
Severely Infected Computer, Multiple Issues


  • Please log in to reply
43 replies to this topic

#1 Dana P

Dana P

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 05 December 2007 - 03:57 PM

Hello everyone, this is my first time posting to a forum like this, I seem to have run out of other options on a co-worker's computer.

Some background:

When I first took a look at the computer, it failed boot and displayed the error message: "Failed to load Operating System". I ran the Recovery Console from my own XP cd, and issued FixMBR and FixBoot commands, and was able to boot back up normally into windows. Once at the login screen, there are three user accounts available. The first two, both admin accounts, would log on successfully; the third, however, would start to log on, then instantly log back off (I have read it described as a logon-logoff loop elsewhere). Anyway, trudging along, I did some checking with a usable account and discovered that the OS was XP Home, version 2002, no service packs installed; likewise there were no antivirus or firewall programs installed, and the computer had been connected via DSL Modem for I don't know how long. Needless to say, when I ran a few online antivirus scans, this computer was severely infected (hundreds of instances of malware). I did what I could, let bit defender, ad aware, and spywareblaster clean up what they could. I also installed the HD via USB to my own computer and scanned it with ZoneAlarm's AV, in order to catch as many malware instances as I could.

I then installed updates from microsoft. After rebooting, the computer began exhibiting even more behaviors I would associate with malware. Once logged on as a user, the computer would freeze up after a few minutes, and after rebooting a windows error message would indicate that the problem was due to a graphics device failing a draw operation. Also, I would constantly get error messages about a "duplicate name exists on the network", although I know that this is not the case.

The owner of the computer asked me to purchase and install an appropriate AV/Firewall program, and after some checking around online, I settled with Bit Defender's Internet Security Suite, and attempted an install in safe mode (due to the comp freezing in normal mode), and after configuring the microsoft installer to work in safemode, I found out that Bit Defender will not install unless Service Pack 2 is installed. So I installed SP2, installed Bit Defender, and can boot normally into windows again, however, only with one user. Now all other users experience the logon-logoff loop as I described earlier. The message about the duplicate name on the network appears constantly, even when I go to the command line and issue IPCONFIG /RELEASE. When the computer is connected to my home LAN, it can connect to the Internet, however, the connection is constantly interrupted - I am pretty sure that it is related to the "duplicate name" error that I am receiving.


So here I am, and after reading the Preparation Guide before posting here, I read about how installing SP2 can cause problems if the computer is infected with malware. I then realized that I probably made things worse for myself, and it is difficult to separate which problems are being caused by malware, and which problems are caused by me. I would like to salvage this installation if possible, although a fresh install is probably the best alternative. But I figured I would try here first, and see if we can solve the malware issues first, and then I can move on to other issues.

Here is the HJT Log, and sorry for the long post :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:10 PM, on 12/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Adrian\Desktop\malware downloads\hjt\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {03B0D615-052A-49E7-8B98-792AE5EB319A} - C:\Program Files\Online Services\mexocado83122.dll (file missing)
O2 - BHO: (no name) - {16d85bee-89bd-4b30-85d3-acf35766c41c} - C:\WINDOWS\System32\bytpmux.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\System32\yatool.dll (file missing)
O2 - BHO: (no name) - {5868A4F5-6364-46BB-6157-4A71C67896CB} - C:\WINDOWS\System32\wprmi.dll (file missing)
O2 - BHO: (no name) - {A4CDE248-094A-4AE0-B3D1-582007FA9080} - C:\Program Files\Online Services\mexocado4444.dll (file missing)
O2 - BHO: HelloWorldBHO - {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} - C:\Program Files\Microsoft Help\Microsoft.System.Help.dll (file missing)
O2 - BHO: 0 - {E76102B6-0364-49B2-8382-7BB77CF0C25C} - C:\Program Files\MSN\quka535.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Internet Explorer] C:\WINDOWS\patchw32.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Adrian\smss.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [autoload] C:\WINDOWS\System32\drivers\smss.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [autorun] C:\Documents and Settings\Adrian\smss.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196290982218
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: c:\windows\system32\jkhhecc.dll
O20 - Winlogon Notify: gb2nt$ - gb2nt$.dll (file missing)
O21 - SSODL: mLQUFBjFkX - {6C7E3EE9-C6D4-9443-4993-6D227FD52246} - C:\WINDOWS\System32\evlgw.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtese.html

--
End of file - 8755 bytes


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:45 AM

Posted 07 December 2007 - 06:21 PM

We can definitely help you, but first you need to help us.
The first step in this process is to apply Service Pack 1a for Windows XP.

Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click HERE. Apply the update, reboot, and post a fresh Hijack This log.

Install all critical updates except Service Pack 2.
Some hijacks interfere with the installation of Service Pack 2, so please wait until your computer is clean before installing it.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Dana P

Dana P
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 08 December 2007 - 09:28 PM

Thanks a bunch, SifuMike. :blink: I have done what you instructed - I installed sp1a and all windows updates. Also, I have rescanned the computer with ad aware, spybot, bd, panda, and AVERT Stinger, and installed zone alarm firewall. The issue I described about the computer freezing upon startup in normal mode was solved by installing the most recent graphics drivers from HP (the computer is a compaq presario, by the way). Also, I cloned the HD using the linux command 'dd' and am working on the clone, just to keep the original intact. Anyhow, here is the newest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:29 PM, on 12/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Adrian\Desktop\malware downloads\hjt\HiJackThis.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {03B0D615-052A-49E7-8B98-792AE5EB319A} - C:\Program Files\Online Services\mexocado83122.dll (file missing)
O2 - BHO: (no name) - {16d85bee-89bd-4b30-85d3-acf35766c41c} - C:\WINDOWS\System32\bytpmux.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\System32\yatool.dll (file missing)
O2 - BHO: (no name) - {5868A4F5-6364-46BB-6157-4A71C67896CB} - C:\WINDOWS\System32\wprmi.dll (file missing)
O2 - BHO: (no name) - {A4CDE248-094A-4AE0-B3D1-582007FA9080} - C:\Program Files\Online Services\mexocado4444.dll (file missing)
O2 - BHO: HelloWorldBHO - {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} - C:\Program Files\Microsoft Help\Microsoft.System.Help.dll (file missing)
O2 - BHO: 0 - {E76102B6-0364-49B2-8382-7BB77CF0C25C} - C:\Program Files\MSN\quka535.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Internet Explorer] C:\WINDOWS\patchw32.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [gvobmtwt] rundll32.exe "C:\Program Files\gvobmtwt\yrixoxcf.dll",Init
O4 - HKLM\..\Run: [bkdurshe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bkdurshe.dll"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Adrian\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Adrian\smss.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.4\webbuying.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [autoload] C:\WINDOWS\System32\drivers\smss.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [autorun] C:\Documents and Settings\Adrian\smss.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.4\webbuying.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe" (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [Insider] C:\Program Files\Insider\Insider.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe" (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196290982218
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: c:\windows\system32\jkhhecc.dll
O20 - Winlogon Notify: gb2nt$ - gb2nt$.dll (file missing)
O21 - SSODL: mLQUFBjFkX - {6C7E3EE9-C6D4-9443-4993-6D227FD52246} - C:\WINDOWS\System32\evlgw.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtese.html

--
End of file - 11001 bytes




Thanks again for the assistance :thumbsup:

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:45 AM

Posted 08 December 2007 - 09:52 PM

Hi Dana P,

An Online Scanner can never replace a real anti-virus product which provides real-time protection against viruses, automatic updates with very quick response time, memory scanning and usually has a firewall and several other protection mechanisms integrated.

Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

After you install the antivirus and run a scan of your computer, then post a fresh Hijackthis log.

Edited by SifuMike, 08 December 2007 - 10:10 PM.


#5 Dana P

Dana P
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 09 December 2007 - 12:55 AM

Right on, thanks. I had Bit Defender on there until I uninstalled sp2, which is a requirement for BD - I removed it in order to prevent any possible conflicts. Anyhow, I installed Avast and scanned both at system bootup and once again after logging in to an admin account in normal mode. Here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:02 PM, on 12/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Adrian\Desktop\malware downloads\hjt\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {03B0D615-052A-49E7-8B98-792AE5EB319A} - C:\Program Files\Online Services\mexocado83122.dll (file missing)
O2 - BHO: (no name) - {16d85bee-89bd-4b30-85d3-acf35766c41c} - C:\WINDOWS\System32\bytpmux.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\System32\yatool.dll (file missing)
O2 - BHO: (no name) - {5868A4F5-6364-46BB-6157-4A71C67896CB} - C:\WINDOWS\System32\wprmi.dll (file missing)
O2 - BHO: (no name) - {A4CDE248-094A-4AE0-B3D1-582007FA9080} - C:\Program Files\Online Services\mexocado4444.dll (file missing)
O2 - BHO: HelloWorldBHO - {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} - C:\Program Files\Microsoft Help\Microsoft.System.Help.dll (file missing)
O2 - BHO: 0 - {E76102B6-0364-49B2-8382-7BB77CF0C25C} - C:\Program Files\MSN\quka535.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Internet Explorer] C:\WINDOWS\patchw32.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [gvobmtwt] rundll32.exe "C:\Program Files\gvobmtwt\yrixoxcf.dll",Init
O4 - HKLM\..\Run: [bkdurshe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bkdurshe.dll"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Adrian\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Adrian\smss.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.4\webbuying.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [autoload] C:\WINDOWS\System32\drivers\smss.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [autorun] C:\Documents and Settings\Adrian\smss.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.4\webbuying.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe" (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [Insider] C:\Program Files\Insider\Insider.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe" (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196290982218
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: c:\windows\system32\jkhhecc.dll
O20 - Winlogon Notify: gb2nt$ - gb2nt$.dll (file missing)
O21 - SSODL: mLQUFBjFkX - {6C7E3EE9-C6D4-9443-4993-6D227FD52246} - C:\WINDOWS\System32\evlgw.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtese.html

--
End of file - 11612 bytes


Thanks yet again
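An added example, not part of HijackThis, ComboFix or anything posted in this thread: a small Python triage script that applies, to HijackThis lines like the ones in the log above (and the second HJT log posted later in the thread), the checks a malware-removal helper makes by eye: hooks whose target file is missing, Run entries that launch a core-OS process name such as smss.exe from the wrong place, rundll32/regsvr32 loaders pointing outside System32, AppInit_DLLs / Winlogon Notify / SSODL hooks, DNS resolvers not on an expected list, and (low confidence) random-looking names. The sample input is copied from the log above except for one constructed O17 line using the documentation address 192.0.2.53; the "expected resolvers" list (OpenDNS, 208.67.220.220 and 208.67.222.222, as in the log) is an assumption for this example.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HJT code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Core OS processes are started by the kernel / Session Manager, never from a
# Run key, so any Run entry naming one of them is a masquerade.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe"}

# Assumption for this example: the machine is expected to use OpenDNS, whose
# public resolvers are 208.67.220.220 and 208.67.222.222 (as in the log).
EXPECTED_DNS = {"208.67.220.220", "208.67.222.222"}

# Sample input: lines taken from the HijackThis log in this thread, plus one
# constructed O17 line (192.0.2.53 is a documentation address, not a real resolver).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5868A4F5-6364-46BB-6157-4A71C67896CB} - C:\WINDOWS\System32\wprmi.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [Internet Explorer] C:\WINDOWS\patchw32.exe
O4 - HKLM\..\Run: [gvobmtwt] rundll32.exe "C:\Program Files\gvobmtwt\yrixoxcf.dll",Init
O4 - HKLM\..\Run: [bkdurshe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bkdurshe.dll"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Adrian\smss.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53
O20 - AppInit_DLLs: c:\windows\system32\jkhhecc.dll
O20 - Winlogon Notify: gb2nt$ - gb2nt$.dll (file missing)
O21 - SSODL: mLQUFBjFkX - {6C7E3EE9-C6D4-9443-4993-6D227FD52246} - C:\WINDOWS\System32\evlgw.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


_RUN = re.compile(r"^O4 - [^:]+:\s*\[(?P<key>[^\]]*)\]\s*(?P<cmd>.*)$")
_O17 = re.compile(r"^O17 - .*NameServer\s*=\s*(?P<servers>[\d., ]+)$")
_PATH = re.compile(r'[A-Za-z]:\\[^",]+\.(?:exe|dll|ocx)', re.IGNORECASE)
_LOADERS = ("rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32")


def looks_random(name: str) -> bool:
    """Low-confidence check: five or more letters with under 20% vowels."""
    letters = re.sub(r"[^A-Za-z]", "", name).lower()
    if len(letters) < 5:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def first_path(text: str) -> Optional[str]:
    """First drive-letter path to an .exe/.dll/.ocx in the text, if any."""
    m = _PATH.search(text)
    return m.group(0) if m else None


def triage_line(line: str) -> List[Finding]:
    line = line.rstrip()
    out: List[Finding] = []
    if not line:
        return out
    section = line.split(" ", 1)[0]  # "O2", "O4", "O17", ...
    if section in ("O2", "O20", "O21") and "(file missing)" in line:
        out.append(Finding("medium", "hook points at a missing file: dangling registry entry to clean up", line))
    if line.startswith("O20 - AppInit_DLLs:"):
        out.append(Finding("high", "AppInit_DLLs is loaded into every process that maps user32.dll", line))
    elif line.startswith("O20 - Winlogon Notify:"):
        out.append(Finding("high", "Winlogon Notify DLL is loaded into winlogon.exe as SYSTEM", line))
    elif section == "O21":
        out.append(Finding("high", "ShellServiceObjectDelayLoad DLL is loaded by Explorer at logon", line))
    m = _RUN.match(line)
    if m:
        key, cmd = m.group("key"), m.group("cmd")
        path = first_path(cmd)
        filename = path.rsplit("\\", 1)[-1] if path else ""
        if filename.lower() in CORE_PROCESSES:
            out.append(Finding("high", f"Run entry launches core-OS name {filename} from {path}", line))
        launcher = cmd.strip('"').split()[0].lower() if cmd.strip() else ""
        if launcher in _LOADERS and path and "\\system32\\" not in path.lower():
            out.append(Finding("medium", f"{launcher} loads a DLL outside System32: {path}", line))
        for name in (key, filename.rsplit(".", 1)[0]):
            if looks_random(name):
                out.append(Finding("low", f"random-looking name '{name}'", line))
                break
    m = _O17.match(line)
    if m:
        servers = {s.strip() for s in m.group("servers").split(",") if s.strip()}
        unknown = sorted(servers - EXPECTED_DNS)
        if unknown:
            out.append(Finding("high", f"unexpected DNS resolver(s): {', '.join(unknown)}", line))
    return out


def triage(log_text: str) -> List[Finding]:
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def severity_counts(findings: List[Finding]) -> Counter:
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(dict(severity_counts(results)))
```

The name-randomness check is deliberately low severity: vendor abbreviations (Realtek's ALCXMNTR.EXE, HP's HPWuSchd2.exe) trip it just as readily as malware does, so it only orders the list for review. The "(file missing)" entries are still worth fixing even though nothing loads: the loader keeps trying at every logon, and a dropper that is later re-run will find its registry hooks already in place.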

#6 SifuMike (malware expert)

Posted 09 December 2007 - 01:19 AM

Hi Dana,

The owner of the computer asked me


Are you a computer repair shop? Is this a company computer? Whose computer is this?

I had Bit Defender on there until I uninstalled sp2, which is a requirement for BD - I removed it in order to prevent any possible conflicts.

How long were you using this computer with no antivirus program installed?
And how long were you using this computer with XP (not SP1 or SP2)?


Let's run ComboFix.

I see you are running Teatimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup
When everything is done and your log is clean again, you can enable it again.


You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used Combofix before, please delete the version you have and redownload it, because Combofix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

Edited by SifuMike, 09 December 2007 - 01:29 AM.


#7 Dana P (Topic Starter)

Posted 09 December 2007 - 05:13 PM

Hi Mike -

No, I am not attempting to fix this computer professionally. The computer (Compaq Presario sr1575cl) is a personal/home computer, and belongs to a friend of a co-worker of mine. I had fixed another co-worker's computer before, so now everyone comes to me, lol. Anyway, the owner does not speak much English and I do not speak any Spanish, so it has been difficult to get many details from him. Here is what I do know, however, and it will help explain your questions about service packs and anti-virus programs. (Looking back at my last post, I can see that my explanation is confusing.)

For however long he has owned it (unsure of that), it has been running XP Home version 2002, with no service packs installed. He was connected directly to a 2Wire DSL modem through SBC, and, when I received it, it did not have any anti-virus or anti-malware at all. So the first thing I did was connect the hard drive to my computer via a USB adapter, scan it with ZoneAlarm and remove what it found. Then I reinstalled the hard drive and (after running the Recovery Console in order to fix the MBR, which seems to have been corrupted by a boot sector virus) booted into normal mode, where I discovered the lack of service packs and antivirus software. He asked me to install whatever AV program I thought was best, and so I decided on BitDefender, as it was ranked highly on various reviewing websites. I went to install it; however, BD prompted me with an error about it requiring SP2 in order to install, and, being unaware of the problems of installing SP2 on an infected computer, I installed it. Then I noticed stop errors that would flash for about half a second before the computer rebooted, constantly. I managed to boot into safe mode and went ahead with the install of BitDefender, to see if scanning for viruses would make a difference somehow. Eventually I uninstalled SP2, as well as BD (because with SP2 no longer installed, I figured keeping BD installed might cause even more issues).

Keep in mind, though, that I was as careful as possible to keep the computer disconnected from the Internet (I downloaded various spyware programs from my computer and installed them on the infected computer via flash drive). The only times I actually connected to the Internet on the infected machine were to perform Windows updates, update Ad-Aware, Spybot, etc., and to perform the free online scans, and only in safe mode, unless whatever I was doing would not run in safe mode (such as MS updates, I believe). All the HJT scans were performed in normal mode, and I then saved the logs on a flash drive and posted to this forum from my own computer, in order to minimize exposure as much as possible.

Again, thanks for all of your help, this thing is becoming a nightmare, lol. I am pretty good with computers in general (I have a Bachelor's in CIS); however, malware isn't my area. Although, after this experience, I am definitely going to do some research on this stuff.

Here is the Combofix log, followed by the subsequent HJT log:

ComboFix 07-12-09.1 - Adrian 2003-01-09 12:54:03.1 - NTFSx86

Running from: C:\Documents and Settings\Adrian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Adrian\Application Data\tmp5D.tmp.exe
C:\Documents and Settings\Adrian\Application Data\tmpC.tmp.exe
C:\Documents and Settings\Adrian\err.log
C:\Documents and Settings\Adrian\Local Settings\Application Data.\n.ini
C:\Documents and Settings\Adrian\Local Settings\Application Data\n.ini
C:\Documents and Settings\Adrian\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Adrian\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Adrian\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Alejandra\Application Data\WinTouch
C:\Documents and Settings\Alejandra\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Alejandra\err.log
C:\Documents and Settings\Alejandra\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Alejandra\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Alejandra\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Alejandra\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Alejandra\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Alejandra\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\SI o ke\Desktop\Install WinAntiSpyware 2006 .lnk
C:\Documents and Settings\SI o ke\Desktop\Install WinAntiSpyware 2007 .lnk
C:\Documents and Settings\SI o ke\err.log
C:\Documents and Settings\SI o ke\Start Menu\Programs\Startup\TA_Start.lnk
C:\Program Files\Common Files\ppatch~1
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack10.exe
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QdrPack\zhydupd.exe
C:\Program Files\svhost
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files.\xpreload.ocx
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\C2
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\wnscpsv32.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-08 16:42 . 2005-10-20 14:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-12-08 15:44 . 2007-12-08 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-08 15:43 . 2007-12-08 16:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-08 15:23 . 2007-12-08 15:23 <DIR> d-------- C:\Program Files\sisagp
2007-12-08 15:23 . 2007-12-08 15:23 <DIR> d-------- C:\Program Files\SiS VGA Utilities V3.67
2007-12-08 10:30 . 2007-12-08 16:49 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-07 23:07 . 2002-08-29 02:20 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-12-07 23:04 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\001198_.tmp
2007-12-07 22:33 . 2007-12-07 22:33 <DIR> d-------- C:\HP
2007-12-07 21:21 . 2007-12-07 21:21 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-05 00:03 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-04 23:18 . 2007-12-05 00:06 <DIR> d-------- C:\Documents and Settings\Adrian\.housecall6.6
2007-12-04 22:20 . 2007-12-04 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-12-04 16:50 . 2007-12-08 14:04 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-04 16:50 . 2007-12-08 14:04 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-04 16:49 . 2003-01-01 00:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-04 16:49 . 2007-12-08 14:04 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-04 12:34 . 2007-12-04 22:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 22:33 . 2007-11-29 22:33 77,824 --a------ C:\WINDOWS\system32\xcomm.dll.avxpnd
2007-11-29 11:03 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-11-29 11:03 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-11-29 11:03 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-11-29 11:03 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-11-29 11:03 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-11-29 11:03 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-11-29 11:03 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-11-29 11:03 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-11-29 11:03 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-11-29 11:03 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-11-29 11:01 . 2001-08-17 14:56 1,738,496 --a--c--- C:\WINDOWS\system32\dllcache\nv4.dll
2007-11-29 11:00 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-11-29 10:59 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-11-29 10:58 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-11-29 10:58 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2007-11-29 10:58 . 2001-08-17 22:36 462,848 --a--c--- C:\WINDOWS\system32\dllcache\a3dapi.dll
2007-11-29 10:58 . 2001-08-17 12:48 148,352 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2007-11-29 10:58 . 2001-08-17 22:36 98,304 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2007-11-29 10:58 . 2001-08-17 12:20 96,256 --a--c--- C:\WINDOWS\system32\dllcache\ac97intc.sys
2007-11-29 10:58 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-11-29 10:58 . 2001-08-17 14:55 38,400 --a--c--- C:\WINDOWS\system32\dllcache\8514a.dll
2007-11-29 10:58 . 2001-08-17 13:52 23,552 --a--c--- C:\WINDOWS\system32\dllcache\abp480n5.sys
2007-11-29 10:58 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2007-11-28 23:39 . 2007-12-04 22:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-28 23:36 . 2007-11-28 23:36 <DIR> d-------- C:\Documents and Settings\Adrian\Application Data\MSN6
2007-11-28 22:47 . 2007-12-08 00:55 1,353,834 --a------ C:\WINDOWS\setupapi.log.1.old
2007-11-28 20:12 . 2007-12-07 21:21 121 --a------ C:\WINDOWS\bdagent.INI
2007-11-28 19:57 . 2007-11-28 19:57 <DIR> d-------- C:\Program Files\BitDefender
2007-11-28 19:57 . 2007-12-07 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-11-28 19:56 . 2007-12-07 21:21 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-11-28 16:41 . 2007-12-08 16:49 5,674 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-28 16:33 . 2007-11-28 16:33 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-11-28 15:56 . 2007-11-28 15:56 <DIR> d-------- C:\WINDOWS\provisioning
2007-11-28 15:56 . 2007-11-28 11:11 <DIR> d-------- C:\WINDOWS\peernet
2007-11-28 15:52 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002283_.tmp
2007-11-28 15:50 . 2007-12-07 23:06 <DIR> d-------- C:\WINDOWS\EHome
2007-11-28 15:41 . 2007-11-28 15:41 <DIR> d-------- C:\ae4cc492cc25ea9db44639db2c4800
2007-11-28 15:18 . 2007-11-28 15:18 278,927,592 --a------ C:\WindowsXP-KB835935-SP2-ENU.exe
2007-11-27 10:23 . 2007-11-27 11:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-27 01:21 . 2007-11-27 01:21 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-11-27 01:21 . 2007-11-27 01:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-27 01:21 . 2007-11-27 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-27 01:14 . 2007-11-27 01:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-27 00:57 . 2007-12-08 10:24 <DIR> dr--s---- C:\WINDOWS\Fonts
2007-11-27 00:52 . 2007-11-27 00:52 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-11-27 00:24 . 2007-11-27 00:24 <DIR> d-------- C:\WINDOWS\LogFiles
2007-11-26 23:57 . 2002-09-25 15:18 316,928 --a------ C:\WINDOWS\system32\zipfldr.dll
2007-11-26 23:56 . 2002-12-03 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-11-26 23:56 . 2002-12-03 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-11-26 23:56 . 2007-11-26 23:56 127 --a------ C:\WINDOWS\system32\MRT.INI
2007-11-26 23:55 . 2005-04-12 11:30 258,048 --a------ C:\WINDOWS\system32\_SiSParse.dll
2007-11-26 23:55 . 2005-04-12 11:30 184,320 --a------ C:\WINDOWS\system32\SiSInst.dll
2007-11-26 23:55 . 2003-01-10 14:43 143,872 --a------ C:\WINDOWS\system32\itircl.dll
2007-11-26 23:55 . 2003-01-10 14:43 122,368 --a------ C:\WINDOWS\system32\itss.dll
2007-11-26 23:55 . 2005-04-12 11:31 49,152 --a------ C:\WINDOWS\system32\SiSPower.dll
2007-11-26 23:55 . 2005-04-12 11:29 49,152 --a------ C:\WINDOWS\system32\_SiSBase.dll
2007-11-26 23:55 . 2003-01-10 14:43 37,888 --a------ C:\WINDOWS\system32\hhsetup.dll
2007-11-26 23:55 . 2002-12-17 17:43 10,752 --a------ C:\WINDOWS\hh.exe
2007-11-26 23:55 . 2005-04-12 11:29 7,168 --a------ C:\WINDOWS\InstFunc.dll
2007-11-26 23:54 . 2002-11-14 12:50 226,816 --a------ C:\WINDOWS\system32\srrstr.dll
2007-11-26 23:53 . 2007-11-26 23:58 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-11-26 23:53 . 2007-11-26 23:53 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-26 23:53 . 2002-09-30 10:58 125,440 --a------ C:\WINDOWS\system32\shmedia.dll
2007-11-26 23:53 . 2002-09-30 10:58 125,440 --a--c--- C:\WINDOWS\system32\dllcache\shmedia.dll
2007-11-26 23:53 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 23:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-08 23:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-27 09:56 --------- d-----w C:\Program Files\Odmeibds
2007-11-27 09:56 --------- d-----w C:\Program Files\Kacnyvrg
2007-11-27 09:56 --------- d-----w C:\Program Files\gvobmtwt
2007-11-26 22:40 --------- d-----w C:\Program Files\Microsoft Help
2007-11-26 22:35 --------- d-----w C:\Program Files\Common Files\Update
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03B0D615-052A-49E7-8B98-792AE5EB319A}]
C:\Program Files\Online Services\mexocado83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16d85bee-89bd-4b30-85d3-acf35766c41c}]
C:\WINDOWS\System32\bytpmux.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54C7D1DD-4296-451e-B756-1E94F665B4FF}]
C:\WINDOWS\System32\yatool.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5868A4F5-6364-46BB-6157-4A71C67896CB}]
C:\WINDOWS\System32\wprmi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4CDE248-094A-4AE0-B3D1-582007FA9080}]
C:\Program Files\Online Services\mexocado4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E76102B6-0364-49B2-8382-7BB77CF0C25C}]
C:\Program Files\MSN\quka535.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 13:51]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 11:30]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-05-25 03:24]
"Internet Explorer"="C:\WINDOWS\patchw32.exe" []
"SiSPower"="Rundll32.exe" [2001-08-18 04:00 C:\WINDOWS\system32\rundll32.exe]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 14:49]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 18:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2007-12-08 15:23:44]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\rtese.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mLQUFBjFkX"= {6C7E3EE9-C6D4-9443-4993-6D227FD52246} - C:\WINDOWS\System32\evlgw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gb2nt$]
gb2nt$.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\jkhhecc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"


*Newly Created Service* - ALG
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\DOCUME~1\Adrian\LOCALS~1\Temp\rjexviqnESARIO.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 13:00:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 13:01:07 - machine was rebooted
.
--- E O F ---

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:15 PM, on 12/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Adrian\Desktop\malware downloads\hjt\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {03B0D615-052A-49E7-8B98-792AE5EB319A} - C:\Program Files\Online Services\mexocado83122.dll (file missing)
O2 - BHO: (no name) - {16d85bee-89bd-4b30-85d3-acf35766c41c} - C:\WINDOWS\System32\bytpmux.dll (file missing)
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\System32\yatool.dll (file missing)
O2 - BHO: (no name) - {5868A4F5-6364-46BB-6157-4A71C67896CB} - C:\WINDOWS\System32\wprmi.dll (file missing)
O2 - BHO: (no name) - {A4CDE248-094A-4AE0-B3D1-582007FA9080} - C:\Program Files\Online Services\mexocado4444.dll (file missing)
O2 - BHO: 0 - {E76102B6-0364-49B2-8382-7BB77CF0C25C} - C:\Program Files\MSN\quka535.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Internet Explorer] C:\WINDOWS\patchw32.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196290982218
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: c:\windows\system32\jkhhecc.dll
O20 - Winlogon Notify: gb2nt$ - gb2nt$.dll (file missing)
O21 - SSODL: mLQUFBjFkX - {6C7E3EE9-C6D4-9443-4993-6D227FD52246} - C:\WINDOWS\System32\evlgw.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtese.html

--
End of file - 8189 bytes




I really appreciate the help.

Edited by Dana P, 09 December 2007 - 05:15 PM.


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:45 AM

Posted 09 December 2007 - 10:19 PM

Hi Dana,

You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\xcomm.dll.avxpnd

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {03B0D615-052A-49E7-8B98-792AE5EB319A} - C:\Program Files\Online Services\mexocado83122.dll (file missing)
O2 - BHO: (no name) - {16d85bee-89bd-4b30-85d3-acf35766c41c} - C:\WINDOWS\System32\bytpmux.dll (file missing)
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\System32\yatool.dll (file missing)
O2 - BHO: (no name) - {5868A4F5-6364-46BB-6157-4A71C67896CB} - C:\WINDOWS\System32\wprmi.dll (file missing)
O2 - BHO: (no name) - {A4CDE248-094A-4AE0-B3D1-582007FA9080} - C:\Program Files\Online Services\mexocado4444.dll (file missing)
O2 - BHO: 0 - {E76102B6-0364-49B2-8382-7BB77CF0C25C} - C:\Program Files\MSN\quka535.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: c:\windows\system32\jkhhecc.dll
O20 - Winlogon Notify: gb2nt$ - gb2nt$.dll (file missing)
O21 - SSODL: mLQUFBjFkX - {6C7E3EE9-C6D4-9443-4993-6D227FD52246} - C:\WINDOWS\System32\evlgw.dll (file missing)


If you did not add this page to your desktop, then fix it.
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtese.html

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system32\jkhhecc.dll
C:\WINDOWS\web\related.htm

DirLook:: 
C:\Program Files\Odmeibds
C:\Program Files\Kacnyvrg
C:\Program Files\gvobmtwt
C:\WINDOWS\Fonts


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
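
Picking the "fix checked" lines out of a HijackThis log, as SifuMike did above, is a triage exercise: which persistence points does legitimate software never use, and which entries point at files that no longer exist? The following is an added example, not code from the thread and not HijackThis' own logic. It runs a handful of heuristics over lines copied from the log posted earlier in the thread; the `Finding` type, the rule set and the "always review" list are my assumptions about what an analyst checks first, not anything the posts state.

```python
"""Triage a HijackThis (HJT) log for persistence entries worth a second look.

Added example for this thread; not HijackThis' logic and not code from the
original posts. The heuristics are the author's assumptions about what a
malware analyst flags first on an XP box: orphaned entries ("file missing"),
unusual persistence points (O20/O21/O24), Run keys pointing straight into
%WINDIR% or to bare file names, ActiveX (O16) fetched over anything but
http(s), and static DNS servers (O17).
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {16d85bee-89bd-4b30-85d3-acf35766c41c} - C:\WINDOWS\System32\bytpmux.dll (file missing)
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\System32\yatool.dll (file missing)
O4 - HKLM\..\Run: [Internet Explorer] C:\WINDOWS\patchw32.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: c:\windows\system32\jkhhecc.dll
O20 - Winlogon Notify: gb2nt$ - gb2nt$.dll (file missing)
O21 - SSODL: mLQUFBjFkX - {6C7E3EE9-C6D4-9443-4993-6D227FD52246} - C:\WINDOWS\System32\evlgw.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str  # HJT section prefix, e.g. "O20"
    reason: str
    line: str


# Persistence points that ordinary software on a home XP box almost never uses.
ALWAYS_REVIEW = {
    "O20": "AppInit_DLLs / Winlogon Notify: DLL loaded into every GUI process or into winlogon.exe",
    "O21": "ShellServiceObjectDelayLoad: DLL loaded by explorer.exe at every logon",
    "O24": "Active Desktop component: HTML rendered on the desktop (can carry script)",
}

SECTION_RE = re.compile(r"^([RFNO]\d+) - ")
RUN_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


def _run_target(rest: str) -> str:
    """Return the executable path from the text after the [name] in an O4 line."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics line by line; returns the entries an analyst should review."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section = m.group(1)

        if "(file missing)" in line:
            # The registry still points at a deleted file: leftover loader of
            # malware that was removed, or a hook whose DLL a scanner deleted.
            findings.append(Finding(section, "dangling: registry references a file that no longer exists", line))
        elif section in ALWAYS_REVIEW:
            findings.append(Finding(section, ALWAYS_REVIEW[section], line))
        elif section == "O2" and "(no name)" in line:
            findings.append(Finding(section, "BHO without a display name", line))
        elif section == "O4" and (rm := RUN_RE.match(line)):
            target = _run_target(rm.group("rest"))
            folder = ntpath.dirname(target).lower()
            if folder == "":
                findings.append(Finding(section, "Run key with a bare file name: resolved through the search path, so it cannot be pinned to one binary", line))
            elif folder in (r"c:\windows", r"c:\winnt"):
                findings.append(Finding(section, "Run key pointing straight into %WINDIR% (installers use Program Files; droppers use the Windows root)", line))
        elif section == "O16" and (dm := DPF_RE.match(line)):
            url = dm.group("url").lower()
            if not url.startswith(("http://", "https://")):
                findings.append(Finding(section, "ActiveX control loaded over a non-http(s) scheme (ms-its:/mhtml: chains were a classic IE exploit vector)", line))
        elif section == "O17" and (nm := NS_RE.search(line)):
            findings.append(Finding(section, f"static DNS servers {nm.group('servers')}: confirm the owner chose them (DNS-changer trojans set this key)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

On the sample this flags nine of the twelve lines and leaves the avast! Run entry, the BitDefender scanner cab and the avast! service alone, which matches the set SifuMike told Dana to fix, plus the O17 line as an informational item to confirm rather than remove.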

#9 Dana P

Dana P
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 10 December 2007 - 07:28 PM

Hi Mike,

Sorry for not posting for a while; I have been sick with a stomach bug since yesterday. I am going to sleep for a while, and I should have those results for you later tonight.

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:45 AM

Posted 11 December 2007 - 12:46 AM

That is OK, there is no rush. Your health is more important than posting a log. :thumbsup:

#11 Dana P

Dana P
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 11 December 2007 - 08:03 PM

Thanks for understanding.

I have done as you asked and run a check on C:\WINDOWS\system32\xcomm.dll.avxpnd on virustotal.com, although none of the AV scanners seemed to detect anything:

Antivirus;Version;Last Update;Result
AhnLab-V3;2007.12.11.0;2007.12.10;-
AntiVir;7.6.0.40;2007.12.10;-
Authentium;4.93.8;2007.12.10;-
Avast;4.7.1098.0;2007.12.10;-
AVG;7.5.0.503;2007.12.10;-
BitDefender;7.2;2007.12.11;-
CAT-QuickHeal;9.00;2007.12.10;-
ClamAV;0.91.2;2007.12.10;-
DrWeb;4.44.0.09170;2007.12.10;-
eSafe;7.0.15.0;2007.12.10;-
eTrust-Vet;31.3.5368;2007.12.10;-
Ewido;4.0;2007.12.10;-
FileAdvisor;1;2007.12.11;-
Fortinet;3.14.0.0;2007.12.10;-
F-Prot;4.4.2.54;2007.12.10;-
F-Secure;6.70.13030.0;2007.12.11;-
Ikarus;T3.1.1.12;2007.12.10;-
Kaspersky;7.0.0.125;2007.12.11;-
McAfee;5182;2007.12.10;-
Microsoft;1.3007;2007.12.10;-
NOD32v2;2714;2007.12.10;-
Norman;5.80.02;2007.12.10;-
Panda;9.0.0.4;2007.12.10;-
Prevx1;V2;2007.12.11;-
Rising;20.21.42.00;2007.12.07;-
Sophos;4.24.0;2007.12.10;-
Sunbelt;2.2.907.0;2007.12.07;-
Symantec;10;2007.12.10;-
TheHacker;6.2.9.155;2007.12.10;-
VBA32;3.12.2.5;2007.12.10;-
VirusBuster;4.3.26:9;2007.12.10;-
Webwasher-Gateway;6.6.2;2007.12.10;-

Additional information
File size: 77824 bytes
MD5: 511e52f847eee07b62d22182ff3c8afd
SHA1: 015cf67898eaa84e311608a018a0f5fd1323eb61
PEiD: -

I installed CCleaner, then ran HijackThis and fixed the lines that you instructed.

Then I ran CCleaner on the account that I have been using thus far.

I ran into a problem logging into other accounts, however: there are two other accounts (one administrator and one limited user) that will not successfully log on. They both go through a "logon-logoff loop", where at the logon screen, when the user account is selected, the screen goes black for about a second, only to return to the login screen. I am unsure how I should continue at this point: try to solve the logon problem, or continue with ComboFix?
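
A 0-of-32 VirusTotal result like the one above is weaker than it looks when some engines were scanned with signatures several days old, and it says nothing unless the file on disk is really the sample that was uploaded. The following is an added example, not part of the thread and not VirusTotal's tooling: it parses the semicolon-separated table as posted, discounts engines whose definitions were older than a chosen threshold on the scan date, and checks a local copy against the size and hashes Dana posted. The two-day threshold, the `Row` type and the constructed stand-in bytes are my assumptions.

```python
"""Weigh a VirusTotal result table and confirm the local file is the scanned sample.

Added example; not from the thread and not VirusTotal's own code. Assumes the
"Antivirus;Version;Last Update;Result" layout as posted, "-" meaning no
detection, and a staleness threshold (two days) chosen here.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Subset of the rows posted in the thread, including the two engines whose
# definitions were several days old on the scan date.
SAMPLE_RESULTS = """\
Antivirus;Version;Last Update;Result
AntiVir;7.6.0.40;2007.12.10;-
BitDefender;7.2;2007.12.11;-
Kaspersky;7.0.0.125;2007.12.11;-
McAfee;5182;2007.12.10;-
Rising;20.21.42.00;2007.12.07;-
Sophos;4.24.0;2007.12.10;-
Sunbelt;2.2.907.0;2007.12.07;-
Symantec;10;2007.12.10;-
"""
SCAN_DATE = date(2007, 12, 11)

# Values posted in the thread under "Additional information".
POSTED_SIZE = 77824
POSTED_MD5 = "511e52f847eee07b62d22182ff3c8afd"
POSTED_SHA1 = "015cf67898eaa84e311608a018a0f5fd1323eb61"


@dataclass
class Row:
    engine: str
    version: str
    updated: date
    result: str  # "-" means no detection


def parse_results(text: str) -> list:
    """Parse the semicolon table; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        engine, version, updated, result = line.split(";")
        y, m, d = (int(p) for p in updated.split("."))
        rows.append(Row(engine, version, date(y, m, d), result))
    return rows


def assess(rows: list, scan_date: date, max_age_days: int = 2) -> dict:
    """Count detections and discount engines whose definitions were stale at scan time."""
    detections = [r.engine for r in rows if r.result != "-"]
    stale = [r.engine for r in rows if (scan_date - r.updated).days > max_age_days]
    return {
        "engines": len(rows),
        "detections": detections,
        "stale_engines": stale,
        # "clean" votes that actually carry weight: current engines that said "-"
        "effective_clean_votes": len(rows) - len(detections) - len(stale),
    }


def matches_posted_sample(data: bytes) -> dict:
    """Confirm the bytes you hold are the sample VirusTotal scored, not a look-alike."""
    return {
        "size": len(data) == POSTED_SIZE,
        "md5": hashlib.md5(data).hexdigest() == POSTED_MD5,
        "sha1": hashlib.sha1(data).hexdigest() == POSTED_SHA1,
    }


if __name__ == "__main__":
    print(assess(parse_results(SAMPLE_RESULTS), SCAN_DATE))
    # Constructed stand-in for a local copy; the real file is not on this page.
    print(matches_posted_sample(b"not the real xcomm.dll.avxpnd"))
```

On the posted rows this reports no detections but two engines (Rising and Sunbelt) with four-day-old definitions, so only six of the eight "clean" votes should count; and any local copy whose size or hashes differ from the posted values is not the file VirusTotal looked at, whatever the verdict says.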

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:45 AM

Posted 11 December 2007 - 09:17 PM

Please continue with ComboFix.

#13 Dana P

Dana P
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:45 AM

Posted 12 December 2007 - 01:32 AM

I ran ComboFix using the saved script as you described, and after reboot I ran HJT again. Here are the logs:

COMBOFIX LOG:

ComboFix 07-12-09.1 - Adrian 2007-12-11 22:18:11.2 - NTFSx86

Running from: C:\Documents and Settings\Adrian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Adrian\Desktop\CFScript.txt

FILE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system32\jkhhecc.dll
C:\WINDOWS\web\related.htm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\web\related.htm

.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-10 16:08 . 2007-12-10 16:08 <DIR> d-------- C:\Program Files\CCleaner
2007-12-08 16:42 . 2005-10-20 14:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-12-08 15:44 . 2007-12-08 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-08 15:43 . 2007-12-11 15:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-08 15:23 . 2007-12-08 15:23 <DIR> d-------- C:\Program Files\sisagp
2007-12-08 15:23 . 2007-12-08 15:23 <DIR> d-------- C:\Program Files\SiS VGA Utilities V3.67
2007-12-08 10:30 . 2007-12-08 16:49 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-07 23:07 . 2002-08-29 02:20 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-12-07 23:04 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\001198_.tmp
2007-12-07 22:33 . 2007-12-07 22:33 <DIR> d-------- C:\HP
2007-12-07 21:21 . 2007-12-07 21:21 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-05 00:03 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-04 23:18 . 2007-12-05 00:06 <DIR> d-------- C:\Documents and Settings\Adrian\.housecall6.6
2007-12-04 22:20 . 2007-12-04 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-12-04 16:50 . 2007-12-08 14:04 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-04 16:50 . 2007-12-08 14:04 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-04 16:49 . 2003-01-01 00:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-04 16:49 . 2007-12-08 14:04 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-04 12:34 . 2007-12-04 22:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 22:33 . 2007-11-29 22:33 77,824 --a------ C:\WINDOWS\system32\xcomm.dll.avxpnd
2007-11-29 11:03 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-11-29 11:03 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-11-29 11:03 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-11-29 11:03 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-11-29 11:03 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-11-29 11:03 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-11-29 11:03 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-11-29 11:03 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-11-29 11:03 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-11-29 11:03 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-11-29 11:01 . 2001-08-17 14:56 1,738,496 --a--c--- C:\WINDOWS\system32\dllcache\nv4.dll
2007-11-29 11:00 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-11-29 10:59 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-11-29 10:58 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-11-29 10:58 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2007-11-29 10:58 . 2001-08-17 22:36 462,848 --a--c--- C:\WINDOWS\system32\dllcache\a3dapi.dll
2007-11-29 10:58 . 2001-08-17 12:48 148,352 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2007-11-29 10:58 . 2001-08-17 22:36 98,304 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2007-11-29 10:58 . 2001-08-17 12:20 96,256 --a--c--- C:\WINDOWS\system32\dllcache\ac97intc.sys
2007-11-29 10:58 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-11-29 10:58 . 2001-08-17 14:55 38,400 --a--c--- C:\WINDOWS\system32\dllcache\8514a.dll
2007-11-29 10:58 . 2001-08-17 13:52 23,552 --a--c--- C:\WINDOWS\system32\dllcache\abp480n5.sys
2007-11-29 10:58 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2007-11-28 23:39 . 2007-12-04 22:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-28 23:36 . 2007-11-28 23:36 <DIR> d-------- C:\Documents and Settings\Adrian\Application Data\MSN6
2007-11-28 22:47 . 2007-12-08 00:55 1,353,834 --a------ C:\WINDOWS\setupapi.log.1.old
2007-11-28 20:12 . 2007-12-07 21:21 121 --a------ C:\WINDOWS\bdagent.INI
2007-11-28 19:57 . 2007-11-28 19:57 <DIR> d-------- C:\Program Files\BitDefender
2007-11-28 19:57 . 2007-12-07 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-11-28 19:56 . 2007-12-07 21:21 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-11-28 16:41 . 2007-12-08 16:49 5,674 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-28 16:33 . 2007-11-28 16:33 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-11-28 15:56 . 2007-11-28 15:56 <DIR> d-------- C:\WINDOWS\provisioning
2007-11-28 15:56 . 2007-11-28 11:11 <DIR> d-------- C:\WINDOWS\peernet
2007-11-28 15:52 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002283_.tmp
2007-11-28 15:50 . 2007-12-07 23:06 <DIR> d-------- C:\WINDOWS\EHome
2007-11-28 15:41 . 2007-11-28 15:41 <DIR> d-------- C:\ae4cc492cc25ea9db44639db2c4800
2007-11-28 15:18 . 2007-11-28 15:18 278,927,592 --a------ C:\WindowsXP-KB835935-SP2-ENU.exe
2007-11-27 10:23 . 2007-11-27 11:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-27 01:21 . 2007-11-27 01:21 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-11-27 01:21 . 2007-11-27 01:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-27 01:21 . 2007-11-27 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-27 01:14 . 2007-11-27 01:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-27 00:57 . 2007-12-08 10:24 <DIR> dr--s---- C:\WINDOWS\Fonts
2007-11-27 00:52 . 2007-11-27 00:52 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-11-27 00:24 . 2007-11-27 00:24 <DIR> d-------- C:\WINDOWS\LogFiles
2007-11-26 23:57 . 2002-09-25 15:18 316,928 --a------ C:\WINDOWS\system32\zipfldr.dll
2007-11-26 23:56 . 2002-12-03 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-11-26 23:56 . 2002-12-03 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-11-26 23:56 . 2007-11-26 23:56 127 --a------ C:\WINDOWS\system32\MRT.INI
2007-11-26 23:55 . 2005-04-12 11:30 258,048 --a------ C:\WINDOWS\system32\_SiSParse.dll
2007-11-26 23:55 . 2005-04-12 11:30 184,320 --a------ C:\WINDOWS\system32\SiSInst.dll
2007-11-26 23:55 . 2003-01-10 14:43 143,872 --a------ C:\WINDOWS\system32\itircl.dll
2007-11-26 23:55 . 2003-01-10 14:43 122,368 --a------ C:\WINDOWS\system32\itss.dll
2007-11-26 23:55 . 2005-04-12 11:31 49,152 --a------ C:\WINDOWS\system32\SiSPower.dll
2007-11-26 23:55 . 2005-04-12 11:29 49,152 --a------ C:\WINDOWS\system32\_SiSBase.dll
2007-11-26 23:55 . 2003-01-10 14:43 37,888 --a------ C:\WINDOWS\system32\hhsetup.dll
2007-11-26 23:55 . 2002-12-17 17:43 10,752 --a------ C:\WINDOWS\hh.exe
2007-11-26 23:55 . 2005-04-12 11:29 7,168 --a------ C:\WINDOWS\InstFunc.dll
2007-11-26 23:54 . 2002-11-14 12:50 226,816 --a------ C:\WINDOWS\system32\srrstr.dll
2007-11-26 23:53 . 2007-11-26 23:58 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-11-26 23:53 . 2007-11-26 23:53 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-26 23:53 . 2002-09-30 10:58 125,440 --a------ C:\WINDOWS\system32\shmedia.dll
2007-11-26 23:53 . 2002-09-30 10:58 125,440 --a--c--- C:\WINDOWS\system32\dllcache\shmedia.dll
2007-11-26 23:53 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 23:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-08 23:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-27 09:56 --------- d-----w C:\Program Files\Odmeibds
2007-11-27 09:56 --------- d-----w C:\Program Files\Kacnyvrg
2007-11-27 09:56 --------- d-----w C:\Program Files\gvobmtwt
2007-11-26 22:40 --------- d-----w C:\Program Files\Microsoft Help
2007-11-26 22:35 --------- d-----w C:\Program Files\Common Files\Update
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\gvobmtwt ----


---- Directory of C:\Program Files\Kacnyvrg ----


---- Directory of C:\Program Files\Odmeibds ----


---- Directory of C:\WINDOWS\Fonts ----

2007-07-12 09:04 67 --ahs---- C:\WINDOWS\Fonts\desktop.ini
2002-03-25 19:43 379588 --a------ C:\WINDOWS\Fonts\tahoma.ttf
2002-03-25 19:43 352020 --a------ C:\WINDOWS\Fonts\tahomabd.ttf
2002-03-25 19:43 349636 --a------ C:\WINDOWS\Fonts\times.ttf
2002-03-25 19:43 311636 --a------ C:\WINDOWS\Fonts\arial.ttf
2002-03-25 19:43 171792 --a------ C:\WINDOWS\Fonts\verdana.ttf
2002-03-25 19:43 155068 --a------ C:\WINDOWS\Fonts\georgia.ttf
2002-03-25 19:43 134108 --a------ C:\WINDOWS\Fonts\trebuc.ttf
2001-08-18 04:00 9856 ---h-c--- C:\WINDOWS\Fonts\8514sysg.fon
2001-08-18 04:00 98256 ---h-c--- C:\WINDOWS\Fonts\sseriffr.fon
2001-08-18 04:00 9792 ---h-c--- C:\WINDOWS\Fonts\8514syst.fon
2001-08-18 04:00 9504 ---h-c--- C:\WINDOWS\Fonts\8514syse.fon
2001-08-18 04:00 9472 ---h-c--- C:\WINDOWS\Fonts\85s1257.fon
2001-08-18 04:00 9280 ---h-c--- C:\WINDOWS\Fonts\8514sys.fon
2001-08-18 04:00 9248 ---h-c--- C:\WINDOWS\Fonts\ega40869.fon
2001-08-18 04:00 9248 ---h-c--- C:\WINDOWS\Fonts\ega40737.fon
2001-08-18 04:00 9232 ---h-c--- C:\WINDOWS\Fonts\ega40866.fon
2001-08-18 04:00 92032 ---h-c--- C:\WINDOWS\Fonts\sseriffe.fon
2001-08-18 04:00 90736 ---h-c--- C:\WINDOWS\Fonts\seriffr.fon
2001-08-18 04:00 90336 ---h-c--- C:\WINDOWS\Fonts\ssef1257.fon
2001-08-18 04:00 90288 ---h-c--- C:\WINDOWS\Fonts\sseriffg.fon
2001-08-18 04:00 89856 ---h-c--- C:\WINDOWS\Fonts\sseriff.fon
2001-08-18 04:00 89456 ---h-c--- C:\WINDOWS\Fonts\sserifft.fon
2001-08-18 04:00 8704 --a------ C:\WINDOWS\Fonts\modern.fon
2001-08-18 04:00 8704 ---h-c--- C:\WINDOWS\Fonts\ega40857.fon
2001-08-18 04:00 86256 ---h-c--- C:\WINDOWS\Fonts\seriffg.fon
2001-08-18 04:00 85360 ---h-c--- C:\WINDOWS\Fonts\seriffe.fon
2001-08-18 04:00 84848 ---h-c--- C:\WINDOWS\Fonts\serifft.fon
2001-08-18 04:00 84080 ---h-c--- C:\WINDOWS\Fonts\serf1257.fon
2001-08-18 04:00 8384 ---h-c--- C:\WINDOWS\Fonts\ega40850.fon
2001-08-18 04:00 8368 ---h-c--- C:\WINDOWS\Fonts\ega40852.fon
2001-08-18 04:00 8368 ---h----- C:\WINDOWS\Fonts\ega40woa.fon
2001-08-18 04:00 81728 ---h-c--- C:\WINDOWS\Fonts\seriff.fon
2001-08-18 04:00 81000 --a------ C:\WINDOWS\Fonts\wingding.ttf
2001-08-18 04:00 79744 --a------ C:\WINDOWS\Fonts\estre.ttf
2001-08-18 04:00 73292 --a------ C:\WINDOWS\Fonts\latha.ttf
2001-08-18 04:00 7280 ---h----- C:\WINDOWS\Fonts\vgasys.fon
2001-08-18 04:00 7232 ---h-c--- C:\WINDOWS\Fonts\cga40866.fon
2001-08-18 04:00 7216 ---h-c--- C:\WINDOWS\Fonts\cga40869.fon
2001-08-18 04:00 7216 ---h-c--- C:\WINDOWS\Fonts\cga40737.fon
2001-08-18 04:00 7008 ---h-c--- C:\WINDOWS\Fonts\vgasysg.fon
2001-08-18 04:00 69464 --a------ C:\WINDOWS\Fonts\symbol.ttf
2001-08-18 04:00 6912 ---h-c--- C:\WINDOWS\Fonts\vgasyst.fon
2001-08-18 04:00 6912 ---h-c--- C:\WINDOWS\Fonts\vgasysr.fon
2001-08-18 04:00 68848 ---h-c--- C:\WINDOWS\Fonts\sserifer.fon
2001-08-18 04:00 6672 ---h-c--- C:\WINDOWS\Fonts\cga40857.fon
2001-08-18 04:00 6672 ---h-c--- C:\WINDOWS\Fonts\cga40852.fon
2001-08-18 04:00 6656 ---h-c--- C:\WINDOWS\Fonts\vgas1257.fon
2001-08-18 04:00 66464 ---h-c--- C:\WINDOWS\Fonts\sserifee.fon
2001-08-18 04:00 6608 ---h-c--- C:\WINDOWS\Fonts\vgasyse.fon
2001-08-18 04:00 65456 ---h-c--- C:\WINDOWS\Fonts\ssee1257.fon
2001-08-18 04:00 65328 ---h-c--- C:\WINDOWS\Fonts\sserifeg.fon
2001-08-18 04:00 64656 ---h----- C:\WINDOWS\Fonts\sserife.fon
2001-08-18 04:00 64400 ---h-c--- C:\WINDOWS\Fonts\sserifet.fon
2001-08-18 04:00 6352 ---h-c--- C:\WINDOWS\Fonts\cga40850.fon
2001-08-18 04:00 6336 ---h----- C:\WINDOWS\Fonts\cga40woa.fon
2001-08-18 04:00 63296 ---h-c--- C:\WINDOWS\Fonts\serifer.fon
2001-08-18 04:00 6192 ---h-c--- C:\WINDOWS\Fonts\ega80869.fon
2001-08-18 04:00 6192 ---h-c--- C:\WINDOWS\Fonts\ega80737.fon
2001-08-18 04:00 6160 ---h-c--- C:\WINDOWS\Fonts\vga852.fon
2001-08-18 04:00 6128 ---h-c--- C:\WINDOWS\Fonts\vga866.fon
2001-08-18 04:00 6112 ---h-c--- C:\WINDOWS\Fonts\vgafixt.fon
2001-08-18 04:00 6112 ---h-c--- C:\WINDOWS\Fonts\vgafixg.fon
2001-08-18 04:00 61024 ---h-c--- C:\WINDOWS\Fonts\serifet.fon
2001-08-18 04:00 60752 ---h-c--- C:\WINDOWS\Fonts\serifeg.fon
2001-08-18 04:00 59952 ---h-c--- C:\WINDOWS\Fonts\serifee.fon
2001-08-18 04:00 59024 ---h-c--- C:\WINDOWS\Fonts\sere1257.fon
2001-08-18 04:00 57936 ---h----- C:\WINDOWS\Fonts\serife.fon
2001-08-18 04:00 57348 --a------ C:\WINDOWS\Fonts\raavi.ttf
2001-08-18 04:00 5648 ---h-c--- C:\WINDOWS\Fonts\ega80857.fon
2001-08-18 04:00 56336 ---h----- C:\WINDOWS\Fonts\symbole.fon
2001-08-18 04:00 5600 ---h-c--- C:\WINDOWS\Fonts\vgafixr.fon
2001-08-18 04:00 5552 ---h-c--- C:\WINDOWS\Fonts\vga857.fon
2001-08-18 04:00 5376 ---h-c--- C:\WINDOWS\Fonts\vgafixe.fon
2001-08-18 04:00 5376 ---h-c--- C:\WINDOWS\Fonts\vgaf1257.fon
2001-08-18 04:00 5360 ---h----- C:\WINDOWS\Fonts\vgafix.fon
2001-08-18 04:00 5344 ---h-c--- C:\WINDOWS\Fonts\ega80852.fon
2001-08-18 04:00 5328 ---h-c--- C:\WINDOWS\Fonts\ega80850.fon
2001-08-18 04:00 5312 ---h----- C:\WINDOWS\Fonts\ega80woa.fon
2001-08-18 04:00 5280 ---h-c--- C:\WINDOWS\Fonts\ega80866.fon
2001-08-18 04:00 5232 ---h-c--- C:\WINDOWS\Fonts\vga850.fon
2001-08-18 04:00 5200 ---h-c--- C:\WINDOWS\Fonts\vga863.fon
2001-08-18 04:00 5200 ---h-c--- C:\WINDOWS\Fonts\cga80852.fon
2001-08-18 04:00 5184 ---h-c--- C:\WINDOWS\Fonts\vga869.fon
2001-08-18 04:00 5184 ---h-c--- C:\WINDOWS\Fonts\vga865.fon
2001-08-18 04:00 5184 ---h-c--- C:\WINDOWS\Fonts\vga860.fon
2001-08-18 04:00 5168 ---h-c--- C:\WINDOWS\Fonts\vga775.fon
2001-08-18 04:00 5168 ---h-c--- C:\WINDOWS\Fonts\vga737.fon
2001-08-18 04:00 5168 ---h-c--- C:\WINDOWS\Fonts\cga80869.fon
2001-08-18 04:00 5168 ---h-c--- C:\WINDOWS\Fonts\cga80866.fon
2001-08-18 04:00 5168 ---h-c--- C:\WINDOWS\Fonts\cga80737.fon
2001-08-18 04:00 5168 ---h----- C:\WINDOWS\Fonts\vgaoem.fon
2001-08-18 04:00 5120 ---h-c--- C:\WINDOWS\Fonts\vga855.fon
2001-08-18 04:00 489884 --a------ C:\WINDOWS\Fonts\pala.ttf
2001-08-18 04:00 4640 ---h-c--- C:\WINDOWS\Fonts\cga80857.fon
2001-08-18 04:00 434004 --a------ C:\WINDOWS\Fonts\palab.ttf
2001-08-18 04:00 4320 ---h-c--- C:\WINDOWS\Fonts\cga80850.fon
2001-08-18 04:00 430800 --a------ C:\WINDOWS\Fonts\palai.ttf
2001-08-18 04:00 4304 ---h----- C:\WINDOWS\Fonts\cga80woa.fon
2001-08-18 04:00 40500 --a------ C:\WINDOWS\Fonts\mvboli.ttf
2001-08-18 04:00 37472 ---h-c--- C:\WINDOWS\Fonts\app866.fon
2001-08-18 04:00 37296 ---h-c--- C:\WINDOWS\Fonts\app855.fon
2001-08-18 04:00 36672 ---h-c--- C:\WINDOWS\Fonts\app857.fon
2001-08-18 04:00 36672 ---h-c--- C:\WINDOWS\Fonts\app850.fon
2001-08-18 04:00 36656 ---h-c--- C:\WINDOWS\Fonts\app852.fon
2001-08-18 04:00 36656 ---h----- C:\WINDOWS\Fonts\dosapp.fon
2001-08-18 04:00 36336 ---h-c--- C:\WINDOWS\Fonts\dos737.fon
2001-08-18 04:00 35808 ---h-c--- C:\WINDOWS\Fonts\app775.fon
2001-08-18 04:00 344288 --a------ C:\WINDOWS\Fonts\palabi.ttf
2001-08-18 04:00 334944 --a------ C:\WINDOWS\Fonts\timesbd.ttf
2001-08-18 04:00 33360 ---h-c--- C:\WINDOWS\Fonts\courft.fon
2001-08-18 04:00 33344 ---h-c--- C:\WINDOWS\Fonts\courfg.fon
2001-08-18 04:00 323980 --a------ C:\WINDOWS\Fonts\l_10646.ttf
2001-08-18 04:00 31808 ---h-c--- C:\WINDOWS\Fonts\courfr.fon
2001-08-18 04:00 31776 ---h-c--- C:\WINDOWS\Fonts\courfe.fon
2001-08-18 04:00 31760 ---h-c--- C:\WINDOWS\Fonts\couf1257.fon
2001-08-18 04:00 31712 ---h-c--- C:\WINDOWS\Fonts\courf.fon
2001-08-18 04:00 312920 --a------ C:\WINDOWS\Fonts\courbd.ttf
2001-08-18 04:00 305724 --a------ C:\WINDOWS\Fonts\micross.ttf
2001-08-18 04:00 303296 --a------ C:\WINDOWS\Fonts\cour.ttf
2001-08-18 04:00 29200 ---h-c--- C:\WINDOWS\Fonts\smallet.fon
2001-08-18 04:00 28912 ---h-c--- C:\WINDOWS\Fonts\smalleg.fon
2001-08-18 04:00 288496 --a------ C:\WINDOWS\Fonts\arialbd.ttf
2001-08-18 04:00 26112 ---h----- C:\WINDOWS\Fonts\smalle.fon
2001-08-18 04:00 25024 ---h-c--- C:\WINDOWS\Fonts\couret.fon
2001-08-18 04:00 25024 ---h-c--- C:\WINDOWS\Fonts\coureg.fon
2001-08-18 04:00 248368 --a------ C:\WINDOWS\Fonts\timesi.ttf
2001-08-18 04:00 24832 ---h-c--- C:\WINDOWS\Fonts\smaller.fon
2001-08-18 04:00 24784 ---h-c--- C:\WINDOWS\Fonts\smallee.fon
2001-08-18 04:00 24672 ---h-c--- C:\WINDOWS\Fonts\smae1257.fon
2001-08-18 04:00 245032 --a------ C:\WINDOWS\Fonts\couri.ttf
2001-08-18 04:00 24124 ---h----- C:\WINDOWS\Fonts\marlett.ttf
2001-08-18 04:00 239692 --a------ C:\WINDOWS\Fonts\timesbi.ttf
2001-08-18 04:00 236148 --a------ C:\WINDOWS\Fonts\courbi.ttf


((((((((((((((((((((((((((((( snapshot@2007-12-09_13.00.50.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 06:19:49 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_458.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 13:51]
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 11:30]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-05-25 03:24]
"Internet Explorer"="C:\WINDOWS\patchw32.exe" []
"SiSPower"="Rundll32.exe" [2001-08-18 04:00 C:\WINDOWS\system32\rundll32.exe]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 14:49]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 18:50:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2007-12-08 15:23:44]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"


.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\DOCUME~1\Adrian\LOCALS~1\Temp\rjexviqnESARIO.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 22:21:03
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 22:21:35 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-09 13:01
.
--- E O F ---





And the HJT Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:07 PM, on 12/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Adrian\Desktop\malware downloads\hjt\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Internet Explorer] C:\WINDOWS\patchw32.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-790525478-1220945662-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196290982218
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6518 bytes

#14 SifuMike

Posted 12 December 2007 - 02:03 AM

Hi

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Hi Dana P,

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\patchw32.exe


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

#15 Dana P


Posted 12 December 2007 - 03:01 AM

Hi Mike,

I wasn't able to locate the file patchw32.exe in C:\Windows, although I did select 'show hidden files', unhide system files and unhide file extensions. That is weird because patchw32.exe is listed in the ComboFix log. Anyway, all I was able to find was "patchw32.dll", and I ran that in VirusTotal with no results:

Antivirus Version Last Update Result
AhnLab-V3 2007.12.12.0 2007.12.12 -
AntiVir 7.6.0.40 2007.12.11 -
Authentium 4.93.8 2007.12.11 -
Avast 4.7.1098.0 2007.12.11 -
AVG 7.5.0.503 2007.12.11 -
BitDefender 7.2 2007.12.12 -
CAT-QuickHeal 9.00 2007.12.11 -
ClamAV 0.91.2 2007.12.12 -
DrWeb 4.44.0.09170 2007.12.11 -
eSafe 7.0.15.0 2007.12.11 -
eTrust-Vet 31.3.5371 2007.12.12 -
Ewido 4.0 2007.12.11 -
FileAdvisor 1 2007.12.12 -
Fortinet 3.14.0.0 2007.12.12 -
F-Prot 4.4.2.54 2007.12.11 -
F-Secure 6.70.13030.0 2007.12.12 -
Ikarus T3.1.1.12 2007.12.12 -
Kaspersky 7.0.0.125 2007.12.12 -
McAfee 5183 2007.12.11 -
Microsoft 1.3007 2007.12.12 -
NOD32v2 2718 2007.12.12 -
Norman 5.80.02 2007.12.11 -
Panda 9.0.0.4 2007.12.12 -
Prevx1 V2 2007.12.12 -
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.12 -
Sunbelt 2.2.907.0 2007.12.12 -
Symantec 10 2007.12.12 -
TheHacker 6.2.9.155 2007.12.10 -
VBA32 3.12.2.5 2007.12.10 -
VirusBuster 4.3.26:9 2007.12.11 -
Webwasher-Gateway 6.6.2 2007.12.11 -

Additional information
File size: 197120 bytes
MD5: 3f30e7d132d62476db9ba5ebb0f7b902
SHA1: de83f87fcf06d5e468dc7cb5ac74a52baa0c9f07
PEiD: -

The only other file that resembles what we are looking for is just patch.exe, which I uploaded to virus total with no results either.
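As an added triage example (not code from the thread, ComboFix or HijackThis), the script below parses the "Reg Loading Points" and "DLLs Loaded Under Running Processes" formats from the ComboFix log posted above and flags the two items a helper would check first: Run values whose bracket is empty, which is read here as "file not found on disk" (an assumption that matches the poster being unable to find patchw32.exe), and DLLs loaded into a process from a Temp folder. The sample lines are constructed from the posted log.

```python
"""Triage of autostart and loaded-DLL lines in the ComboFix log format.

Added example; not ComboFix, HijackThis or forum code. Sample lines are
constructed from the formats in the thread. Reading an empty "[]" as
"file not found on disk" is an assumption based on the poster's observation.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    source: str   # "Run" (registry autostart) or "DLL" (module loaded in a process)
    name: str     # registry value name, or host process for a DLL finding
    target: str   # command or path the entry points to
    reason: str


# "ValueName"="command" [timestamp]   or   [timestamp resolved\path]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
PROC_RE = re.compile(r'^PROCESS:\s*(?P<proc>.+?)\s*\[')
DLL_RE = re.compile(r'^->\s*(?P<dll>\S.*?)\s*$')

# Constructed sample, modelled on the "Reg Loading Points" section of the log.
SAMPLE_RUN = r'''
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 13:51]
"Internet Explorer"="C:\WINDOWS\patchw32.exe" []
"SiSPower"="Rundll32.exe" [2001-08-18 04:00 C:\WINDOWS\system32\rundll32.exe]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
'''

# Constructed sample, modelled on "DLLs Loaded Under Running Processes".
SAMPLE_DLLS = r'''
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\DOCUME~1\Adrian\LOCALS~1\Temp\rjexviqnESARIO.dll
-> C:\WINDOWS\system32\shell32.dll
'''


def in_windir_root(path: str) -> bool:
    """True when a file sits directly in the Windows folder, not a subfolder."""
    return re.match(r'^[a-z]:\\windows\\[^\\]+$', path.lower()) is not None


def triage_run_entries(text: str) -> list:
    """Flag Run values with no on-disk timestamp or that run from the Windows root."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        name, cmd, stamp = m.group("name"), m.group("cmd"), m.group("stamp")
        # For a bare command (e.g. Rundll32.exe) the resolved path follows the timestamp.
        parts = stamp.split(" ", 2)
        target = parts[2] if len(parts) == 3 else cmd
        if not stamp:
            findings.append(Finding("Run", name, cmd,
                            "no on-disk timestamp: target missing from disk or hidden"))
        elif in_windir_root(target):
            findings.append(Finding("Run", name, target,
                            "runs from the Windows folder root: verify publisher and hash"))
    return findings


def triage_loaded_dlls(text: str) -> list:
    """Flag modules a process loaded from a Temp directory."""
    findings, proc = [], "?"
    for line in text.splitlines():
        pm = PROC_RE.match(line)
        if pm:
            proc = pm.group("proc")
            continue
        dm = DLL_RE.match(line)
        if dm and "\\temp\\" in dm.group("dll").lower():
            findings.append(Finding("DLL", proc, dm.group("dll"),
                            "module loaded from a Temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN) + triage_loaded_dlls(SAMPLE_DLLS):
        print(f"[{f.source}] {f.name}: {f.target}\n        {f.reason}")
```

A flagged entry is a lead to verify (publisher, hash, VirusTotal result), not a verdict; AGRSMMSG.exe in the sample is a legitimate modem helper that simply lives in the Windows root.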



