No Icons Or Start Menu On Startup...


  • This topic is locked
10 replies to this topic

#1 greggwisniewski

greggwisniewski

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 30 November 2007 - 06:26 PM

Hi,
I am trying to help a friend with their laptop. When he turns the laptop on there are no icons or start button, just the background. I booted into safe mode and did a system restore and it worked until I got on the internet, then I started to get multiple popups about viruses and such. I rebooted and lost the icons again. I did the restore again to try and get HJT this run. The scan seemed to work fine but I could not get the log to save, so I had to do multiple screenshots. I think he had an old version of HJT but was unable to get on the net from his laptop to get the most recent version. Hopefully the screenshots will be sufficient. I have attached them in a zip file. Thanks in advance for all of your help.

#2 TheBruce1

TheBruce1

  • Members
  • 55 posts
  • OFFLINE
  • Local time:11:59 PM

Posted 03 December 2007 - 02:52 PM

Hello and welcome to BleepingComputer

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

What DSS will do:

* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

=========================================
Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt


#3 greggwisniewski

greggwisniewski
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 04 December 2007 - 02:36 PM

Thanks for your reply. I ran the utility you sent but I only got one Notepad doc. I have pasted the contents below. Thanks!!

Deckard's System Scanner v20071014.68
Run by Keith Bryant on 2007-12-04 14:20:29
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
62: 2007-12-04 14:22:05 UTC - RP480 - Restore Operation
61: 2007-12-04 14:22:04 UTC - RP479 - Last known good configuration
60: 2007-12-04 14:21:58 UTC - RP478 - Restore Operation
59: 2007-12-04 14:21:58 UTC - RP477 - Removed Google Toolbar for Internet Explorer
58: 2007-12-04 14:21:58 UTC - RP476 - Removed Get High Speed Internet!


-- First Restore Point --
1: 2007-12-04 14:21:29 UTC - RP419 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Keith Bryant.exe) ----------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-04 14:24:07
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\Restore\rstrui.exe
C:\Documents and Settings\Keith Bryant\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F14F048-0DEB-479E-B53C-9AC552575247} - C:\WINDOWS\system32\ljjkl.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\khfgebb.dll
O2 - BHO: (no name) - {5f8bd87f-3165-4a18-8f89-2f420cf443f2} - C:\WINDOWS\system32\yqwddea.dll
O2 - BHO: (no name) - {7E4E817D-B478-4850-80A6-1D860E9D5356} - C:\Program Files\MSN\qurodum83122.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {B966E5A5-7014-4525-AA5A-B5CE89E7EA13} - C:\Program Files\MSN\qurodum4444.dll
O2 - BHO: (no name) - {C4A6A763-348A-3D5B-DA2D-4DE607835EE5} - C:\WINDOWS\system32\kuaum.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\v5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\YMANTE~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Cxdu] "C:\Program Files\Common Files\??crosoft\w?nspool.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{3E2E38C4-A22B-45BC-8E9E-9C45636D7907}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{F9E2F1E8-3B41-4219-8D46-026051715E64}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: khfgebb - C:\WINDOWS\system32\khfgebb.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 7186 bytes

-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20070104-171943-552 O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
backup-20070104-171943-773 O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
backup-20071130-172946-479 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>

S0 szkg - c:\windows\system32\drivers\szkg.sys (file missing)
S1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
S1 core - c:\windows\system32\drivers\core.sys
S1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
S2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
S2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
S2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
S2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
S2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
S2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 1.0>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-11-04 and 2007-12-04 -----------------------------

2007-12-04 09:20:36 0 d-------- C:\Documents and Settings\Administrator.KEITH.002\Application Data\Identities
2007-12-04 09:20:36 0 d-------- C:\Documents and Settings\Administrator.KEITH.002\Application Data\AOL
2007-12-04 09:20:34 0 dr------- C:\Documents and Settings\Administrator.KEITH.002\Favorites
2007-12-04 09:20:34 0 d-------- C:\Documents and Settings\Administrator.KEITH.002\Desktop
2007-12-04 09:20:34 0 d---s---- C:\Documents and Settings\Administrator.KEITH.002\Cookies
2007-12-04 09:20:34 0 dr-h----- C:\Documents and Settings\Administrator.KEITH.002\Application Data
2007-12-04 09:20:34 0 d-------- C:\Documents and Settings\Administrator.KEITH.002\Application Data\Sun
2007-12-04 09:20:34 0 d---s---- C:\Documents and Settings\Administrator.KEITH.002\Application Data\Microsoft
2007-12-04 09:20:33 0 dr-h----- C:\Documents and Settings\Administrator.KEITH.002\Recent
2007-12-04 09:20:33 0 d--h----- C:\Documents and Settings\Administrator.KEITH.002\PrintHood
2007-12-04 09:20:33 0 d--h----- C:\Documents and Settings\Administrator.KEITH.002\NetHood
2007-12-04 09:20:33 0 dr------- C:\Documents and Settings\Administrator.KEITH.002\My Documents
2007-12-04 09:20:33 0 d--h----- C:\Documents and Settings\Administrator.KEITH.002\Local Settings
2007-12-04 09:20:32 0 d--h----- C:\Documents and Settings\Administrator.KEITH.002\Templates
2007-12-04 09:20:32 0 dr------- C:\Documents and Settings\Administrator.KEITH.002\Start Menu
2007-12-04 09:20:32 0 dr-h----- C:\Documents and Settings\Administrator.KEITH.002\SendTo
2007-12-04 09:20:31 786432 --ah----- C:\Documents and Settings\Administrator.KEITH.002\NTUSER.DAT
2007-11-30 17:50:24 1384448 --a------ C:\Documents and Settings\Keith Bryant\ntuser.dat
2007-11-30 17:50:15 233472 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-11-30 17:46:57 0 d-------- C:\Program Files\Common Files\?ymantec
2007-11-30 17:46:56 0 d-------- C:\Program Files\Outerinfo
2007-11-30 17:46:55 0 d-------- C:\Program Files\Web Buying
2007-11-30 17:46:41 0 d-------- C:\Program Files\UBNet
2007-11-30 17:15:34 0 d-------- C:\Program Files\AVSystemCare
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Favorites
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Cookies
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Application Data
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Application Data\Microsoft
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Application Data\AOL
2007-11-27 19:29:54 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Templates
2007-11-27 19:29:54 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\My Documents
2007-11-27 19:29:54 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Local Settings
2007-11-27 19:29:53 786432 --ah----- C:\Documents and Settings\Administrator.KEITH.001\NTUSER.DAT
2007-11-27 19:13:07 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Application Data\AOL
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Templates
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\My Documents
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Local Settings
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Favorites
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Cookies
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Application Data
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Application Data\Microsoft
2007-11-27 19:13:05 786432 --ah----- C:\Documents and Settings\Administrator.KEITH.000\NTUSER.DAT
2007-11-22 19:50:59 722 --ahs---- C:\WINDOWS\system32\lkjjl.ini2
2007-11-22 19:50:46 334944 --a------ C:\WINDOWS\system32\ljjkl.dll
2007-11-22 19:47:45 2 --a------ C:\WINDOWS\system32\wnstsisv.exe
2007-11-22 19:47:30 0 d-------- C:\Program Files\Common Files\??crosoft
2007-11-22 19:47:21 60928 --a------ C:\WINDOWS\system32\kuaum.dll
2007-11-22 19:46:57 41723 ---hs---- C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
2007-11-22 19:46:21 7713 --a------ C:\WINDOWS\system32\ldcore.dll
2007-11-22 19:45:50 169147 --a------ C:\WINDOWS\TTC-4444.exe
2007-11-22 19:45:40 36352 --a------ C:\WINDOWS\system32\khfgebb.dll
2007-11-22 19:45:35 171520 --a------ C:\WINDOWS\system32\yqwddea.dll
2007-11-22 19:45:35 80640 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-11-22 19:45:31 0 d-------- C:\WINDOWS\system32\n8
2007-11-22 19:45:31 0 d-------- C:\WINDOWS\system32\i2
2007-11-22 19:45:31 0 d-------- C:\WINDOWS\system32\g2
2007-11-22 19:45:30 0 d-------- C:\WINDOWS\system32\cc1
2007-11-22 19:45:30 0 d-------- C:\WINDOWS\system32\b1
2007-11-22 19:45:28 0 d-------- C:\WINDOWS\system32\rMa02yy
2007-11-22 19:45:28 0 d-------- C:\Temp
2007-11-22 19:45:15 35840 --a------ C:\WINDOWS\winshow.exe <Not Verified; ; winshow>
2007-11-22 12:33:09 0 d-------- C:\Documents and Settings\Keith Bryant\Application Data\Google
2007-11-22 12:22:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-11-22 12:22:40 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2007-11-30 17:53:38 4 --a------ C:\Documents and Settings\Keith Bryant\Application Data\QSWWShare
2007-11-30 17:46:57 0 d-------- C:\Program Files\Common Files\?ymantec
2007-11-30 17:46:56 0 d-------- C:\Program Files\Common Files
2007-11-27 21:41:57 0 d-------- C:\Program Files\Common Files\aolshare
2007-11-27 20:02:26 0 d-------- C:\Program Files\Common Files\??crosoft
2007-11-22 12:22:55 0 d-------- C:\Program Files\Real
2007-10-08 18:03:04 4704 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-08 18:03:04 104 -r-hs---- C:\WINDOWS\system32\9C1B28B946.sys
2007-09-21 14:21:14 146432 ---hs---- C:\Program Files\Common Files\Yazzle1549OinAdmin.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F14F048-0DEB-479E-B53C-9AC552575247}]
11/22/2007 07:50 PM 334944 --a------ C:\WINDOWS\system32\ljjkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
11/22/2007 07:45 PM 36352 --a------ C:\WINDOWS\system32\khfgebb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f8bd87f-3165-4a18-8f89-2f420cf443f2}]
11/22/2007 07:45 PM 171520 --a------ C:\WINDOWS\system32\yqwddea.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E4E817D-B478-4850-80A6-1D860E9D5356}]
08/02/2007 08:43 AM 282624 --a------ C:\Program Files\MSN\qurodum83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B966E5A5-7014-4525-AA5A-B5CE89E7EA13}]
08/02/2007 08:43 AM 282624 --a------ C:\Program Files\MSN\qurodum4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4A6A763-348A-3D5B-DA2D-4DE607835EE5}]
11/01/2007 08:44 AM 60928 --a------ C:\WINDOWS\system32\kuaum.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [01/31/2005 05:35 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/31/2004 10:10 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [09/01/2005 06:24 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 05:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [12/12/2005 11:15 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/12/2005 11:16 AM]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 02:02 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 08:20 PM]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [09/08/2005 08:20 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 05:30 PM]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [08/31/2005 12:06 PM]
"syswin"="C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\v5.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
"winshow"="C:\WINDOWS\winshow.exe" [11/22/2007 07:45 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 07:39 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 10:09 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [11/22/2007 12:22 PM]
"WebBuying"="C:\Program Files\Web Buying\v1.8.6\webbuying.exe" [11/22/2007 07:45 PM]
"Sen"="C:\PROGRA~1\COMMON~1\YMANTE~1\dvdplay.exe" [11/22/2007 07:46 PM]
"Cxdu"="C:\Program Files\Common Files\??crosoft\w?nspool.exe" [11/01/2007 08:45 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [12/12/2005 11:15:07 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [12/12/2005 11:09:18 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/11/2004 12:59:36 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\khfgebb.dll [11/22/2007 07:45 PM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdhfo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgebb]
khfgebb.dll 11/22/2007 07:45 PM 36352 C:\WINDOWS\system32\khfgebb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= c:\windows\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljjkl.dll




-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 2005-search.com # ***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 absolutepics.net # ***Inserted By STOPzilla***
127.0.0.1 ad.yieldmanager.com # ***Inserted By STOPzilla***
127.0.0.1 alex.fileburst.com # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***
127.0.0.1 apps.deskwizz.com # ***Inserted By STOPzilla***

129 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-12-04 14:26:03 ------------
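The two HijackThis logs in this thread are read the same way an analyst reads them by hand: a handful of sections (O2, O4, O17, O20) carry most of the persistence and hijack entries. The script below is an added example, not part of the thread or of the DSS/HijackThis tools; it parses the entry format and flags the patterns visible in the posted log (an autorun in a Temp folder, a path with look-alike characters rendered as `?`, unnamed BHOs, a populated AppInit_DLLs value, a Winlogon Notify DLL, and NameServer values outside an assumed allowlist). The sample lines are copied from the log above; `EXPECTED_NAMESERVERS` is a constructed placeholder.

```python
"""Triage a HijackThis log for the entries a forum analyst checks first.

Added example (not part of the thread, DSS or HijackThis). The sample lines
are copied from the log posted above; the heuristics and the expected-DNS
allowlist are this example's own assumptions, not the tools' logic.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple

# Assumption (constructed): resolvers this machine is supposed to use. In a real
# case take them from the router/ISP; any O17 value outside this set is flagged.
EXPECTED_NAMESERVERS: Set[str] = {"192.168.1.1"}

# Constructed sample: entry lines copied verbatim from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F14F048-0DEB-479E-B53C-9AC552575247} - C:\WINDOWS\system32\ljjkl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\v5.exe
O4 - HKCU\..\Run: [Cxdu] "C:\Program Files\Common Files\??crosoft\w?nspool.exe"
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: khfgebb - C:\WINDOWS\system32\khfgebb.dll
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, original line) for each entry; skip headers and blanks."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def nameservers(body: str) -> Set[str]:
    """Pull the IPs out of an O17 body; HJT separates them with spaces or commas."""
    _, _, value = body.partition("NameServer =")
    return {ip for ip in re.split(r"[ ,]+", value.strip()) if ip}


def triage(log_text: str, expected_dns: Set[str] = EXPECTED_NAMESERVERS) -> List[Finding]:
    """Return the entries worth a closer look, each with the reason it was flagged."""
    findings: List[Finding] = []
    for section, body, line in parse_entries(log_text):
        if section == "O4":
            # '?' cannot appear in a Windows file name, so in a pasted log it marks a
            # non-ASCII character: a look-alike folder such as "??crosoft".
            if "?" in body:
                findings.append(Finding(section, "autorun path contains non-ASCII look-alike characters", line))
            # Installed software is not normally started from a user's Temp directory.
            if re.search(r"\\temp\\", body, re.IGNORECASE):
                findings.append(Finding(section, "autorun launched from a Temp folder", line))
        elif section == "O2" and "(no name)" in body:
            findings.append(Finding(section, "Browser Helper Object with no name", line))
        elif section == "O17":
            unexpected = nameservers(body) - expected_dns
            if unexpected:
                findings.append(Finding(section, "unexpected DNS servers: " + ", ".join(sorted(unexpected)), line))
        elif section == "O20":
            name, _, value = body.partition(":")
            # AppInit_DLLs is loaded into every process that links user32.dll, and a
            # Winlogon Notify DLL runs inside winlogon.exe; both are persistence
            # points that should be verified whenever they are populated.
            if name == "AppInit_DLLs" and value.strip():
                findings.append(Finding(section, "AppInit_DLLs entry loads a DLL into every GUI process", line))
            elif name == "Winlogon Notify":
                findings.append(Finding(section, "Winlogon Notify DLL loaded by winlogon.exe at logon", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full pasted log, the same heuristics also pick up the second Temp-style entry style and the remaining unnamed BHOs; the O23 Dell service and the Acrobat BHO stay unflagged, which is the point of comparing against known-good paths rather than listing everything.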

#4 greggwisniewski

greggwisniewski
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 04 December 2007 - 03:08 PM

I wasn't sure if my HJT was out of date, so I downloaded the new one and ran the utility again. Thanks!

Deckard's System Scanner v20071014.68
Run by Keith Bryant on 2007-12-04 14:58:42
Computer is in Safe Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Keith Bryant.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:46 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\restore\rstrui.exe
C:\Documents and Settings\Keith Bryant\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Keith Bryant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F14F048-0DEB-479E-B53C-9AC552575247} - C:\WINDOWS\system32\ljjkl.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\khfgebb.dll
O2 - BHO: (no name) - {5f8bd87f-3165-4a18-8f89-2f420cf443f2} - C:\WINDOWS\system32\yqwddea.dll
O2 - BHO: (no name) - {7E4E817D-B478-4850-80A6-1D860E9D5356} - C:\Program Files\MSN\qurodum83122.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B966E5A5-7014-4525-AA5A-B5CE89E7EA13} - C:\Program Files\MSN\qurodum4444.dll
O2 - BHO: (no name) - {C4A6A763-348A-3D5B-DA2D-4DE607835EE5} - C:\WINDOWS\system32\kuaum.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [syswin] C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\v5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\YMANTE~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Cxdu] "C:\Program Files\Common Files\??crosoft\w?nspool.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E2E38C4-A22B-45BC-8E9E-9C45636D7907}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9E2F1E8-3B41-4219-8D46-026051715E64}: NameServer = 85.255.115.21,85.255.112.91
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.21 85.255.112.91
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: khfgebb - C:\WINDOWS\SYSTEM32\khfgebb.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6843 bytes

-- Files created between 2007-11-04 and 2007-12-04 -----------------------------

2007-12-04 09:20:36 0 d-------- C:\Documents and Settings\Administrator.KEITH.002\Application Data\Identities
2007-12-04 09:20:36 0 d-------- C:\Documents and Settings\Administrator.KEITH.002\Application Data\AOL
2007-12-04 09:20:34 0 dr------- C:\Documents and Settings\Administrator.KEITH.002\Favorites
2007-12-04 09:20:34 0 d-------- C:\Documents and Settings\Administrator.KEITH.002\Desktop
2007-12-04 09:20:34 0 d---s---- C:\Documents and Settings\Administrator.KEITH.002\Cookies
2007-12-04 09:20:34 0 dr-h----- C:\Documents and Settings\Administrator.KEITH.002\Application Data
2007-12-04 09:20:34 0 d-------- C:\Documents and Settings\Administrator.KEITH.002\Application Data\Sun
2007-12-04 09:20:34 0 d---s---- C:\Documents and Settings\Administrator.KEITH.002\Application Data\Microsoft
2007-12-04 09:20:33 0 dr-h----- C:\Documents and Settings\Administrator.KEITH.002\Recent
2007-12-04 09:20:33 0 d--h----- C:\Documents and Settings\Administrator.KEITH.002\PrintHood
2007-12-04 09:20:33 0 d--h----- C:\Documents and Settings\Administrator.KEITH.002\NetHood
2007-12-04 09:20:33 0 dr------- C:\Documents and Settings\Administrator.KEITH.002\My Documents
2007-12-04 09:20:33 0 d--h----- C:\Documents and Settings\Administrator.KEITH.002\Local Settings
2007-12-04 09:20:32 0 d--h----- C:\Documents and Settings\Administrator.KEITH.002\Templates
2007-12-04 09:20:32 0 dr------- C:\Documents and Settings\Administrator.KEITH.002\Start Menu
2007-12-04 09:20:32 0 dr-h----- C:\Documents and Settings\Administrator.KEITH.002\SendTo
2007-12-04 09:20:31 786432 --ah----- C:\Documents and Settings\Administrator.KEITH.002\NTUSER.DAT
2007-11-30 17:50:24 1572864 --a------ C:\Documents and Settings\Keith Bryant\ntuser.dat
2007-11-30 17:50:15 233472 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-11-30 17:46:57 0 d-------- C:\Program Files\Common Files\?ymantec
2007-11-30 17:46:56 0 d-------- C:\Program Files\Outerinfo
2007-11-30 17:46:55 0 d-------- C:\Program Files\Web Buying
2007-11-30 17:46:41 0 d-------- C:\Program Files\UBNet
2007-11-30 17:15:34 0 d-------- C:\Program Files\AVSystemCare
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Favorites
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Cookies
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Application Data
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Application Data\Microsoft
2007-11-27 19:29:55 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Application Data\AOL
2007-11-27 19:29:54 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Templates
2007-11-27 19:29:54 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\My Documents
2007-11-27 19:29:54 0 d-------- C:\Documents and Settings\Administrator.KEITH.001\Local Settings
2007-11-27 19:29:53 786432 --ah----- C:\Documents and Settings\Administrator.KEITH.001\NTUSER.DAT
2007-11-27 19:13:07 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Application Data\AOL
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Templates
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\My Documents
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Local Settings
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Favorites
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Cookies
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Application Data
2007-11-27 19:13:06 0 d-------- C:\Documents and Settings\Administrator.KEITH.000\Application Data\Microsoft
2007-11-27 19:13:05 786432 --ah----- C:\Documents and Settings\Administrator.KEITH.000\NTUSER.DAT
2007-11-22 19:50:59 722 --ahs---- C:\WINDOWS\system32\lkjjl.ini2
2007-11-22 19:50:46 334944 --a------ C:\WINDOWS\system32\ljjkl.dll
2007-11-22 19:47:45 2 --a------ C:\WINDOWS\system32\wnstsisv.exe
2007-11-22 19:47:30 0 d-------- C:\Program Files\Common Files\??crosoft
2007-11-22 19:47:21 60928 --a------ C:\WINDOWS\system32\kuaum.dll
2007-11-22 19:46:57 41723 ---hs---- C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
2007-11-22 19:46:21 7713 --a------ C:\WINDOWS\system32\ldcore.dll
2007-11-22 19:45:50 169147 --a------ C:\WINDOWS\TTC-4444.exe
2007-11-22 19:45:40 36352 --a------ C:\WINDOWS\system32\khfgebb.dll
2007-11-22 19:45:35 171520 --a------ C:\WINDOWS\system32\yqwddea.dll
2007-11-22 19:45:35 80640 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-11-22 19:45:31 0 d-------- C:\WINDOWS\system32\n8
2007-11-22 19:45:31 0 d-------- C:\WINDOWS\system32\i2
2007-11-22 19:45:31 0 d-------- C:\WINDOWS\system32\g2
2007-11-22 19:45:30 0 d-------- C:\WINDOWS\system32\cc1
2007-11-22 19:45:30 0 d-------- C:\WINDOWS\system32\b1
2007-11-22 19:45:28 0 d-------- C:\WINDOWS\system32\rMa02yy
2007-11-22 19:45:28 0 d-------- C:\Temp
2007-11-22 19:45:15 35840 --a------ C:\WINDOWS\winshow.exe <Not Verified; ; winshow>
2007-11-22 12:33:09 0 d-------- C:\Documents and Settings\Keith Bryant\Application Data\Google
2007-11-22 12:22:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-11-22 12:22:40 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2007-11-30 17:53:38 4 --a------ C:\Documents and Settings\Keith Bryant\Application Data\QSWWShare
2007-11-30 17:46:57 0 d-------- C:\Program Files\Common Files\?ymantec
2007-11-30 17:46:56 0 d-------- C:\Program Files\Common Files
2007-11-27 21:41:57 0 d-------- C:\Program Files\Common Files\aolshare
2007-11-27 20:02:26 0 d-------- C:\Program Files\Common Files\??crosoft
2007-11-22 12:22:55 0 d-------- C:\Program Files\Real
2007-10-08 18:03:04 4704 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-08 18:03:04 104 -r-hs---- C:\WINDOWS\system32\9C1B28B946.sys
2007-09-21 14:21:14 146432 ---hs---- C:\Program Files\Common Files\Yazzle1549OinAdmin.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F14F048-0DEB-479E-B53C-9AC552575247}]
11/22/2007 07:50 PM 334944 --a------ C:\WINDOWS\system32\ljjkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
11/22/2007 07:45 PM 36352 --a------ C:\WINDOWS\system32\khfgebb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f8bd87f-3165-4a18-8f89-2f420cf443f2}]
11/22/2007 07:45 PM 171520 --a------ C:\WINDOWS\system32\yqwddea.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E4E817D-B478-4850-80A6-1D860E9D5356}]
08/02/2007 08:43 AM 282624 --a------ C:\Program Files\MSN\qurodum83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B966E5A5-7014-4525-AA5A-B5CE89E7EA13}]
08/02/2007 08:43 AM 282624 --a------ C:\Program Files\MSN\qurodum4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4A6A763-348A-3D5B-DA2D-4DE607835EE5}]
11/01/2007 08:44 AM 60928 --a------ C:\WINDOWS\system32\kuaum.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [01/31/2005 05:35 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/31/2004 10:10 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [09/01/2005 06:24 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 05:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [12/12/2005 11:15 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/12/2005 11:16 AM]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 02:02 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 08:20 PM]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [09/08/2005 08:20 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 05:30 PM]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [08/31/2005 12:06 PM]
"syswin"="C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\v5.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
"winshow"="C:\WINDOWS\winshow.exe" [11/22/2007 07:45 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 07:39 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 10:09 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [11/22/2007 12:22 PM]
"WebBuying"="C:\Program Files\Web Buying\v1.8.6\webbuying.exe" [11/22/2007 07:45 PM]
"Sen"="C:\PROGRA~1\COMMON~1\YMANTE~1\dvdplay.exe" [11/22/2007 07:46 PM]
"Cxdu"="C:\Program Files\Common Files\??crosoft\w?nspool.exe" [11/01/2007 08:45 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [12/12/2005 11:15:07 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [12/12/2005 11:09:18 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/11/2004 12:59:36 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\khfgebb.dll [11/22/2007 07:45 PM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdhfo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgebb]
khfgebb.dll 11/22/2007 07:45 PM 36352 C:\WINDOWS\system32\khfgebb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= c:\windows\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljjkl.dll




-- End of Deckard's System Scanner: finished at 2007-12-04 14:59:56 ------------

Edited by greggwisniewski, 04 December 2007 - 03:09 PM.


#5 TheBruce1

Posted 07 December 2007 - 02:26 PM

Hello again Keith

Sorry for the delay in replying to your log.

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean you are clean.

==========================================

Download ComboFix from Here or here

**Save it to your desktop.** Do not run it just yet; we will shortly.

=======================================

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new HijackThis log in the forum, please.

=========================================



Go to Start → Run → paste in the single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

==========================================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=========================================

You forgot to post the extra.txt from Deckard's System Scanner; extra.txt can be found at:

C:\Deckard\System Scanner\extra.txt

===========================================
Logs Required
report.txt
C:\Combofix.txt
Hijackthis log
C:\Deckard\System Scanner\extra.txt

Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT-Phorm spyware is to go live before the end of 2009; for more information please visit the No DPI website.


Phorm, previously known as 121Media, was responsible for the Apropos rootkit; see here for more information on said rootkit.

#6 greggwisniewski

Posted 07 December 2007 - 06:01 PM

Hi,
I was able to get all the new logs, but when I run Deckard's I do not get the extra log, and it is also not in the directory... Also keep in mind that I can only boot this laptop in safe mode, so maybe that has something to do with it. Thanks, Gregg

ComboFix 07-12-07.3 - Keith Bryant 2007-12-07 17:40:12.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.403 [GMT -5:00]
Running from: C:\Documents and Settings\Keith Bryant\desktop\combofix.exe
Command switches used :: /killall
.

((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.

2007-12-07 17:08 . 2007-12-07 17:08 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-12-07 17:08 . 2007-12-07 17:08 31,488 --a------ C:\WINDOWS\system32\ace16win.dll
2007-12-07 17:08 . 2007-12-07 17:08 10,496 --a------ C:\WINDOWS\aconti.ini
2007-12-07 17:08 . 2007-12-07 17:08 8,448 --a------ C:\WINDOWS\aconti.sdb
2007-12-07 17:08 . 2007-12-07 17:15 1,681 --a------ C:\WINDOWS\default.htm
2007-12-07 17:07 . 2007-12-07 17:07 23,296 --a------ C:\WINDOWS\absolute key logger.lnk
2007-12-07 17:04 . 2007-12-07 17:04 108,551 --a------ C:\WINDOWS\system32\lpcywinp.exe
2007-12-07 17:04 . 2007-12-07 17:04 21,504 --a------ C:\WINDOWS\system32\egmulhxk.dll
2007-12-07 17:04 . 2007-12-07 17:04 14 --a------ C:\WINDOWS\system32\din.ip
2007-12-07 17:04 . 2007-12-07 17:04 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-04 15:05 . 2007-12-04 15:05 <DIR> d-------- C:\Documents and Settings\Keith Bryant\Application Data\Sonic
2007-12-04 15:04 . 2007-12-04 15:04 <DIR> d-------- C:\Documents and Settings\Keith Bryant\Application Data\Leadertech
2007-12-04 14:20 . 2007-12-04 14:20 <DIR> d-------- C:\Deckard
2007-12-04 09:20 . 2005-12-12 11:30 <DIR> d-------- C:\Documents and Settings\Administrator.KEITH.002\Application Data\AOL
2007-11-30 17:46 . 2007-11-30 17:46 <DIR> d-------- C:\Program Files\UBNet
2007-11-30 17:30 . 2006-12-16 21:10 212,849 --a------ C:\Program Files\HijackThis.zip
2007-11-27 19:29 . 2005-12-12 11:30 <DIR> d-------- C:\Documents and Settings\Administrator.KEITH.001\Application Data\AOL
2007-11-27 19:13 . 2005-12-12 11:30 <DIR> d-------- C:\Documents and Settings\Administrator.KEITH.000\Application Data\AOL
2007-11-22 19:45 . 2007-11-27 19:16 <DIR> d-------- C:\WINDOWS\system32\cc1
2007-11-22 19:45 . 2007-12-07 17:27 <DIR> d-------- C:\Temp
2007-11-22 12:22 . 2007-11-30 17:43 <DIR> d-------- C:\Program Files\Google
2007-11-16 12:20 . 2007-11-16 12:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
2007-11-10 01:48 . 2007-11-10 01:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-10 01:48 . 2007-11-10 01:48 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 22:25 --------- d-----w C:\Program Files\DownloadManager
2007-11-28 02:41 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-22 17:22 --------- d-----w C:\Program Files\Real
2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
2006-07-02 02:35 49,498 ----a-w C:\Program Files\popcorn Terms.html
2006-02-23 06:46 26,958 ----a-w C:\Program Files\MovieLand Terms.html
.

((((((((((((((((((((((((((((( snapshot@2007-12-07_17.32.13.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-30 23:02:17 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-07 22:32:12 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-30 23:02:18 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-07 22:32:12 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E78B911A-6F68-4B84-8C19-EC417C9590E2}]
2007-12-07 17:04 21504 --a------ C:\WINDOWS\system32\egmulhxk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-22 12:22]
"Sen"="C:\PROGRA~1\COMMON~1\YMANTE~1\dvdplay.exe" []
"Cxdu"="C:\Program Files\Common Files\??crosoft\w?nspool.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 17:35]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 22:10]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 18:24]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-12 11:15]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-12 11:16]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-09-08 20:20]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:30]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 12:06]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 12:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-12-12 11:15:07]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-12 11:09:18]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]

S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 17:43:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-07 17:45:38 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-07 17:33
.
--- E O F ---


Username "Keith Bryant" - 12/07/2007 17:35:54 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
C:\Casino Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSPM Startup"="\"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mm_tray.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe\""
"io43mvuiw4kj"="C:\\WINDOWS\\io43mvuiw4kj.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Sen"="\"C:\\PROGRA~1\\COMMON~1\\YMANTE~1\\dvdplay.exe\" -vt yazb"
"Cxdu"="\"C:\\Program Files\\Common Files\\??crosoft\\w?nspool.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:23 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - C:\WINDOWS\system32\egmulhxk.dll
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\YMANTE~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Cxdu] "C:\Program Files\Common Files\??crosoft\w?nspool.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8571 bytes

Edited by greggwisniewski, 07 December 2007 - 06:04 PM.


#7 TheBruce1

TheBruce1

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 08 December 2007 - 02:01 PM

Hi Gregg

You have at least two backdoor trojans on this system, please get to a non-infected machine and change all passwords. Similarly, if this machine has been used for any banking, please inform your bank, credit card company... and let them know the situation.
http://www.dslreports.com/faq/10451

Whilst we could clean this system, the presence of backdoor trojans will leave you prone to reinfection; we have no way of knowing what changes have been made to your system as we can only deal with what we see. With that in mind you may wish to consider formatting and giving the PC a clean state. Please let me know if you wish to carry on or if you are going to format.

If carrying on, can you tell me why you cannot boot into normal mode?
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT-Phorm Spyware to go live before the end of 2009- for more information please visit No DPI website for more information.


Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit.
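
The helper does not name the entries, but the O4 (autostart) section of the HijackThis log posted earlier in this thread contains three that stand out: an executable with a random-looking name dropped straight into C:\WINDOWS, a path whose 8.3 short name YMANTE~1 cannot be the real short name of a Symantec directory, and a path where HijackThis printed '?' in place of characters it could not render ("??crosoft"), which is how a look-alike of the Microsoft directory shows up in these logs. The script below is an added example, not code from this thread or from HijackThis: it parses O4 lines in the format HijackThis prints and applies those three heuristics to the lines copied from the log. The KNOWN_DIRS list and the thresholds inside looks_random are assumptions chosen for this example, and the sample input is constructed from the posted log.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example, not code from the thread or from HijackThis. KNOWN_DIRS and
the thresholds in looks_random() are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: O4 lines copied from the log posted in this thread,
# including the unresolved "Digital Line Detect" shortcut to show that case.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\YMANTE~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Cxdu] "C:\Program Files\Common Files\??crosoft\w?nspool.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
"""

# Long names of directories that malware likes to imitate, written the way an
# 8.3 short name is derived from them (spaces removed, upper case). Assumed list.
KNOWN_DIRS = ("SYMANTEC", "MICROSOFT", "WINDOWS", "PROGRAMFILES", "COMMONFILES",
              "TRENDMICRO", "GOOGLE", "ADOBE", "DELL", "INTUIT")

REG_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_O4 = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs))"?(?P<args>.*)$', re.IGNORECASE)
SHORT_RE = re.compile(r'^([A-Z0-9]{1,6})~\d+$', re.IGNORECASE)


@dataclass
class Entry:
    hive: str            # HKLM, HKCU, Global Startup, ...
    name: str            # registry value name or .lnk file name
    path: Optional[str]  # executable path, None when HijackThis printed "?"
    args: str


def parse_o4(line: str) -> Optional[Entry]:
    """Parse one O4 line; returns None for anything that is not an O4 entry."""
    m = REG_O4.match(line) or STARTUP_O4.match(line)
    if not m:
        return None
    e = EXE_RE.match(m.group("cmd").strip())
    if e is None:
        return Entry(m.group("hive"), m.group("name"), None, "")
    return Entry(m.group("hive"), m.group("name"), e.group("path"), e.group("args").strip())


def unprintable_components(path: str) -> List[str]:
    # '?' cannot appear in a Windows file name, so when HijackThis prints one it
    # stands for a character it could not render (typically a non-Latin
    # look-alike letter); "??crosoft" is a directory posing as "Microsoft".
    return [c for c in path.split("\\") if "?" in c]


def looks_random(stem: str) -> bool:
    """Letters and digits interleaved, or almost no vowels, in a name of 8+ chars."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 8 or not letters:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    kinds = [c.isdigit() for c in stem if c.isalnum()]
    switches = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)  # letter<->digit
    return switches >= 2 or vowel_ratio < 0.2


def in_windows_root(path: str) -> bool:
    """True for a file sitting directly in C:\\WINDOWS (not a subdirectory)."""
    parts = path.upper().split("\\")
    return len(parts) == 3 and parts[1] in ("WINDOWS", "WINNT")


def lookalike_short_names(path: str) -> List[Tuple[str, str]]:
    """8.3 components whose prefix occurs inside a known name but not at its start.

    A genuine short name begins with the long name's first characters
    (Symantec -> SYMANT~1); YMANTE~1 can only come from a directory whose
    long name starts with "ymante", i.e. a look-alike with the S dropped.
    """
    hits = []
    for comp in path.split("\\"):
        m = SHORT_RE.match(comp)
        if not m:
            continue
        prefix = m.group(1).upper()
        if any(k.startswith(prefix) for k in KNOWN_DIRS):
            continue
        hits.extend((comp, k) for k in KNOWN_DIRS if prefix in k)
    return hits


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious O4 entry name to the reasons it was flagged."""
    suspicious: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_o4(line.strip())
        if entry is None or entry.path is None:
            continue  # not an O4 line, or no target to inspect
        reasons = []
        bad = unprintable_components(entry.path)
        if bad:
            reasons.append("unprintable character in path component(s) %s" % bad)
        stem = entry.path.split("\\")[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random-looking executable name %r" % stem)
        if in_windows_root(entry.path):
            reasons.append("executable dropped directly in the Windows directory")
        for comp, vendor in lookalike_short_names(entry.path):
            reasons.append("8.3 name %s imitates %s but is not its real short name" % (comp, vendor))
        if reasons:
            suspicious[entry.name] = reasons
    return suspicious


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print("[%s]" % name)
        for r in reasons:
            print("   -", r)
```

Run against the sample, triage() flags exactly [io43mvuiw4kj], [Sen] and [Cxdu] and leaves the Dell, Java, Messenger and QuickBooks entries alone; the unresolved shortcut (target printed as "?") is parsed but skipped, since there is no path to inspect. These are heuristics for ordering a manual review, not a verdict: a name that passes them can still be malicious, which is the point the helper makes about only being able to deal with what is visible.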

#8 greggwisniewski

greggwisniewski
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 08 December 2007 - 05:11 PM

Thank you for the response. The reason why I cannot boot into normal mode is that no icons or Start button come up. They only come up in safe mode.

I have never done a format, what would be involved in that?

thanks!!
Gregg

#9 TheBruce1

TheBruce1

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 09 December 2007 - 08:35 AM

Hello again Gregg

If you do not know how to format, it may be best if you have a family member or friend who does know do it for you; you can also take it to a PC repair shop who can do it for you too.
http://www.windowsxphome.windowsreinstall....tallxpcdoldhdd/

Video Tutorial:


As for the blank desktop, this can be caused by an infection you have onboard, missing or corrupt files, or using tools such as SmitFraudFix incorrectly.

Try this: boot into normal mode and then right click on the desktop > a list of options should appear > select Properties.

*Now click on the Desktop tab
*Select the desktop image you want to save
*Click Apply
*Reboot. What happens?

Let me know what you want to do.

Edited by TheBruce1, 09 December 2007 - 08:36 AM.


#10 greggwisniewski

greggwisniewski
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 12 December 2007 - 01:49 PM

I think I am going the route of reformat. I purchased a copy of Windows XP Home and from what I understand if I boot to the CD it will give the option of reformatting. Thanks!!

#11 TheBruce1

TheBruce1

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 12 December 2007 - 07:06 PM

Hi Gregg

Yes, that would be correct. If you have any further questions please post in our Windows XP Home & Pro forum, as this forum deals with malware removal.

Best of luck.
