 11:21 <DIR> Playfirst
05/09/2007 06:19 <DIR> QuickTime
05/08/2006 11:42 <DIR> Real
13/06/2006 14:03 <DIR> Realtek AC97
13/06/2006 14:03 <DIR> Realtek Sound Manager
13/06/2006 14:24 <DIR> S3
04/01/2007 13:47 <DIR> Serif
02/05/2007 20:50 <DIR> SpeedTouch
03/10/2007 19:11 <DIR> Spybot - Search & Destroy
03/10/2007 22:50 <DIR> Trend Micro
29/09/2006 19:54 <DIR> Trymedia
06/10/2007 14:15 <DIR> Txqxwfad
31/08/2006 18:41 <DIR> Uniblue
12/07/2006 22:03 <DIR> VideoEgg
28/02/2007 00:01 <DIR> Windows Media Connect 2
03/10/2007 19:12 <DIR> Windows Media Player
13/06/2006 21:03 <DIR> Windows Messaging
28/04/2007 22:56 <DIR> Windows Mobile Device Handbook
04/09/2006 17:37 <DIR> Windows NT
07/09/2007 22:52 <DIR> WinZip
13/06/2006 11:28 <DIR> xerox
02/10/2007 21:19 <DIR> XoftSpySE
10/11/2006 21:05 <DIR> Yahoo!
13/06/2006 12:13 <DIR> Zone Labs
0 File(s) 0 bytes
83 Dir(s) 17,241,653,248 bytes free

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:12:41 AM

Posted 08 October 2007 - 04:18 PM

Do you know anything about these folders?

C:\Program Files\Ajealfwy
C:\Program Files\gs
C:\Program Files\Gsrvrkux
C:\Program Files\klytilcj
C:\Program Files\Txqxwfad

What about their contents?

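The five folders Charles singles out above show the pattern a responder looks for in a Program Files listing: four of them have gibberish names and were all created in the same minute (06/10/2007 14:15), while a user-installed folder such as gs (Ghostscript) sits alone at its own timestamp. The Python script below is an added example, not code from this thread or from HijackThis, that automates that triage over pasted `dir` output: it groups the `<DIR>` lines by creation timestamp and flags names in a shared-minute cluster that look like random consonant strings. The sample listing is a subset of the one David posted, embedded inline so the script runs offline; the consonant-run heuristic and its thresholds are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "dir C:\Program Files" listing posted
# in this thread, as pasted (the forum collapsed the column whitespace).
DIR_LISTING = """\
06/09/2007 20:08 <DIR> Adobe
06/10/2007 14:15 <DIR> Ajealfwy
13/06/2006 14:03 <DIR> AvRack
13/12/2006 02:29 <DIR> gs
06/10/2007 14:15 <DIR> Gsrvrkux
14/07/2006 22:43 <DIR> Hewlett-Packard
20/08/2007 14:45 <DIR> HMRC
06/10/2007 14:15 <DIR> klytilcj
03/10/2007 19:07 <DIR> Lexmark X1100 Series
03/10/2007 19:07 <DIR> Messenger
03/10/2007 19:07 <DIR> Microsoft IntelliType Pro
19/11/2006 00:28 <DIR> MSXML 4.0
13/06/2006 14:03 <DIR> Realtek AC97
13/06/2006 14:03 <DIR> Realtek Sound Manager
06/10/2007 14:15 <DIR> Txqxwfad
13/06/2006 12:13 <DIR> Zone Labs
"""

# Tolerates both the collapsed forum paste and real dir output (runs of spaces).
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+<DIR>\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return (timestamp, name) pairs for <DIR> lines, skipping '.' and '..'."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue
        date, time, name = m.groups()
        if name in (".", ".."):
            continue
        entries.append((f"{date} {time}", name))
    return entries


def looks_random(name, min_run=3):
    """Heuristic (assumption): a name of 6+ letters containing a run of
    min_run or more consonants. The run resets on spaces and punctuation so
    vendor names like 'Hewlett-Packard' are not caught."""
    if len(re.sub(r"[^A-Za-z]", "", name)) < 6:
        return False
    run = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            if run >= min_run:
                return True
        else:
            run = 0
    return False


def find_suspicious_dirs(text, min_cluster=2):
    """Flag random-looking names that share a creation minute with at least
    min_cluster - 1 other folders: a dropper writing several directories in
    one go leaves exactly this footprint."""
    by_stamp = defaultdict(list)
    for stamp, name in parse_dir_listing(text):
        by_stamp[stamp].append(name)
    flagged = []
    for stamp, names in by_stamp.items():
        if len(names) < min_cluster:
            continue
        flagged.extend((stamp, n) for n in names if looks_random(n))
    return flagged


if __name__ == "__main__":
    for stamp, name in find_suspicious_dirs(DIR_LISTING):
        print(f"{stamp}  {name}")
```

Paste a full `dir` listing into DIR_LISTING to run it on a real case. The two conditions are combined on purpose: a nonsense name sitting alone at its own timestamp is not flagged, and neither is a cluster of ordinary vendor folders installed together (the three 03/10/2007 19:07 entries), so what surfaces is the same set of four empty folders Charles asked about.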


#7 dblt01

dblt01
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:41 PM

Posted 08 October 2007 - 05:22 PM

Hello Charles,
Again thanks for your prompt responses :thumbsup:

The files you asked me about did make me wonder. The folders in the Program Files directory Ajealfwy, Gsrvrkux, klytilcj and Txqxwfad are all empty and I wondered if I should delete them. When I looked in the folders it was with them set to show hidden files, but they still appear empty. The folder names do look similar to some weird and wonderful .dll files I have had in start up in the past, which you have subsequently managed to get rid of.
The folder gs in the Program Files directory contains one file and two folders. The folders are Font and gs8.54 and the file is a large G icon called UNINSTGS. My impression is that it is something to do with Ghostscript, whatever that may be.

Hope this makes some sort of sense?

Regards and many thanks,
David

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:12:41 AM

Posted 09 October 2007 - 02:48 PM

Hi there David,
Yes, that explanation did make sense, thank you. All of the empty ones can be deleted [using Safe Mode if necessary]

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {4AF95528-44B3-410A-8042-132E9928DCFE} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O20 - Winlogon Notify: efcabxw - efcabxw.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Reboot your computer.

In your next post I'd like some information about how things seem to be running now.
Thanks,
Charles

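All three entries Charles asks David to fix end in "(file missing)": the registry reference survives even though the DLL it points at is gone, which is what is left behind when an earlier scan removed a dropper's files but not the BHO and Winlogon Notify keys that loaded them. The script below is an added example (not from the thread and not HijackThis code) that parses log lines in HijackThis' "Onn - ..." format and pulls out exactly those orphaned module references, so a responder gets the fix list without reading the whole log by eye. The sample log is constructed from lines quoted in this thread plus two benign lines for contrast; the section descriptions are my own one-line summaries of what HijackThis groups under each prefix.

```python
import re
from collections import Counter

# Constructed sample: lines in HijackThis log format, copied from the logs
# quoted in this thread, plus two benign lines (O9, O23) for contrast.
HJT_LOG = r"""
O2 - BHO: (no name) - {4AF95528-44B3-410A-8042-132E9928DCFE} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: efcabxw - efcabxw.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# What HijackThis groups under the prefixes that matter most for persistence
# (my summary of the tool's section numbering, not an exhaustive list).
SECTIONS = {
    "O2": "Browser Helper Object (loaded into Internet Explorer)",
    "O4": "Startup entry (Run keys / Startup folder)",
    "O20": "AppInit_DLLs / Winlogon Notify package",
    "O23": "Windows service",
}

HJT_LINE = re.compile(r"^(O\d+) - (.+)$")
MISSING = "(file missing)"


def parse_hjt(text):
    """Split a HijackThis log into (section, detail) pairs, ignoring other lines."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphaned_entries(text):
    """Entries whose module HijackThis could not find on disk.

    The detail text reads 'description - module (file missing)'; the module is
    the last ' - ' separated field once the marker is stripped off.
    """
    found = []
    for section, detail in parse_hjt(text):
        if not detail.endswith(MISSING):
            continue
        module = detail[: -len(MISSING)].strip().rsplit(" - ", 1)[-1]
        found.append((section, module))
    return found


def fix_list(text):
    """The full log lines a responder would tick in HijackThis for the orphans."""
    return [line.strip() for line in text.splitlines()
            if line.strip().endswith(MISSING)]


def section_counts(text):
    """How many entries each section contributes: a quick shape check of a log."""
    return Counter(section for section, _ in parse_hjt(text))


if __name__ == "__main__":
    for section, module in orphaned_entries(HJT_LOG):
        print(f"{section:4} {SECTIONS.get(section, 'other')}: {module}")
    print()
    print("\n".join(fix_list(HJT_LOG)))
```

An orphaned O20 entry is worth fixing even though the DLL is absent: Winlogon tries to load each Notify package at every logon, and the key is the obvious place for a re-infection to drop a fresh copy of the DLL. The script only lists what the log itself says is missing; deciding whether a present module is legitimate still needs the path and publisher checks a responder does by hand.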


#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:12:41 AM

Posted 25 October 2007 - 04:09 AM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.





