Dire Need Of The Forum's Help: Gomyhit Spyware



#1 carepang
Posted 23 December 2007 - 03:57 PM

I need your help in removing the gomyhit spyware on my system. I looked through the forums and found a similar problem. I have followed the first set of instructions posted by RichieUK by downloading sdfix.exe. Here is my report.txt file log:


SDFix: Version 1.119

Run by tofuttirice on Sun 12/23/2007 at 02:36 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Killing PID 1004 'shell.exe'

Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 37888 12/22/2007 10:52 PM
"C:\WINDOWS\system32\drivers\beep.sys" 37888 12/22/2007 10:52 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

Trojan File copied to Backups Folder
Attempting to replace beep.sys with original version...

Original beep.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\DLLGH8~1.EXE - Deleted
C:\WINDOWS\Temp\nsq14.tmp\nsq14.tmp.exe - Deleted
C:\WINDOWS\system32\CatRoot\TMP4A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP74.tmp - Deleted
C:\WINDOWS\Temp\nsq14.tmp\nsq14.tmp.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\tofuttirice\Start Menu\Programs\Startup\findfast.exe - Deleted
C:\Documents and Settings\tofuttirice\Application Data\antivirus.exe - Deleted
C:\autorun.inf - Deleted
C:\WINDOWS\Downloaded Program Files\UGA6P_4444_N122M2811NetInstaller.exe - Deleted
C:\WINDOWS\shell.exe - Deleted
C:\WINDOWS\system32\kernelw.sys - Deleted
C:\WINDOWS\system32\kernelwind32.exe - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\Setup\setup.exe - Deleted
C:\WINDOWS\system32\spoolvs.exe - Deleted
C:\WINDOWS\system32\system32.exe - Deleted
C:\WINDOWS\Temp\temp.exe - Deleted
C:\WINDOWS\windows.exe - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 14:43:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\tofuttirice\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\tofuttirice\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\tofuttirice\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\tofuttirice\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe:*:Enabled:SMC Service"
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE:*:Enabled:SNAC Service"
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe:*:Enabled:Symantec Email"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\tofuttirice\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\tofuttirice\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\tofuttirice\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\tofuttirice\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 23 Dec 2007 89,088 ..SH. --- "C:\B80B352C.exe"
Sun 23 Dec 2007 89,088 ...H. --- "C:\01e6d4c15817bf3598c7\01e6d4c15817bf3598c7.exe"
Sun 23 Dec 2007 89,088 ...H. --- "C:\b88670b420bc9223f8\b88670b420bc9223f8.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\i386\i386.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\i386\msimn.exe"
Sun 23 Dec 2007 89,088 ...H. --- "C:\Documents and Settings\All Users\All Users.exe"
Sun 23 Dec 2007 89,088 ...H. --- "C:\Documents and Settings\tofuttirice\tofuttirice.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sun 25 Nov 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\addins\addins.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\AppPatch\AppPatch.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Debug\Debug.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Help\Help.exe"
Sat 22 Dec 2007 89,088 A..H. --- "C:\WINDOWS\Internet Logs\Internet Logs.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Media\Media.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Minidump\Minidump.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\msagent\msagent.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Registration\Registration.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\repair\repair.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\ShellNew\ShellNew.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\SoftwareDistribution.exe"
Sun 23 Dec 2007 89,088 ..SH. --- "C:\WINDOWS\system32\shovth.exe"
Sun 23 Dec 2007 89,088 ..SH. --- "C:\WINDOWS\system32\winsn.exe"
Sun 23 Dec 2007 89,088 ...H. --- "C:\dell\Contracts\Qualxserv\Qualxserv.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\Documents and Settings\All Users\Desktop\Desktop.exe"
Sun 23 Dec 2007 89,088 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\Desktop.exe"
Sat 16 Dec 2006 253,440 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL0002.tmp"
Sat 16 Dec 2006 253,440 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL0004.tmp"
Sat 16 Dec 2006 253,952 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL0199.tmp"
Sat 16 Dec 2006 254,976 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL0335.tmp"
Sat 16 Dec 2006 253,952 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL0950.tmp"
Sat 16 Dec 2006 253,952 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL1123.tmp"
Sat 16 Dec 2006 253,952 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL1187.tmp"
Sat 16 Dec 2006 253,952 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL1295.tmp"
Sat 16 Dec 2006 254,976 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL3312.tmp"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\{54C0D94A-F467-4ABC-9D02-6E58748668D4}.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\{59C4F14F-7590-45FC-BE9F-A67AB3590709}.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\Download.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\EventCache\EventCache.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\1033\1033.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\CatRoot2\CatRoot2.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\config\config.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\dla\dla.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\drivers\drivers.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\IOSUBSYS\IOSUBSYS.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\Restore\Restore.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\wbem\wbem.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Manifests\Manifests.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9839.0_x-ww_ed80bd5c\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9839.0_x-ww_ed80bd5c.exe"
Fri 13 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 3 Oct 2007 407 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 3 Oct 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\da.lproj\da.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\de.lproj\de.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\en.lproj\en.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\es.lproj\es.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\fi.lproj\fi.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\fr.lproj\fr.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\it.lproj\it.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\ja.lproj\ja.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\ko.lproj\ko.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\nl.lproj\nl.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\no.lproj\no.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\sv.lproj\sv.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\zh_CN.lproj\zh_CN.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\zh_TW.lproj\zh_TW.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\da.lproj\da.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\de.lproj\de.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\en.lproj\en.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\es.lproj\es.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\fi.lproj\fi.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\fr.lproj\fr.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\it.lproj\it.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\ja.lproj\ja.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\ko.lproj\ko.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\nb.lproj\nb.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\nl.lproj\nl.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\sv.lproj\sv.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\zh_CN.lproj\zh_CN.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\zh_TW.lproj\zh_TW.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\da.lproj\da.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\de.lproj\de.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\en.lproj\en.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\es.lproj\es.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\fi.lproj\fi.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\fr.lproj\fr.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\it.lproj\it.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\ja.lproj\ja.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\ko.lproj\ko.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\nl.lproj\nl.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\no.lproj\no.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\sv.lproj\sv.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\zh_CN.lproj\zh_CN.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\zh_TW.lproj\zh_TW.lproj.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Help\SBSI\Training\Training.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\v1.1.4322.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\pchealth\helpctr\binaries\binaries.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\pchealth\helpctr\Config\Config.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\pchealth\helpctr\DataColl\DataColl.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\pchealth\helpctr\PackageStore\PackageStore.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Resources\Themes\Luna\Luna.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\7971f918-a847-4430-9279-4a52d1efe18d.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\Logs.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\0facce6115ab861022eae3087e064a2a\0facce6115ab861022eae3087e064a2a.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\355f788b6de8a3ec79e9aa172e6317f1.exe"
Tue 18 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITA.tmp"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\e3709fbfd9557a7d083f543d51d38612.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\e858ee913d8b8f3c06a5389f57403189\e858ee913d8b8f3c06a5389f57403189.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\7971F918-A847-4430-9279-4A52D1EFE18D.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\9482F4B4-E343-43B6-B170-9A65BC822C77.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\config\systemprofile\systemprofile.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\drivers\etc\etc.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\LogFiles\HTTPERR\HTTPERR.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\Macromed\Common\Common.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\Macromed\Director\Director.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\Macromed\Flash\Flash.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\Macromed\Shockwave 10\Shockwave 10.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\mui\0409\0409.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\wbem\Logs\Logs.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\wbem\Performance\Performance.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\wbem\xml\xml.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_x-ww_527a1c68\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_x-ww_527a1c68.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510.exe"
Sun 2 Dec 2007 31,232 ...H. --- "C:\Documents and Settings\tofuttirice\My Documents\Job Hunt\Cover Letters - Applied\~WRL1758.tmp"
Tue 20 Nov 2007 29,184 A..H. --- "C:\Documents and Settings\tofuttirice\My Documents\Job Hunt\Cover Letters - Applied\~WRL1807.tmp"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\CONFIG.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2356\SHADOW2356.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\pchealth\helpctr\Config\Cache\Cache.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\0facce6115ab861022eae3087e064a2a\SP2QFE\SP2QFE.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\0facce6115ab861022eae3087e064a2a\update\update.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\sp2gdr\sp2gdr.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\sp2qfe\sp2qfe.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\update\update.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\SP2GDR.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\SP2QFE.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\update\update.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\SoftwareDistribution\Download\e858ee913d8b8f3c06a5389f57403189\update\update.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras\Xtras.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\spool\drivers\color\color.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\w32x86.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\spool\prtprocs\w32x86\w32x86.exe"
Tue 25 Oct 2005 19,968 A..H. --- "C:\Documents and Settings\tofuttirice\My Documents\My Classes\1st Year\Policy\~WRL0004.tmp"
Tue 25 Oct 2005 19,968 A..H. --- "C:\Documents and Settings\tofuttirice\My Documents\My Classes\1st Year\Policy\~WRL0100.tmp"
Tue 25 Oct 2005 20,480 A..H. --- "C:\Documents and Settings\tofuttirice\My Documents\My Classes\1st Year\Policy\~WRL0372.tmp"
Tue 25 Oct 2005 20,480 A..H. --- "C:\Documents and Settings\tofuttirice\My Documents\My Classes\1st Year\Policy\~WRL1045.tmp"
Tue 25 Oct 2005 22,016 A..H. --- "C:\Documents and Settings\tofuttirice\My Documents\My Classes\1st Year\Policy\~WRL1348.tmp"
Tue 25 Oct 2005 23,040 A..H. --- "C:\Documents and Settings\tofuttirice\My Documents\My Classes\1st Year\Policy\~WRL2123.tmp"
Tue 25 Oct 2005 22,016 A..H. --- "C:\Documents and Settings\tofuttirice\My Documents\My Classes\1st Year\Policy\~WRL3388.tmp"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor\NormalColor.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\spool\drivers\w32x86\3\3.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374\7.0.6000.374.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\7.0.6000.381.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.374\7.0.6000.374.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\7.0.6000.381.exe"
Thu 7 Jul 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Thu 7 Jul 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!
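As an added example (not part of carepang's post and not SDFix's own code), the following Python script parses the two sections of an SDFix-style report that carry the most signal in the log above, the "Files with Hidden Attributes" listing and the Windows Firewall AuthorizedApplications export, and flags the two patterns visible there: hidden executables named after their parent folder and all of one size, and enabled firewall exceptions that reuse the generic @xpsp2res.dll,-22019 description for anything other than Windows' own sessmgr.exe entry. The sample lines embedded in the script are a constructed handful in the same layout, and the sessmgr.exe allow-list is a heuristic, not a verdict.

```python
"""Triage helpers for an SDFix-style report (added example; constructed sample lines)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One line of the "Files with Hidden Attributes" section:
#   <Day dd Mon yyyy> <size> <attrs> --- "<path>"
HIDDEN_LINE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) '
    r'(?P<attrs>\S{5}) --- "(?P<path>.+)"$'
)
# One line of the AuthorizedApplications .reg export: "<path>"="<path>:<scope>:<mode>:<desc>"
FIREWALL_LINE = re.compile(r'^"[^"]+"="(?P<value>[^"]+)"$')

# Windows' generic resource string. Remote Assistance (sessmgr.exe) uses it legitimately;
# any other executable reusing it registered its own exception (heuristic, not a verdict).
GENERIC_DESC = "@xpsp2res.dll,-22019"
MS_DEFAULT_ENTRIES = {r"%windir%\system32\sessmgr.exe"}

# Constructed excerpts in the report layout from the post (not the full log).
SAMPLE_HIDDEN = r'''
Sun 23 Dec 2007 89,088 ..SH. --- "C:\B80B352C.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\Help\Help.exe"
Sat 22 Dec 2007 89,088 ...H. --- "C:\WINDOWS\system32\config\config.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sun 25 Nov 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 16 Dec 2006 253,440 ...H. --- "C:\Documents and Settings\tofuttirice\Desktop\~WRL0002.tmp"
'''
SAMPLE_FIREWALL = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Documents and Settings\\tofuttirice\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\tofuttirice\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
'''


def parse_hidden_files(text):
    """Return (size_bytes, attrs, PureWindowsPath) per hidden-attribute line; other lines skipped."""
    records = []
    for line in text.splitlines():
        m = HIDDEN_LINE.match(line.strip())
        if m:
            records.append((int(m["size"].replace(",", "")), m["attrs"],
                            PureWindowsPath(m["path"])))
    return records


def folder_name_mimics(records):
    """Executables named after the folder that contains them, the self-copying pattern
    that fills the log (for example ...\\Help\\Help.exe); sorted for stable output."""
    return sorted(str(p) for _, _, p in records
                  if p.suffix.lower() == ".exe" and p.stem.lower() == p.parent.name.lower())


def size_clusters(records, min_count=3):
    """Byte sizes shared by at least min_count hidden executables: one dropper copied around."""
    sizes = Counter(size for size, _, p in records if p.suffix.lower() == ".exe")
    return {size: n for size, n in sizes.items() if n >= min_count}


def parse_firewall_export(text):
    """Return (path, mode, description) per AuthorizedApplications entry."""
    entries = []
    for line in text.splitlines():
        m = FIREWALL_LINE.match(line.strip())
        if not m:
            continue
        value = m["value"].replace("\\\\", "\\")        # undo .reg backslash escaping
        path, _scope, mode, desc = value.rsplit(":", 3)  # the path itself contains "C:"
        entries.append((path, mode, desc))
    return entries


def suspicious_firewall_entries(entries):
    """Enabled exceptions using the generic description for anything but the MS default."""
    defaults = {e.lower() for e in MS_DEFAULT_ENTRIES}
    return sorted(path for path, mode, desc in entries
                  if mode.lower() == "enabled" and desc == GENERIC_DESC
                  and path.lower() not in defaults)


def triage(hidden_text, firewall_text):
    """Run every check over the two report sections and return one dict of findings."""
    hidden = parse_hidden_files(hidden_text)
    return {
        "hidden_files": len(hidden),
        "folder_name_mimics": folder_name_mimics(hidden),
        "size_clusters": size_clusters(hidden),
        "self_registered_firewall_exceptions":
            suspicious_firewall_entries(parse_firewall_export(firewall_text)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HIDDEN, SAMPLE_FIREWALL).items():
        print(f"{key}: {value}")
```

Feeding the full report.txt from the post through the same two parsers would return the whole folder-name family and every self-registered exception, which is the list a helper would compare against the files SDFix already deleted.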

#2 OldTimer
Posted 02 January 2008 - 11:14 PM

Hello carepang and welcome to the BC HijackThis forum. Let's see what's going on in the system.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • In the Driver Services section click on Non-Microsoft.
  • In the Rootkit Search section click on Yes.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - Disabled MS Config Items
    • Reg - Security Settings
    • Reg - Software Policy Settings
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
