Help Badly Infected



#1 drew16


Posted 03 June 2008 - 12:17 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry842565
Forum originated


Dss Logs
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-03 00:20:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-06-03 04:21:06 UTC - RP18 - Deckard's System Scanner Restore Point
17: 2008-06-02 07:00:34 UTC - RP17 - Software Distribution Service 3.0
16: 2008-06-01 23:13:51 UTC - RP16 - Installed SUPERAntiSpyware Free Edition
15: 2008-06-01 10:03:52 UTC - RP15 - Software Distribution Service 3.0
14: 2008-06-01 10:00:05 UTC - RP14 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-26 05:07:13 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:17 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\TOSHIBA\ivp\ISM\pinger.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: nhmxajkl.dll - {17AC9076-C898-B098-D098-A18319080971} - C:\WINDOWS\System32\nhmxajkl.dll (file missing)
O2 - BHO: skqnbbib.dll - {22023698-6984-8541-9654-698745012522} - C:\WINDOWS\System32\skqnbbib.dll (file missing)
O2 - BHO: pjjxcdwd.dll - {34FAE856-AD58-20CB-A025-CD4895FA6E43} - C:\WINDOWS\System32\pjjxcdwd.dll (file missing)
O2 - BHO: lofscjbo.dll - {370165F1-9F65-569F-F895-F14F58F41073} - C:\WINDOWS\system32\lofscjbo.dll (file missing)
O2 - BHO: mnmhdsrv.dll - {4C8D1401-A58D-A81C-CD24-A5915C4517C4} - C:\WINDOWS\System32\mnmhdsrv.dll (file missing)
O2 - BHO: zywmeime.dll - {5319A1F1-9410-9654-3201-345FFA349135} - C:\WINDOWS\System32\zywmeime.dll (file missing)
O2 - BHO: Baiwanbar - {B219CEE8-07F4-4FDD-9753-ECB78258F0CA} - C:\WINDOWS\System32\baiwancai.dll
O3 - Toolbar: ░┘═˛░╔ - {B219CEE8-07F4-4FDD-9753-ECB78258F0CA} - C:\WINDOWS\System32\baiwancai.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [kcomw] kcomw32.exe
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211778913584
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211757110608
O20 - AppInit_DLLs: fnhwe.dll,fyrgtr.dll,ghrst.dll,ethyg.dll,yuker.dll,gtujerg.dll,fydfgk.dll,ukrth.
dll,fghdghu.dll,reger.dll,tynjder.dll,wefgh.dll,gfcfg.dll,frntrn.dll,qrhhb.dll,d
rghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgn
fx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dl
l,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnai
t.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,rhdhj.dll,jyjlt.dll,ijatnaw.dll,s
ehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,thrtgth.dll,setrhes.d
ll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,f
jyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,yjrfe.dll,dscef.dll,crugd.dll,
lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll
,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 8635 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TVALD (Toshiba ACPI-Based Value Added Logical Device Driver) - c:\windows\system32\drivers\tvald.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device>
R0 TVALG (Toshiba Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalg.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Value Added Logical and General Purpose Device Driver>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 TMEI3E - c:\windows\system32\drivers\tmei3e.sys <Not Verified; Toshiba Corporation; Toshiba Mobile Extension>

S0 r3fwvq - c:\windows\system32\drivers\r3fwvq.sys (file missing)
S0 xsq8lwus2y (xsq8lwus2) - c:\windows\system32\drivers\xsq8lwus2y.sys
S3 Atixeve2298 - c:\windows\temp\~wxp2ins.667.tmp (file missing)
S3 Atixeve24798 - c:\windows\temp\~wxp2ins.318.tmp (file missing)
S3 Atixeve2591 - c:\windows\temp\~wxp2ins.380.tmp (file missing)
S3 Atixeve27348 - c:\windows\temp\~wxp2ins.207.tmp (file missing)
S3 Atixeve28229 - c:\windows\temp\~wxp2ins.59.tmp (file missing)
S3 Atixeve2956 - c:\windows\temp\~wxp2ins.165.tmp (file missing)
S3 EL3C574 (3Com-3C574-TX_Fast_EtherLink_PC_Card Device Driver) - c:\windows\system32\drivers\el574nd4.sys (file missing)
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
S3 tosrfec (Bluetooth ACPI from TOSHIBA) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>
S3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>
S3 XDva164 - c:\windows\system32\xdva164.sys (file missing)
S3 XDva167 - c:\windows\system32\xdva167.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 Tmesbs (Tmesbs32) - "c:\program files\toshiba\tme3\tmesbs32.exe" /service <Not Verified; TOSHIBA Corporation; TOSHIBA Mobile Extension Slim Select Bay Service>
R2 Tmesrv (Tmesrv3) - "c:\program files\toshiba\tme3\tmesrv31.exe" /service <Not Verified; TOSHIBA; TOSHIBA MobileExtension Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2000-02-14 23:56:41 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job
2000-02-14 23:56:40 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job
2000-02-14 23:56:40 258 --a------ C:\WINDOWS\Tasks\Registration reminder 1.job


-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-03 00:21:45 0 d-------- C:\Program Files\Trend Micro
2008-06-01 19:31:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-01 19:14:09 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-01 19:13:53 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-01 19:13:53 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-01 19:13:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 17:42:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-01 17:42:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-01 17:42:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-01 12:53:12 0 d-------- C:\WINDOWS\BDOSCAN8
2008-05-26 00:50:19 0 d-------- C:\WINDOWS\Prefetch
2008-05-25 23:03:13 0 d-------- C:\WINDOWS\setup.pss
2008-05-25 21:30:36 0 d--h----- C:\WINDOWS\ShellNew
2008-05-25 21:28:59 0 d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2008-05-25 21:03:53 11416 --a------ C:\WINDOWS\system32\ohes16.exe
2008-05-25 19:57:36 24 --a------ C:\WINDOWS\system32\pzzxaime.sys
2008-05-25 19:57:16 24 --a------ C:\WINDOWS\system32\ijsgajba.sys
2008-05-25 19:42:59 0 d-------- C:\WINDOWS\system32\appmgmt
2008-05-25 19:18:51 0 d-------- C:\WINDOWS\Provisioning
2008-05-25 19:18:51 0 d-------- C:\WINDOWS\PeerNet
2008-05-25 19:18:51 0 d-------- C:\WINDOWS\ehome
2008-05-25 18:14:46 0 d--h----- C:\WINDOWS\$hf_mig$
2008-05-25 18:04:36 0 d-------- C:\WINDOWS\system32\bits
2008-05-25 16:54:30 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-05-25 16:52:06 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-05-25 16:41:48 0 d-------- C:\Program Files\Symantec
2008-05-25 16:41:23 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-25 16:41:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-25 16:41:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-24 12:37:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-24 12:15:27 0 d--hs---- C:\WINDOWS\CSC
2008-05-24 09:50:43 24 --a------ C:\WINDOWS\system32\lesxachu.sys
2008-05-24 09:50:27 24 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-05-24 09:50:25 24 --a------ C:\WINDOWS\system32\ijzhatde.sys
2008-05-24 09:50:23 24 --a------ C:\WINDOWS\system32\toqnabib.sys
2008-05-24 09:50:09 24 --a------ C:\WINDOWS\system32\efwsakop.sys
2008-05-24 09:48:29 24 --a------ C:\WINDOWS\system32\pzwmaime.sys
2008-05-23 17:04:24 0 d-------- C:\Program Files\Common Files\Real
2008-05-23 17:03:49 65536 --a------ C:\WINDOWS\system32\baiwancai.dll <Not Verified; ; baiwancai Module>
2008-05-23 14:15:02 6248 --a------ C:\WINDOWS\system32\atielf.dat
2008-05-21 18:12:39 0 d-------- C:\Documents and Settings\Owner\Application Data\Ventrilo
2008-05-20 15:03:17 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-05-20 13:30:40 0 d---s---- C:\Documents and Settings\Owner\UserData
2008-05-16 12:12:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Nexon
2008-05-16 12:03:08 0 d-------- C:\Nexon
2008-05-12 10:54:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-11 23:08:09 2097152 --a------ C:\Documents and Settings\Owner\ntuser.dat
2008-05-11 23:06:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-11 22:26:39 0 d-------- C:\Program Files\OGPlanet


-- Find3M Report ---------------------------------------------------------------

2008-06-01 19:13:24 0 d-------- C:\Program Files\Common Files
2008-05-25 23:42:57 0 d-------- C:\Program Files\Movie Maker
2008-05-25 23:41:12 23348 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-05-25 23:40:11 0 d-------- C:\Program Files\Messenger
2008-05-25 23:40:06 0 d-------- C:\Program Files\Windows NT
2008-05-25 21:28:29 0 d-------- C:\Program Files\microsoft frontpage
2008-05-25 21:14:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-25 21:09:21 0 d-------- C:\Program Files\Toshiba
2008-05-25 16:52:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-05-12 11:11:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17AC9076-C898-B098-D098-A18319080971}]
C:\WINDOWS\System32\nhmxajkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22023698-6984-8541-9654-698745012522}]
C:\WINDOWS\System32\skqnbbib.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34FAE856-AD58-20CB-A025-CD4895FA6E43}]
C:\WINDOWS\System32\pjjxcdwd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{370165F1-9F65-569F-F895-F14F58F41073}]
C:\WINDOWS\system32\lofscjbo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C8D1401-A58D-A81C-CD24-A5915C4517C4}]
C:\WINDOWS\System32\mnmhdsrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5319A1F1-9410-9654-3201-345FFA349135}]
C:\WINDOWS\System32\zywmeime.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B219CEE8-07F4-4FDD-9753-ECB78258F0CA}]
05/24/2008 07:51 PM 65536 --a------ C:\WINDOWS\System32\baiwancai.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B219CEE8-07F4-4FDD-9753-ECB78258F0CA}"= C:\WINDOWS\System32\baiwancai.dll [05/24/2008 07:51 PM 65536]

[-HKEY_CLASSES_ROOT\CLSID\{B219CEE8-07F4-4FDD-9753-ECB78258F0CA}]
[HKEY_CLASSES_ROOT\Baiwancai.Baiwanbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{9AED3432-B917-41B0-83AC-9B400AAAC154}]
[HKEY_CLASSES_ROOT\Baiwancai.Baiwanbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/06/2003 11:19 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/06/2003 11:07 AM]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [04/15/2003 11:01 PM]
"000StTHK"="000StTHK.exe" [06/23/2001 11:28 PM C:\WINDOWS\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [08/03/2001 04:08 AM C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [05/15/2003 01:32 PM C:\WINDOWS\system32\TPWRTRAY.EXE]
"TFncKy"="TFncKy.exe" []
"NDSTray.exe"="NDSTray.exe" []
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [05/16/2003 12:28 AM]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [05/20/2003 12:11 AM]
"TMEEJME.EXE"="C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE" [05/16/2003 12:26 AM]
"TMESBS.EXE"="C:\Program Files\TOSHIBA\TME3\TMESBS32.exe" [05/16/2003 08:25 PM]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [01/02/2003 03:16 AM]
"AGRSMMSG"="AGRSMMSG.exe" [04/17/2003 10:20 PM C:\WINDOWS\agrsmmsg.exe]
"Pinger"="C:\TOSHIBA\ivp\ISM\pinger.exe" [10/17/2002 05:21 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [6/23/2003 3:17:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"kcomw"=kcomw32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4C8D1401-A58D-A81C-CD24-A5915C4517C4}"= C:\WINDOWS\System32\mnmhdsrv.dll [ ]
"{5319A1F1-9410-9654-3201-345FFA349135}"= C:\WINDOWS\System32\zywmeime.dll [ ]
"{84143967-B645-4BFF-B873-DA1DC886E9A7}"= C:\WINDOWS\System32\cedafb.dll [ ]
"{34FAE856-AD58-20CB-A025-CD4895FA6E43}"= C:\WINDOWS\System32\pjjxcdwd.dll [ ]
"{17AC9076-C898-B098-D098-A18319080971}"= C:\WINDOWS\System32\nhmxajkl.dll [ ]
"{370165F1-9F65-569F-F895-F14F58F41073}"= C:\WINDOWS\system32\lofscjbo.dll [ ]
"{22023698-6984-8541-9654-698745012522}"= C:\WINDOWS\System32\skqnbbib.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=fnhwe.dll,fyrgtr.dll,ghrst.dll,ethyg.dll,yuker.dll,gtujerg.dll,fydfgk.dll,
ukrth.dll,fghdghu.dll,reger.dll,tynjder.dll,wefgh.dll,gfcfg.dll,frntrn.dll,qrhhb
.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dl
l,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xd
ndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll
,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,rhdhj.dll,jyjlt.dll,ijatnaw
.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,thrtgth.dll,set
rhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd
.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,yjrfe.dll,dscef.dll,crug
d.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,ste
hs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ati2evxx.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\egui.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\idag.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kaccore.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPF.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVScan.kxp]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NPFMntor.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyDBG.EXE]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyICE.EXE]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\qqsc.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravtool.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regtool.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exeFYFireWall.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwstub.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safebank.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UmxCfg.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WinDbg.exe]
Debugger=C:\WINDOWS\System32\svchost.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




-- End of Deckard's System Scanner: finished at 2008-06-03 00:23:12 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1200MHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 494.86 MiB / 149.06 MiB
Pagefile Memory (total/avail): 1157.39 MiB / 884.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.07 MiB

C: is Fixed (NTFS) - 27.95 GiB total, 19.46 GiB free.
D: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - IC25N030ATCS04-0 - 27.95 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 27.95 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.0.359 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windows® NetMeeting®"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOMELAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\HOMELAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=HOMELAPTOP
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
CABAL Online --> "C:\Program Files\OGPlanet\CABAL Online\unins000.exe"
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus --> MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\Setup.exe"
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9
TOSHIBA Display Devices Change Utility --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TDspBtn.inf,DefaultUninstall,5
Toshiba Hotkey Utility for Display Devices --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TFNF5Wxp.inf,DefaultUninstall,5
TOSHIBA Mobile Extension3 for Windows XP V3.41.00.XP --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TME3\Uninst.isu" -c"C:\Program Files\TOSHIBA\TME3\uninstx.dll"
TOSHIBA Power Saver --> TPWRDEL.EXE
Toshiba Registration --> MsiExec.exe /X{F6C405D2-C50D-4D10-B89E-73A233A14D74}
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> C:\TOSHIBA\ivp\swupdate\UNWISE.EXE C:\TOSHIBA\ivp\swupdate\INSTALL.LOG
Toshiba Tbiosdrv Driver --> C:\PROGRA~1\Toshiba\TOSHIB~3\UNWISE.EXE C:\PROGRA~1\Toshiba\TOSHIB~3\INSTALL.LOG
TOSHIBA Utilities --> tutildel.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1250 / Error
Event Submitted/Written: 06/02/2008 11:42:07 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application notepad.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1238 / Error
Event Submitted/Written: 06/02/2008 10:17:28 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1230 / Error
Event Submitted/Written: 06/02/2008 07:40:56 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application notepad.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1229 / Error
Event Submitted/Written: 06/01/2008 10:47:36 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1228 / Error
Event Submitted/Written: 06/01/2008 10:43:03 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application notepad.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4669 / Error
Event Submitted/Written: 06/01/2008 06:52:37 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type4668 / Error
Event Submitted/Written: 06/01/2008 06:52:37 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type4667 / Error
Event Submitted/Written: 06/01/2008 06:52:37 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type4666 / Error
Event Submitted/Written: 06/01/2008 06:52:37 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type4665 / Error
Event Submitted/Written: 06/01/2008 06:52:37 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-06-03 00:23:12 ------------


#2 drew16

  • Topic Starter

Posted 03 June 2008 - 12:21 AM

SDfix Logs

SDFix: Version 1.187
Run by Administrator on Tue 06/03/2008 at 12:51 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 01:02:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253
C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\BIT2E.tmp 154875 bytes
C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\_downloadprogress_.state 4 bytes
C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\_usedelta_.state 34 bytes
C:\WINDOWS\system32\fjyjy.cfg 824 bytes
C:\WINDOWS\system32\fjyjy.dll 32024 bytes executable
C:\WINDOWS\system32\fnhwe.dll 9216 bytes executable
C:\WINDOWS\system32\jzijj.cfg 1368 bytes
C:\WINDOWS\system32\njritc.cfg 688 bytes
C:\WINDOWS\system32\njritc.dll 30352 bytes executable
C:\WINDOWS\system32\fyrgtr.dll 9216 bytes executable
C:\WINDOWS\system32\xgnfn.cfg 688 bytes
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\INF
C:\WINDOWS\LastGood\INF\oem31.inf 0 bytes
C:\WINDOWS\LastGood\INF\oem31.PNF 0 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 16


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windows® NetMeeting®"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Sun 8 Aug 2004 3,120 A.SH. --- "C:\WINDOWS\system32\aoqnabib.sys"
Sun 8 Aug 2004 2,600 A.SH. --- "C:\WINDOWS\system32\bcsxachu.sys"
Thu 29 Aug 2002 32,024 A.SH. --- "C:\WINDOWS\system32\fjyjy.dll"
Thu 29 Aug 2002 9,216 A.SH. --- "C:\WINDOWS\system32\fnhwe.dll"
Sat 7 Aug 2004 6,240 A.SH. --- "C:\WINDOWS\system32\fstlbsys.sys"
Sun 8 Aug 2004 3,120 A.SH. --- "C:\WINDOWS\system32\fxwmbime.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\fxzxbime.sys"
Thu 29 Aug 2002 9,216 A.SH. --- "C:\WINDOWS\system32\fyrgtr.dll"
Sat 7 Aug 2004 2,600 A.SH. --- "C:\WINDOWS\system32\fzmsbwin.sys"
Sun 8 Aug 2004 3,120 A.SH. --- "C:\WINDOWS\system32\fzptbjpg.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\gajzalit.sys"
Sun 8 Aug 2004 3,120 A.SH. --- "C:\WINDOWS\system32\ghwsbkop.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\gpfoadet.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\gpsgajba.sys"
Sat 7 Aug 2004 4,160 A.SH. --- "C:\WINDOWS\system32\gpzhatde.sys"
Sat 7 Aug 2004 1,560 A.SH. --- "C:\WINDOWS\system32\gsdhadwd.sys"
Sun 8 Aug 2004 1,040 A.SH. --- "C:\WINDOWS\system32\jashbbty.sys"
Thu 29 Aug 2002 30,352 A.SH. --- "C:\WINDOWS\system32\njritc.dll"
Sat 7 Aug 2004 3,640 A.SH. --- "C:\WINDOWS\system32\pmjhbhlp.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\rnmxajkl.sys"
Sun 8 Aug 2004 1,040 A.SH. --- "C:\WINDOWS\system32\smdsbsrv.sys"
Sun 8 Aug 2004 3,640 A.SH. --- "C:\WINDOWS\system32\smhxbbyt.sys"
Sun 8 Aug 2004 1,040 A.SH. --- "C:\WINDOWS\system32\smmhbsrv.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\snfybbyt.sys"
Sat 7 Aug 2004 1,040 A.SH. --- "C:\WINDOWS\system32\spmybapi.sys"
Sat 7 Aug 2004 5,200 A.SH. --- "C:\WINDOWS\system32\spwdbapi.sys"
Sat 7 Aug 2004 5,200 A.SH. --- "C:\WINDOWS\system32\vlhxaklo.sys"
Sun 8 Aug 2004 3,120 A.SH. --- "C:\WINDOWS\system32\xbfsbjbo.sys"
Sat 7 Aug 2004 2,600 A.SH. --- "C:\WINDOWS\system32\xfztbmsn.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\xscqbhlp.sys"
Sat 7 Aug 2004 5,720 A.SH. --- "C:\WINDOWS\system32\xsdjbbmp.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\xzcsbhlp.sys"
Sun 8 Aug 2004 520 A.SH. --- "C:\WINDOWS\system32\xzfhbjpg.sys"
Sun 8 Aug 2004 3,120 A.SH. --- "C:\WINDOWS\system32\ysjxbdwd.sys"
Tue 3 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\BIT5.tmp"
Fri 30 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\BIT8.tmp"
Tue 3 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\BIT6.tmp"
Sun 1 Jun 2008 685,368 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4387300ca1dcf29784a47c30e67cb637\BITF.tmp"
Sun 1 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BIT3E.tmp"
Tue 3 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8a37f70e90784c333642cb76a8881df8\BIT40.tmp"
Tue 3 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\991099a35378d98f420ab4028323ec84\BITA.tmp"
Tue 3 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a82dc500ddf76b06dc26bd22c7a14240\BITB.tmp"
Tue 3 Jun 2008 3,134,264 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\BITC.tmp"
Fri 30 May 2008 2,300,320 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dcfb65ff18fcfdf3d0086d241818e7bc\BITA.tmp"
Sun 1 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ee52836d5c671146809a1dc54498be1f\BIT41.tmp"
Sun 1 Jun 2008 516,286 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\00766461b1b00d8469999536d8f8d6e4\download\BITD.tmp"
Tue 3 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\download\BIT9.tmp"

Finished!

#3 OldTimer

    Malware Expert

Posted 04 June 2008 - 04:55 PM

Hello drew16 and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or another location where you can find it again.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.