
Internet Problems


6 replies to this topic

#1 lorilee86


  • Members
  • 21 posts
  • Gender:Female

Posted 04 December 2007 - 06:20 PM

I managed to copy my hijackthis log to another drive and upload it on another computer. Here is my log. I am having terrible problems with my internet explorer. I can't go to certain web pages and then when I attempt to search for a certain site, another site appears (some search program). Basically I am being redirected to other sites.

PLEASE HELP

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:35 PM, on 12/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\yomicyuq.exe
C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MegaPanel] D:\Neilson\HSTrans.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [MagicSpeed] C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe /autorun
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WatchDog] D:\Program Files\WatchDog.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00000faf] rundll32.exe "C:\WINDOWS\System32\hkgetvtl.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000049.000000b9
O4 - S-1-5-18 Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\mpdsrngk.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\mpdsrngk.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\mpdsrngk.exe
O4 - Global Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Auto Detect.lnk = C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYUS
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54D53429-945C-4188-B460-C81356541882} - http://photosmart.hpphoto.com/Download/HPe...sLocalPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139615115578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140842192148
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.kw.com/websiteTemplateAdmin/inc...geUploader4.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\yomicyuq.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 8329 bytes



#2 Papakid


    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • Gender:Male

Posted 10 December 2007 - 11:16 PM

Hi lorilee86,

Apologies for the long delay. Before we get started I have one question for you. Your log shows you have no service packs installed. Is that intentional, or have you had SP1 or SP2 installed earlier, or are they missing for some other reason?

If you have not ever patched your operating system then your best option at this point would be to reformat and then reinstall Windows. I can try and help you get cleaned up, but dealing with today's infections on a system that has never been patched is an exercise in futility--we may be able to get most of it, but trying to fix all the collateral damage is like beating your head against a wall. Also the tools we use work best with service packs.

It will take more time for us to try to fix this than it will for you to reformat. Let me know your decision. If you reformat, then there is no need to try malware removal.

The thing about people

is they change

when they walk away.--Mipso
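The service-pack question above is read straight off the `Platform:` line of the HijackThis log, and the rest of a first pass over such a log is equally mechanical: look at the section codes that widen the attack surface (O15 Trusted Zone, O20 AppInit_DLLs), at registrations whose file is already gone, and at autostarts or services that point to binaries with generated-looking names in System32. The following Python script is an added example written for this thread; it is not a BleepingComputer or Trend Micro tool and HijackThis itself has no such scripting interface. It parses the v2 log format posted above, reports the service pack, and applies those checks. The eight-letter-name heuristic, the small allowlist of stock XP binaries, and the `SAMPLE_LOG` (built from lines in the first log in this thread, with most entries omitted) are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a subset of the lines from the log posted above, in HijackThis v2 format.
SAMPLE_LOG = r"""
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\yomicyuq.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [00000faf] rundll32.exe "C:\WINDOWS\System32\hkgetvtl.dll",b
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\mpdsrngk.exe
O15 - Trusted Zone: *.trustedantivirus.com
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: crypta - cryptsa.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\yomicyuq.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - <body>"
SP_RE = re.compile(r"\bSP(\d)\b")                       # "Windows XP SP1 (...)"
# An .exe/.dll sitting directly in System32 (a subfolder such as System32\spool does not match).
SYS32_BIN_RE = re.compile(r"[a-z]:\\windows\\system32\\([a-z0-9_]+\.(?:exe|dll))", re.I)
# Heuristic (assumption for this example): eight lower-case letters, the shape of the generated names above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")
SERVICE_RE = re.compile(r"^Service:\s*(?P<name>.+?)\s+-\s*(?P<vendor>.*?)\s*-\s+(?P<path>[A-Za-z]:\\.+)$")
# Stock XP binaries that happen to be eight letters; a real tool would verify signatures or hashes instead.
KNOWN_SYSTEM32 = {"winlogon.exe", "services.exe"}


@dataclass
class Finding:
    section: str  # HijackThis section code, or "PROC" for a running process
    reason: str
    line: str


@dataclass
class HjtLog:
    platform: str = ""
    service_pack: Optional[str] = None
    processes: List[str] = field(default_factory=list)
    entries: List[Tuple[str, str, str]] = field(default_factory=list)  # (section, body, raw line)


def parse_platform(platform: str) -> Optional[str]:
    """'Windows XP SP1 (WinNT 5.01.2600)' -> 'SP1'; None when the log reports no service pack."""
    m = SP_RE.search(platform)
    return f"SP{m.group(1)}" if m else None


def looks_random(name: str) -> bool:
    name = name.lower()
    return bool(RANDOM_NAME_RE.match(name)) and name not in KNOWN_SYSTEM32


def parse_log(text: str) -> HjtLog:
    log, in_processes = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
        elif line.startswith("Platform:"):
            log.platform = line.split(":", 1)[1].strip()
            log.service_pack = parse_platform(log.platform)
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.append((m.group(1), m.group(2), line))
    return log


def triage(log: HjtLog) -> List[Finding]:
    """Flag the entries a responder reads first; everything else is left for manual review."""
    out: List[Finding] = []
    for proc in log.processes:
        for name in SYS32_BIN_RE.findall(proc):
            if looks_random(name):
                out.append(Finding("PROC", f"running process with a generated-looking name in System32: {name}", proc))
    for section, body, raw in log.entries:
        if section == "O15":
            out.append(Finding(section, "site added to the IE Trusted Zone, which relaxes browser restrictions for it", raw))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            out.append(Finding(section, "AppInit_DLLs entry: the DLL is loaded into every process that uses user32.dll", raw))
        elif "(file missing)" in body:
            out.append(Finding(section, "registration whose file is gone; typical leftover of a partial removal", raw))
        elif section == "O23":
            m = SERVICE_RE.match(body)
            names = SYS32_BIN_RE.findall(m.group("path")) if m else []
            if m and m.group("vendor") in ("", "Unknown owner") and names and looks_random(names[0]):
                out.append(Finding(section, f"service with no vendor string running {names[0]} from System32", raw))
        else:
            for name in SYS32_BIN_RE.findall(body):
                if looks_random(name):
                    out.append(Finding(section, f"autostart points at a generated-looking System32 binary: {name}", raw))
    return out


if __name__ == "__main__":
    hjt = parse_log(SAMPLE_LOG)
    print("service pack:", hjt.service_pack or "none reported")
    for f in triage(hjt):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against `SAMPLE_LOG` the script reports no service pack and seven findings: the `yomicyuq.exe` process and its vendor-less service, the two O4 autostarts pointing at `hkgetvtl.dll` and `mpdsrngk.exe`, the Trusted Zone entry, the AppInit_DLLs entry and the orphaned Winlogon Notify key. The avast! entries, the Canon service (a known vendor path outside System32, even though its owner is "Unknown") and `hphmon03.exe` (digits in the name) are not flagged, which is the point of pairing the name heuristic with the path and vendor checks rather than using it alone.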


#3 lorilee86

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Female

Posted 16 December 2007 - 07:59 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:57 PM, on 12/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {4EDC706D-932F-49F5-B00A-40C07A5660DA} - C:\Program Files\Windows Media Player\pobehujo83122.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9A35D164-6F44-437D-BF71-64E6D5097193} - c:\windows\system32\olecli32n.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {F55B087B-FCB7-48D1-94E4-6447AD3359B3} - C:\Program Files\Windows Media Player\pobehujo4444.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MegaPanel] D:\Neilson\HSTrans.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [MagicSpeed] C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe /autorun
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WatchDog] D:\Program Files\WatchDog.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00000faf] rundll32.exe "C:\WINDOWS\System32\lweisvlb.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000049.000000b9
O4 - S-1-5-18 Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\mpdsrngk.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\mpdsrngk.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\mpdsrngk.exe
O4 - Global Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Canon MultiPASS Status Monitor.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Auto Detect.lnk = C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYUS
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54D53429-945C-4188-B460-C81356541882} - http://photosmart.hpphoto.com/Download/HPe...sLocalPrint.CAB
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139615115578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140842192148
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.kw.com/websiteTemplateAdmin/inc...geUploader4.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: crypta - cryptsa.dll (file missing)
O20 - Winlogon Notify: fmwgjvtx - C:\WINDOWS\SYSTEM32\olecli32n.dll
O20 - Winlogon Notify: jkkkijg - jkkkijg.dll (file missing)
O20 - Winlogon Notify: ljjkihf - ljjkihf.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MPService - Unknown owner - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 10175 bytes

Attached Files



#4 Papakid


    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • Gender:Male

Posted 16 December 2007 - 11:32 PM

Hi lorilee86,

I've merged your new topic together with this original one--please stick to one topic by using the Add Reply button--otherwise it just causes confusion and you will get help quicker in one topic about the same issue. When you start a new topic you are basically putting yourself at the end of the line to wait for an answer again.

Please follow the instructions for tracking your topic that Quietman7 gave you here: http://www.bleepingcomputer.com/forums/ind...st&p=678203

You didn't really answer my question though. Since you have installed SP1 now I'm going to assume the operating system was never patched. I still believe your best option is to start over fresh but we will see what we can do as far as getting you cleaned up. The first thing you should do is back up all your important data. There has always been some risk involved in malware removal, but lately that risk has gotten greater so that if something does go wrong and you have to reformat anyway, I don't want you to lose what's important to you.

Print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.


Please download Combofix to your desktop.

Double-click ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply.

Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.



#5 lorilee86

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Female

Posted 24 December 2007 - 10:17 AM

I ran the two files you sent me. Here are the new saved logs. Am I to wait for your response or assume all is fixed?

Attached Files



#6 Papakid


    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • Gender:Male

Posted 29 December 2007 - 01:13 PM

Apologies for the delay--holidays and all.

No, there is much more to do to get you completely clean. As badly infected as your system is, it is unlikely that we will ever find all of it and repair all the damage. Even more so if you have never patched Windows--what I mean by starting fresh is that there is no magic bullet--the closest thing to it is to reformat your hard drive and then reinstall Windows--start fresh. That is why I keep asking about patches. In your PM to me (and I don't do any tech support via PM--ask your questions in this thread) you said you thought SP1 was already installed. That is beside the point. If you had been visiting the windows update site or had automatic updates turned on, you not only would have SP1 already, but SP2 as well.

This is important because with an unpatched system, you are going to get reinfected and what you have may never be cleared. So it would be a waste of your time and mine to try. I suspect that the reason you had no patches is because you may be running an illegal copy of XP. If that is the case then all I can tell you is if you want to stay infection free you should invest in a legal copy. Just a word to the wise.

If it's not the case, then we need to get you updated to SP2 as soon as we get you cleaned up more, since SP2 can be problematical when installed on an infected system. And then all the patches that have come after SP2. Personally I would go for a reformat.

I also need for you to read my instructions carefully and follow them exactly. If there is something you don't understand, by all means ask for clarification--in this thread. For example, I asked you to post the logs, not attach them. Attachments are more difficult to deal with. So I am going to post your logs below. I have to go on my lunch break and have some other issues to deal with so won't be able to give further instructions just yet. I will get to them as soon as I can.


SDFix: Version 1.119

Run by Lori DeSilva on Fri 12/21/2007 at 11:19 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
NtmlSvc

Path:
%SystemRoot%\System32\svchost.exe -k netsvcs

NtmlSvc - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\FAC46819.EXE - Deleted
C:\WINDOWS\SYSTEM32\AB60.T - Deleted
C:\WINDOWS\SYSTEM32\AA60.T - Deleted
C:\50.TMP - Deleted
C:\3840 - Deleted
C:\PROGRA~1\NETMEE~1\SAMU - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\abW9\tPho.log - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\Documents and Settings\Lori DeSilva\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\System32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\System32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\advvpi32.dll - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\Temp\$b17a2e8.tmp - Deleted



Folder C:\Program Files\Insider - Removed
Folder C:\Program Files\WinAble - Removed
Folder C:\Temp\abW9 - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\fse - Removed
Folder C:\WINDOWS\system32\f1 - Removed
Folder C:\WINDOWS\system32\h2 - Removed
Folder C:\WINDOWS\system32\r2 - Removed
Folder C:\WINDOWS\system32\rMa01yy - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 23:59:40
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\juekcfmf.exe"="C:\\WINDOWS\\System32\\jue"
"C:\\WINDOWS\\System32\\xdbgqpxx.exe"="C:\\WINDOWS\\System32\\xdb"
"C:\\WINDOWS\\System32\\llgfigrm.exe"="C:\\WINDOWS\\System32\\llg"
"C:\\WINDOWS\\System32\\ywtlscxt.exe"="C:\\WINDOWS\\System32\\ywt"
"C:\\WINDOWS\\System32\\weneftsf.exe"="C:\\WINDOWS\\System32\\wen"
"C:\\WINDOWS\\System32\\yomicyuq.exe"="C:\\WINDOWS\\System32\\yom"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 16 Jan 2006 1,680 ..SHR --- "C:\MSDOS.BAK"
Thu 9 Nov 2006 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Thu 22 Nov 2007 441,851 ..SH. --- "C:\WINDOWS\SYSTEM32\gfefe.tmp"
Wed 5 Dec 2007 794,143 ..SH. --- "C:\WINDOWS\SYSTEM32\iapxedjk.tmp"
Wed 5 Dec 2007 794,143 ..SH. --- "C:\WINDOWS\SYSTEM32\iapxedjk.tmp2"
Wed 12 Dec 2007 439,992 ..SH. --- "C:\WINDOWS\SYSTEM32\gfefe.bak1"
Wed 12 Dec 2007 440,317 ..SH. --- "C:\WINDOWS\SYSTEM32\gfefe.bak2"
Wed 3 Jan 2007 146,432 ..SHR --- "C:\Program Files\iConcepts Music Express\Setup.exe"
Wed 13 Sep 2006 4,348 ..SH. --- "C:\WINDOWS\All Users\DRM\DRMv1.bak"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sun 19 Feb 2006 5,390,336 ...H. --- "C:\Documents and Settings\Lori DeSilva\My Documents\Debra\~WRL0003.tmp"
Wed 16 Aug 2006 32,768 ...H. --- "C:\Documents and Settings\Lori DeSilva\My Documents\Miscellaneous\~WRL0003.tmp"
Sun 28 Oct 2007 22,528 ...H. --- "C:\Documents and Settings\Lori DeSilva\My Documents\Beverley Job Search\~WRL3410.tmp"
Sun 28 Oct 2007 29,696 ...H. --- "C:\Documents and Settings\Lori DeSilva\My Documents\Beverley Job Search\~WRL0468.tmp"
Sat 24 Feb 2007 22,016 ...H. --- "C:\Documents and Settings\Lori DeSilva\My Documents\City Wide\Web Site\~WRL0034.tmp"
Wed 26 Sep 2007 24,064 ...H. --- "C:\Documents and Settings\Lori DeSilva\Application Data\Microsoft\Word\~WRL0858.tmp"
Wed 26 Sep 2007 27,136 ...H. --- "C:\Documents and Settings\Lori DeSilva\Application Data\Microsoft\Word\~WRL3622.tmp"
Wed 26 Sep 2007 27,648 ...H. --- "C:\Documents and Settings\Lori DeSilva\Application Data\Microsoft\Word\~WRL1568.tmp"
Sat 13 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\Lori DeSilva\Application Data\Microsoft\Word\~WRL0003.tmp"
Sun 28 Oct 2007 27,648 ...H. --- "C:\Documents and Settings\Lori DeSilva\Application Data\Microsoft\Word\~WRL3111.tmp"
Wed 26 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\Lori DeSilva\My Documents\Travis\KMHS\Health\~WRL1611.tmp"
Wed 26 Sep 2007 23,552 ...H. --- "C:\Documents and Settings\Lori DeSilva\My Documents\Travis\KMHS\Health\~WRL1977.tmp"
Wed 26 Sep 2007 29,696 ...H. --- "C:\Documents and Settings\Lori DeSilva\My Documents\Travis\KMHS\Health\~WRL1301.tmp"

Finished!


ComboFix 07-12-21.4 - Lori DeSilva 2007-12-22 14:37:12.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.74 [GMT -5:00]
Running from: C:\Documents and Settings\Lori DeSilva\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\LocalService\Application Data\.rdr.ini
C:\Documents and Settings\LocalService\Application Data\install.dat
C:\Documents and Settings\Lori DeSilva\Local Settings\Application Data.\n.ini
C:\Documents and Settings\Lori DeSilva\Local Settings\Application Data\n.ini
C:\Documents and Settings\NetworkService\Application Data\.rdr.ini
C:\Documents and Settings\NetworkService\Application Data\Install.dat
C:\Program Files\myglobalsearch
C:\WINDOWS\cookies.ini
C:\WINDOWS\start.exe
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\hokmbodb.dat
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\olecli32n.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_HQIIHTYC
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_TEDDOJOL
-------\hqiihtyc
-------\teddojol


((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-21 23:18 . 2007-12-21 23:18 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-18 23:00 . 2007-12-18 23:00 <DIR> d--h----- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2007-12-17 20:18 . 2005-10-20 17:33 991,232 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2007-12-16 20:28 . 2007-12-16 20:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-16 13:56 . 2007-12-16 13:56 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-12-16 13:56 . 2007-12-16 13:56 <DIR> d-------- C:\WINDOWS\ehome
2007-12-16 13:49 . 2002-08-29 05:41 3,494,303 --------- C:\WINDOWS\SYSTEM32\nv4_disp.dll
2007-12-16 13:47 . 2002-08-29 05:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2007-12-16 13:46 . 2002-08-29 05:41 578,560 --a------ C:\WINDOWS\SYSTEM32\appwiz.cpl
2007-12-16 13:03 . 2001-08-23 12:00 116,736 --a------ C:\WINDOWS\SYSTEM32\dpcdll.dll.wga
2007-12-16 13:03 . 2001-08-23 12:00 27,136 --a------ C:\WINDOWS\SYSTEM32\pidgen.dll.wga
2007-12-16 13:03 . 2007-12-16 13:03 12,922 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-12-15 12:12 . 2007-12-15 12:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-15 12:12 . 2007-12-15 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-14 21:46 . 2007-12-14 21:46 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-14 06:55 . 2007-12-14 06:55 1,022,464 --a------ C:\WINDOWS\WBDEL44I.DLL
2007-12-14 06:55 . 2007-12-14 06:55 53,317 --a------ C:\WINDOWS\WWIPG34I.DLL
2007-12-13 07:13 . 2007-12-13 07:13 <DIR> d--hs---- C:\FOUND.021
2007-12-12 07:53 . 2007-12-12 17:21 440,636 ---hs---- C:\WINDOWS\SYSTEM32\gfefe.ini2
2007-12-12 07:35 . 2007-12-12 07:36 918,516 ---hs---- C:\WINDOWS\SYSTEM32\blvsiewl.ini
2007-12-11 22:35 . 2007-12-12 07:30 913,022 ---hs---- C:\WINDOWS\SYSTEM32\vbcvrvsv.ini
2007-12-05 18:19 . 2007-12-05 18:19 <DIR> d--hs---- C:\FOUND.020
2007-12-05 08:05 . 2007-12-05 08:06 794,143 ---hs---- C:\WINDOWS\SYSTEM32\iapxedjk.tmp2
2007-12-05 08:05 . 2007-12-05 08:06 794,143 ---hs---- C:\WINDOWS\SYSTEM32\iapxedjk.tmp
2007-12-03 13:15 . 2007-12-04 07:53 794,529 ---hs---- C:\WINDOWS\SYSTEM32\objxjmcj.ini
2007-12-03 07:54 . 2007-12-03 13:09 792,501 ---hs---- C:\WINDOWS\SYSTEM32\ppnpxsdx.ini
2007-12-02 16:03 . 2007-12-02 16:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 10:54 . 2007-12-03 07:49 793,862 ---hs---- C:\WINDOWS\SYSTEM32\ltvtegkh.ini
2007-12-01 17:23 . 2007-12-12 07:52 1,049 --a------ C:\WINDOWS\Active Setup Log.BAK
2007-12-01 16:26 . 2007-12-01 16:26 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-01 15:08 . 2007-12-02 10:48 793,742 ---hs---- C:\WINDOWS\SYSTEM32\tbnihjfi.ini
2007-11-30 07:14 . 2007-11-30 07:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-30 07:14 . 2007-11-30 07:14 <DIR> d-------- C:\Documents and Settings\Lori DeSilva\Application Data\SUPERAntiSpyware.com
2007-11-30 07:14 . 2007-11-30 07:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-30 07:13 . 2007-11-30 07:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-29 22:29 . 2007-11-29 22:29 <DIR> d-------- C:\Documents and Settings\Lori DeSilva\DoctorWeb
2007-11-29 22:15 . 2007-11-29 22:15 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-11-28 11:02 . 2007-11-29 22:17 789,976 ---hs---- C:\WINDOWS\SYSTEM32\qqfxpykg.ini
2007-11-28 08:00 . 2007-11-28 10:56 783,737 ---hs---- C:\WINDOWS\SYSTEM32\ghklqaob.ini
2007-11-27 22:32 . 2007-11-28 07:46 784,425 ---hs---- C:\WINDOWS\SYSTEM32\ciobfkse.ini
2007-11-27 21:43 . 2007-11-27 22:24 784,305 ---hs---- C:\WINDOWS\SYSTEM32\pjmuhhtb.ini
2007-11-27 20:17 . 2007-11-27 21:45 784,545 ---hs---- C:\WINDOWS\SYSTEM32\soxfoafi.ini
2007-11-27 08:56 . 2007-11-27 20:07 784,435 ---hs---- C:\WINDOWS\SYSTEM32\isqhubmp.ini
2007-11-27 08:29 . 2007-11-27 08:29 <DIR> d--hs---- C:\FOUND.019
2007-11-26 21:19 . 2005-07-22 18:03 7,680 --a------ C:\WINDOWS\SYSTEM32\dllcache\migregdb.exe
2007-11-26 16:15 . 2007-11-27 08:48 780,335 ---hs---- C:\WINDOWS\SYSTEM32\syljpdut.ini
2007-11-25 16:32 . 2007-11-25 16:33 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2007-11-25 14:45 . 2007-11-25 14:45 775,952 ---hs---- C:\WINDOWS\SYSTEM32\abcyqfio.ini
2007-11-25 13:18 . 2007-11-25 14:37 775,901 ---hs---- C:\WINDOWS\SYSTEM32\hxqbierv.ini
2007-11-24 12:51 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-11-24 12:51 . 2004-01-09 05:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2007-11-24 12:51 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-11-24 12:51 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-11-24 12:51 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-11-24 12:51 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-11-24 12:51 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-11-24 12:51 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-11-22 19:18 . 2007-11-22 19:12 441,870 --ahs---- C:\WINDOWS\SYSTEM32\gfefe.ini
2007-11-22 10:52 . 2007-11-22 11:17 441,851 ---hs---- C:\WINDOWS\SYSTEM32\gfefe.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 12:32 440,317 --sh--w C:\WINDOWS\SYSTEM32\gfefe.bak2
2007-12-12 12:32 439,992 --sh--w C:\WINDOWS\SYSTEM32\gfefe.bak1
2007-11-22 03:51 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-22 03:51 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-22 00:34 --------- d-----w C:\Documents and Settings\Lori DeSilva\Application Data\ErrorSmart
2007-11-14 04:54 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-14 04:54 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-11-14 04:53 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2007-11-06 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-11-06 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-11-05 01:58 --------- d-----w C:\Program Files\SamsungODD
2007-11-05 01:30 769,536 ----a-w C:\Documents and Settings\Lori DeSilva\Application Data\sfdnwin.dll
2007-11-05 01:28 --------- d-----w C:\Program Files\SAMSUNG
2007-11-04 02:33 141,280 ----a-w C:\Documents and Settings\Lori DeSilva\Application Data\GDIPFONTCACHEV1.DAT
2007-11-03 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2007-11-03 18:44 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-11-03 18:41 --------- d-----w C:\Documents and Settings\Lori DeSilva\Application Data\Ahead
2007-11-03 18:36 --------- d-----w C:\Program Files\Nero
2007-11-03 18:36 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-03 02:40 --------- d-----w C:\Program Files\Alwil Software
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-17 15:46 246,545 ----a-w C:\WINDOWS\SYSTEM32\libssl32.dll
2007-10-17 15:46 1,188,375 ----a-w C:\WINDOWS\SYSTEM32\libeay32.dll
2006-12-24 00:24 92,064 ----a-w C:\Documents and Settings\Lori DeSilva\mqdmmdm.sys
2006-12-24 00:24 9,232 ----a-w C:\Documents and Settings\Lori DeSilva\mqdmmdfl.sys
2006-12-24 00:24 79,328 ----a-w C:\Documents and Settings\Lori DeSilva\mqdmserd.sys
2006-12-24 00:24 66,656 ----a-w C:\Documents and Settings\Lori DeSilva\mqdmbus.sys
2006-12-24 00:24 6,208 ----a-w C:\Documents and Settings\Lori DeSilva\mqdmcmnt.sys
2006-12-24 00:24 5,936 ----a-w C:\Documents and Settings\Lori DeSilva\mqdmwhnt.sys
2006-12-24 00:24 4,048 ----a-w C:\Documents and Settings\Lori DeSilva\mqdmcr.sys
2006-12-24 00:24 25,600 ----a-w C:\Documents and Settings\Lori DeSilva\usbsermptxp.sys
2006-12-24 00:24 22,768 ----a-w C:\Documents and Settings\Lori DeSilva\usbsermpt.sys
2006-01-16 21:28 266 --sh--w C:\Program Files\desktop.ini
2006-01-16 21:28 11,079 ---h--w C:\Program Files\folder.htt
2005-05-13 02:36 8,688,364 ----a-w C:\Program Files\Adobe Illustrator CS2.msi
2005-05-13 02:36 1,175 ----a-w C:\Program Files\Setup.ini
2005-05-13 02:35 278,994,817 ----a-w C:\Program Files\Data1.cab
2005-05-13 02:29 1,454 ----a-w C:\Program Files\Abcpy.ini
2003-02-25 15:04 4,632 ----a-w C:\Program Files\0x0409.ini
2002-03-11 12:06 1,822,520 ----a-w C:\Program Files\instmsiw.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EDC706D-932F-49F5-B00A-40C07A5660DA}]
C:\Program Files\Windows Media Player\pobehujo83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A35D164-6F44-437D-BF71-64E6D5097193}]
c:\windows\system32\olecli32n.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F55B087B-FCB7-48D1-94E4-6447AD3359B3}]
C:\Program Files\Windows Media Player\pobehujo4444.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 08:05]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2002-01-07 18:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2002-08-29 05:41]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"Name of App"="C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2007-04-05 15:29]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-01-26 10:46]
"MegaPanel"="D:\Neilson\HSTrans.exe" [2006-05-11 14:30]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2002-12-17 15:49]
"MagicSpeed"="C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe" [2004-01-12 10:13]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.exe" [1998-07-20 16:47]
"HPHmon03"="C:\WINDOWS\System32\hphmon03.exe" [2003-01-30 18:55]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-30 18:55]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"WatchDog"="D:\Program Files\WatchDog.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"00000faf"="C:\WINDOWS\System32\lweisvlb.dll" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2001-08-23 12:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkijg]
jkkkijg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkihf]
ljjkihf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
backup=C:\WINDOWS\pss\Iomega Icons.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup=C:\WINDOWS\pss\Iomega Startup Options.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-07 16:55 267064 --a------ D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"iPod Service"=3 (0x3)
"DomainService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"HPHA1MON"=C:\WINDOWS\SYSTEM32\hpha1mon.exe
"InCD"=C:\Program Files\ahead\InCD\InCD.exe
"mdac_runonce"=C:\WINDOWS\SYSTEM32\RUNONCE.EXE
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"<NO NAME>"=
"SoundMan"=SOUNDMAN.EXE



[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 15:36:59
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-22 15:51:18 - machine was rebooted
.
2007-12-19 04:05:46 --- E O F ---

The thing about people

is they change

when they walk away.--Mipso


#7 lorilee86

lorilee86
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:04 PM

Posted 29 December 2007 - 02:09 PM

I appreciate all your efforts to help me. I really don't mind reformatting the hard drive, but there are some programs that I have installed that I no longer have the software for and therefore don't want them deleted.

As for the Windows XP SP2, I read several times within your site that it is not recommended that it is installed!

I am not having some of the same issues I had before I ran the antivirus, spamware programs you suggested. I guess that that really didn't fix all the problems?

I hope to hear from you soon.
