
Userinit.exe Issues


  • This topic is locked
10 replies to this topic

#1 kellibeanz

kellibeanz

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:04 AM

Posted 25 June 2008 - 07:11 AM

As of a few days ago I began to receive a pop-up box indicating that userinit.exe couldn't load, click OK to terminate program. From there my desktop screen loads but it hangs there. I can access task manager and through there access regedit, my anti-virus software, and I've found a loophole to accessing the internet as well.

I've run several anti-virus applications. The last one I ran was Dr.Web in which it detected a "trojan downloader" but it wouldn't or couldn't remove it. I suspect this is why every time I do a scan and delete trojans ... there are always new ones to be found the next day.

I've tried to do a system restore but the computer cannot locate a date in which to restore to (all restore dates have been discarded I guess?).

In safe mode I have the same problem, nothing loads.

Here is my main.txt

Deckard's System Scanner v20071014.68
Run by Momma on 2008-06-25 04:40:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2008-06-25 11:40:59 UTC - RP332 - Deckard's System Scanner Restore Point
16: 2008-06-24 11:30:16 UTC - RP331 - Uniblue RegistryBooster
15: 2008-06-24 11:14:30 UTC - RP330 - Uniblue RegistryBooster
14: 2008-06-24 11:12:25 UTC - RP329 - Uniblue RegistryBooster
13: 2008-06-24 00:52:57 UTC - RP328 - Spyware Doctor: Cleaning Threats


-- First Restore Point --
1: 2008-06-22 14:00:56 UTC - RP316 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.21 GiB (less than 15%) free.


-- HijackThis (run as Momma.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:54 AM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Momma\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Momma.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {0F8F84CF-DCBA-4426-AC18-30A8AB00C526} - C:\WINDOWS\system32\ddcDtSMd.dll
O2 - BHO: {edba1711-f1df-bd08-e9d4-5018aa3cd7d1} - {1d7dc3aa-8105-4d9e-80db-fd1f1171abde} - C:\WINDOWS\system32\uaoxqxbc.dll
O2 - BHO: (no name) - {436A85E0-D761-4CCD-B509-0C553302B89F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E09FC2C8-116C-4B1C-85AA-4F216AF3DEA3} - C:\WINDOWS\system32\geBstuuu.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\lserver\server.vbs"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [D-Link RangeBooster G WUA-2340] C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - S-1-5-18 Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe (User 'Default user')
O4 - .DEFAULT Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User 'Default user')
O4 - .DEFAULT Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
O4 - .DEFAULT Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe (User 'Default user')
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Hawking HWU54G Utility.lnk = C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O20 - AppInit_DLLs: uaoxqxbc.dll
O20 - Winlogon Notify: ddcDtSMd - C:\WINDOWS\SYSTEM32\ddcDtSMd.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

--
End of file - 10658 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>

S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys (file missing)
S3 ZDBRGSYS (ZDBRGSYS NDIS Protocol Driver) - c:\windows\system32\zdbrgsys.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 ZDPNDIS5 (ZDPNDIS5 NDIS Protocol Driver) - c:\windows\system32\zdpndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>
R2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
R2 Tmntsrv (Trend NT Realtime Service) - "c:\program files\trend micro\pc-cillin 2000\tmntsrv.exe" <Not Verified; Trend Micro Inc.; Trend Pc-cillin 7.61>

S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>
S3 nmraapache (Pure Networks Net2Go Service) - "c:\program files\pure networks\network magic\webserver\bin\nmraapache.exe" -k runservice <Not Verified; Pure Networks, Inc.; Pure Networks Net2Go Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-15 02:21:02 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-06-01 01:00:38 332 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-06-24 19:18:05 0 d-------- C:\Documents and Settings\Momma\DoctorWeb
2008-06-24 04:08:27 0 d-------- C:\Documents and Settings\Momma\Application Data\Uniblue
2008-06-24 04:08:04 0 d-------- C:\Program Files\Uniblue
2008-06-23 19:46:24 0 d--hs---- C:\Documents and Settings\Momma\Recent
2008-06-23 18:29:06 0 d-------- C:\ucd
2008-06-23 18:19:08 0 d--hs---- C:\FOUND.002
2008-06-23 11:33:31 106496 --a------ C:\WINDOWS\system32\uaoxqxbc.dll
2008-06-23 11:31:12 95232 --a------ C:\WINDOWS\system32\uggftgtt.dll
2008-06-23 09:16:20 0 d--hs---- C:\FOUND.001
2008-06-23 09:01:00 0 d--hs---- C:\FOUND.000
2008-06-22 23:31:50 86528 --a------ C:\WINDOWS\system32\mrnmtatx.dll
2008-06-22 15:01:38 101888 --a------ C:\WINDOWS\system32\gxcfjvvh.dll
2008-06-22 15:01:19 86528 --a------ C:\WINDOWS\system32\amoqwewy.dll
2008-06-22 15:00:58 95232 --a------ C:\WINDOWS\system32\vpatjtwk.dll
2008-06-22 10:56:54 86528 -----n--- C:\WINDOWS\system32\spgmgyik.dll
2008-06-22 10:15:43 515446 --ahs---- C:\WINDOWS\system32\uuutsBeg.ini2
2008-06-22 10:15:20 285184 --a------ C:\WINDOWS\system32\geBstuuu.dll
2008-06-22 08:56:50 86528 --a------ C:\WINDOWS\system32\uhugjuip.dll
2008-06-22 07:52:48 0 d-------- C:\Program Files\Spyware Doctor
2008-06-22 07:52:48 0 d-------- C:\Documents and Settings\Momma\Application Data\PC Tools
2008-06-22 07:00:45 22714 --ahs---- C:\WINDOWS\system32\uEgiQqss.ini2
2008-06-22 06:55:13 33792 --a------ C:\WINDOWS\system32\ddcDtSMd.dll
2008-06-22 00:52:43 0 d---s---- C:\Documents and Settings\Momma\UserData
2008-06-21 19:37:39 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 19:27:19 0 d-------- C:\Documents and Settings\Momma\Application Data\WinRAR
2008-06-21 18:39:44 0 dr-h----- C:\MSOCache
2008-06-20 21:35:23 0 d--hs---- C:\Documents and Settings\Megan and Dylan\Recent
2008-06-20 18:38:31 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-06-20 18:38:21 0 d-------- C:\Downloads
2008-06-20 18:33:08 0 d-------- C:\Program Files\BitComet
2008-06-08 15:03:18 0 d-------- C:\Program Files\CCleaner


-- Find3M Report ---------------------------------------------------------------

2008-06-25 02:55:40 7 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME{4CA297BF-9695-4C7D-A574-CAE48605A8DF}
2008-06-23 08:29:14 3284 --a------ C:\WINDOWS\system32\ANIWZCS{4CA297BF-9695-4C7D-A574-CAE48605A8DF}
2008-06-23 07:18:38 7 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME
2008-05-17 06:44:32 469 --a------ C:\Program Files\INSTALL.LOG
2008-05-17 04:55:06 0 d-------- C:\Program Files\Common Files\Motive
2008-05-12 19:11:42 0 d-------- C:\Program Files\Alex Feinman
2008-05-08 18:24:40 0 d-------- C:\Documents and Settings\Momma\Application Data\Thunderbird
2008-05-06 05:01:38 8656 --a------ C:\WINDOWS\system32\sbnetkey.sys
2008-04-28 14:11:34 146432 --a------ C:\WINDOWS\system32\wlanapip.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:11:34 146432 --a------ C:\WINDOWS\system32\rasadhlpa.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:11:28 327680 --a------ C:\WINDOWS\system32\lzk32.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:11:28 327680 --a------ C:\WINDOWS\system32\imgutilg.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:11:20 90112 --a------ C:\WINDOWS\system32\hhsetupx.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:11:08 200704 --a------ C:\WINDOWS\system32\mcastmibu.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:11:08 200704 --a------ C:\WINDOWS\system32\kbdfon.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:11:00 184320 --a------ C:\WINDOWS\system32\wuapik.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:11:00 184320 --a------ C:\WINDOWS\system32\ati2dvaak.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:52 184320 --a------ C:\WINDOWS\system32\webclntv.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:52 184320 --a------ C:\WINDOWS\system32\adsmsexth.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:40 131072 --a------ C:\WINDOWS\system32\kbditm142.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:40 131072 --a------ C:\WINDOWS\system32\cnvfato.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:36 77824 --a------ C:\WINDOWS\system32\iedkcsu32.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:26 122112 --a------ C:\WINDOWS\system32\ansil.sys <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:26 122112 --a------ C:\WINDOWS\system32\ansic.sys <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:22 81920 --a------ C:\WINDOWS\system32\wmph.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:22 81920 --a------ C:\WINDOWS\system32\mlangx.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:14 38784 --a------ C:\WINDOWS\system32\KGyGaAvLR.sys <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:14 38784 --a------ C:\WINDOWS\system32\ANIOG.sys <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:10:06 200704 --a------ C:\WINDOWS\system32\creduim.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:52 167936 --a------ C:\WINDOWS\system32\tsshutdnm.exe <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:52 167936 --a------ C:\WINDOWS\system32\tmpn00003.exe <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:52 73728 --a------ C:\WINDOWS\system32\iassami.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:52 73728 --a------ C:\WINDOWS\system32\dxtmsftq.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:48 192512 --a------ C:\WINDOWS\system32\WMSPDMOEI.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:48 192512 --a------ C:\WINDOWS\system32\jobexeci.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:44 53248 --a------ C:\WINDOWS\system32\netuie2.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:38 81920 --a------ C:\WINDOWS\system32\MFC71CHTU.DLL <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:38 81920 --a------ C:\WINDOWS\system32\ifsutilc.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:36 69632 --a------ C:\WINDOWS\system32\PortableDeviceApiv.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:36 69632 --a------ C:\WINDOWS\system32\msnetobjq.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:22 53248 --a------ C:\WINDOWS\system32\drprovt.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:22 53248 --a------ C:\WINDOWS\system32\dpnlobbyn.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:18 159744 --a------ C:\WINDOWS\system32\mll_hpt.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:18 159744 --a------ C:\WINDOWS\system32\deskmond.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:06 86016 --a------ C:\WINDOWS\system32\netuib0.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:06 86016 --a------ C:\WINDOWS\system32\icfgnta5.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:02 360448 --a------ C:\WINDOWS\system32\ntmsmgri.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:09:02 360448 --a------ C:\WINDOWS\system32\msencodeg.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:48 167936 --a------ C:\WINDOWS\system32\inputs.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:48 167936 --a------ C:\WINDOWS\system32\glmfh32.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:48 5218304 --a------ C:\WINDOWS\system32\dxdiagnr.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:48 5218304 --a------ C:\WINDOWS\system32\clbc.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:36 118784 --a------ C:\WINDOWS\system32\msihndd.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:36 118784 --a------ C:\WINDOWS\system32\kbdfonv.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:26 135168 --a------ C:\WINDOWS\system32\kbdslv.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:26 135168 --a------ C:\WINDOWS\system32\dmloaderr.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:16 4001792 --a------ C:\WINDOWS\system32\tscfgwmim.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:16 4001792 --a------ C:\WINDOWS\system32\kbdlvn.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:06 208896 --a------ C:\WINDOWS\system32\syncuiv.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-28 14:08:06 208896 --a------ C:\WINDOWS\system32\MP43DMODV.dll <Not Verified; SearchHelp, Inc.; Sentry At Home Lite>
2008-04-13 07:03:30 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-28 18:57:48 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-28 18:57:06 88 -r-hs---- C:\WINDOWS\system32\A4E9C6BDB9.sys


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-06-25 04:46:38 ------------


And the extra.txt file

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 511.53 MiB / 164.37 MiB
Pagefile Memory (total/avail): 1249.61 MiB / 722.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.64 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 15.6 GiB total, 0.2 GiB free.
D: is Fixed (NTFS) - 60.69 GiB total, 60.63 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 76.33 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 15.63 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 60.69 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: F-Secure Anti-Virus 2008 8.00 v8.00 (F-Secure Corporation) Disabled
FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Trend Micro\\PC-cillin 2000\\WebTrapNT.exe"="C:\\Program Files\\Trend Micro\\PC-cillin 2000\\WebTrapNT.exe:*:Enabled:WebTrap"
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"="C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe:*:Enabled:tgcmd Module"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\WINDOWS\\System32\\systemi.exe"="C:\\WINDOWS\\System32\\systemi.exe:*:Disabled:systemi"


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

Owner (admin)
Momma (admin)
Megan and Dylan
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type126794 / Error
Event Submitted/Written: 06/23/2008 11:50:52 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type126793 / Error
Event Submitted/Written: 06/23/2008 11:49:11 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000b1db.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type126791 / Error
Event Submitted/Written: 06/23/2008 11:47:21 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000b1db.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type126789 / Error
Event Submitted/Written: 06/23/2008 11:42:53 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type126788 / Error
Event Submitted/Written: 06/23/2008 11:40:34 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000b1db.
Processing media-specific event for [explorer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type61742 / Warning
Event Submitted/Written: 06/25/2008 04:35:49 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 001B11C1DCE6. The IP address being used is 169.254.142.75.

Event Record #/Type61736 / Warning
Event Submitted/Written: 06/25/2008 04:10:50 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 001B11C1DCE6. The IP address being used is 169.254.142.75.

Event Record #/Type61731 / Warning
Event Submitted/Written: 06/25/2008 03:27:49 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 001B11C1DCE6. The IP address being used is 169.254.142.75.

Event Record #/Type61724 / Warning
Event Submitted/Written: 06/25/2008 02:59:51 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 001B11C1DCE6. The IP address being used is 169.254.142.75.

Event Record #/Type61718 / Error
Event Submitted/Written: 06/25/2008 02:58:20 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-06-25 04:46:38 ------------


Thanks for any help offered.


#2 Buckeye_Sam


Posted 25 June 2008 - 09:28 AM

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 kellibeanz


Posted 27 June 2008 - 07:39 PM

Sorry for taking so long; the first download of ComboFix crashed the computer. I had to reinstall the program.



ComboFix 08-06-25.3 - Momma 2008-06-27 20:06:33.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -7:00]
Running from: C:\Documents and Settings\Momma\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Momma\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWebSearch
C:\WINDOWS\BM13618375.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\amoqwewy.dll
C:\WINDOWS\system32\ansic.sys
C:\WINDOWS\system32\cbcotgjd.ini
C:\WINDOWS\system32\geBstuuu.dll
C:\WINDOWS\system32\gxcfjvvh.dll
C:\WINDOWS\system32\jnspbolt.ini
C:\WINDOWS\system32\kiygmgps.ini
C:\WINDOWS\system32\mrnmtatx.dll
C:\WINDOWS\system32\piujguhu.ini
C:\WINDOWS\system32\sdxcptde.ini
C:\WINDOWS\system32\sipwfvvt.ini
C:\WINDOWS\system32\spgmgyik.dll
C:\WINDOWS\system32\uEgiQqss.ini
C:\WINDOWS\system32\uEgiQqss.ini2
C:\WINDOWS\system32\uhugjuip.dll
C:\WINDOWS\system32\uuutsBeg.ini
C:\WINDOWS\system32\uuutsBeg.ini2
C:\WINDOWS\system32\vpatjtwk.dll
C:\WINDOWS\system32\xtatmnrm.ini
C:\WINDOWS\system32\ywewqoma.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2008-06-26 11:24 . 2008-06-26 11:24 <DIR> d--hs---- C:\FOUND.003
2008-06-25 18:24 . 2008-06-25 18:24 <DIR> d-------- C:\Documents and Settings\Momma\Application Data\skypePM
2008-06-25 18:24 . 2008-06-25 18:24 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-25 18:22 . 2008-06-25 18:22 <DIR> d-------- C:\Documents and Settings\Momma\Application Data\Skype
2008-06-25 18:12 . 2008-06-25 18:12 <DIR> d-------- C:\Program Files\Skype
2008-06-25 18:12 . 2008-06-25 18:12 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-25 18:11 . 2008-06-25 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-25 04:39 . 2008-06-25 04:39 <DIR> d-------- C:\Deckard
2008-06-24 19:18 . 2008-06-24 19:18 <DIR> d-------- C:\Documents and Settings\Momma\DoctorWeb
2008-06-24 04:08 . 2008-06-24 04:08 <DIR> d-------- C:\Program Files\Uniblue
2008-06-24 04:08 . 2008-06-24 04:08 <DIR> d-------- C:\Documents and Settings\Momma\Application Data\Uniblue
2008-06-23 18:29 . 2008-06-23 18:29 <DIR> d-------- C:\ucd
2008-06-23 18:19 . 2008-06-23 18:19 <DIR> d--hs---- C:\FOUND.002
2008-06-23 11:31 . 2008-06-23 11:31 95,232 --a------ C:\WINDOWS\system32\uggftgtt.dll
2008-06-23 09:16 . 2008-06-23 09:16 <DIR> d--hs---- C:\FOUND.001
2008-06-23 09:01 . 2008-06-23 09:01 <DIR> d--hs---- C:\FOUND.000
2008-06-22 07:53 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-22 07:53 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-22 07:53 . 2008-06-22 08:32 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-22 07:53 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-22 07:52 . 2008-06-22 07:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-22 07:52 . 2008-06-22 07:52 <DIR> d-------- C:\Documents and Settings\Momma\Application Data\PC Tools
2008-06-22 00:52 . 2008-06-22 00:52 <DIR> d---s---- C:\Documents and Settings\Momma\UserData
2008-06-21 19:37 . 2008-06-21 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 18:39 . 2008-06-21 18:39 <DIR> dr-h----- C:\MSOCache
2008-06-20 20:25 . 2007-10-30 09:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-06-20 20:25 . 2007-10-30 09:20 360,064 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
2008-06-20 18:38 . 2008-06-20 18:38 <DIR> d-------- C:\Downloads
2008-06-20 18:33 . 2008-06-20 18:33 <DIR> d-------- C:\Program Files\BitComet
2008-06-10 18:27 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 15:03 . 2008-06-08 15:03 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-17 13:44 469 ----a-w C:\Program Files\INSTALL.LOG
2008-05-17 11:55 --------- d-----w C:\Program Files\Common Files\Motive
2008-05-17 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-05-13 02:11 --------- d-----w C:\Program Files\Alex Feinman
2008-05-12 00:20 --------- d-----w C:\Documents and Settings\Megan and Dylan\Application Data\Thunderbird
2008-05-09 01:24 --------- d-----w C:\Documents and Settings\Momma\Application Data\Thunderbird
2008-05-08 23:57 --------- d-----w C:\Program Files\ophcrack
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-06 12:01 8,656 ----a-w C:\WINDOWS\system32\sbnetkey.sys
2008-04-28 21:11 90,112 ----a-w C:\WINDOWS\system32\hhsetupx.dll
2008-04-28 21:11 327,680 ----a-w C:\WINDOWS\system32\lzk32.dll
2008-04-28 21:11 327,680 ----a-w C:\WINDOWS\system32\imgutilg.dll
2008-04-28 21:11 200,704 ----a-w C:\WINDOWS\system32\mcastmibu.dll
2008-04-28 21:11 200,704 ----a-w C:\WINDOWS\system32\kbdfon.dll
2008-04-28 21:11 184,320 ----a-w C:\WINDOWS\system32\wuapik.dll
2008-04-28 21:11 184,320 ----a-w C:\WINDOWS\system32\ati2dvaak.dll
2008-04-28 21:11 146,432 ----a-w C:\WINDOWS\system32\wlanapip.dll
2008-04-28 21:11 146,432 ----a-w C:\WINDOWS\system32\rasadhlpa.dll
2008-04-28 21:10 81,920 ----a-w C:\WINDOWS\system32\wmph.dll
2008-04-28 21:10 81,920 ----a-w C:\WINDOWS\system32\mlangx.dll
2008-04-28 21:10 77,824 ----a-w C:\WINDOWS\system32\iedkcsu32.dll
2008-04-28 21:10 38,784 ----a-w C:\WINDOWS\system32\KGyGaAvLR.sys
2008-04-28 21:10 38,784 ----a-w C:\WINDOWS\system32\ANIOG.sys
2008-04-28 21:10 200,704 ----a-w C:\WINDOWS\system32\creduim.dll
2008-04-28 21:10 184,320 ----a-w C:\WINDOWS\system32\webclntv.dll
2008-04-28 21:10 184,320 ----a-w C:\WINDOWS\system32\adsmsexth.dll
2008-04-28 21:10 131,072 ----a-w C:\WINDOWS\system32\kbditm142.dll
2008-04-28 21:10 131,072 ----a-w C:\WINDOWS\system32\cnvfato.dll
2008-04-28 21:10 122,112 ----a-w C:\WINDOWS\system32\ansil.sys
2008-04-28 21:08 5,218,304 ----a-w C:\WINDOWS\system32\dxdiagnr.dll
2008-04-28 21:08 5,218,304 ----a-w C:\WINDOWS\system32\clbc.dll
2008-04-28 21:08 4,001,792 ----a-w C:\WINDOWS\system32\tscfgwmim.dll
2008-04-28 21:08 4,001,792 ----a-w C:\WINDOWS\system32\kbdlvn.dll
2008-04-28 21:08 208,896 ----a-w C:\WINDOWS\system32\syncuiv.dll
2008-04-28 21:08 208,896 ----a-w C:\WINDOWS\system32\MP43DMODV.dll
2008-04-28 21:08 167,936 ----a-w C:\WINDOWS\system32\inputs.dll
2008-04-28 21:08 167,936 ----a-w C:\WINDOWS\system32\glmfh32.dll
2008-04-28 21:08 135,168 ----a-w C:\WINDOWS\system32\kbdslv.dll
2008-04-28 21:08 135,168 ----a-w C:\WINDOWS\system32\dmloaderr.dll
2008-04-28 21:08 118,784 ----a-w C:\WINDOWS\system32\msihndd.dll
2008-04-28 21:08 118,784 ----a-w C:\WINDOWS\system32\kbdfonv.dll
2008-04-21 06:57 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 06:57 666,624 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-17 10:47 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-29 01:57 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 15:05 630784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 12:22 1923352]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-09-10 19:36 2339]
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [2001-09-06 20:20 235520]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [2001-09-06 20:25 294982]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2001-09-08 12:56 28672]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"D-Link RangeBooster G WUA-2340"="C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2006-09-01 12:09 1880064]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 17:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 10:32 451896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

C:\Documents and Settings\Momma\Start Menu\Programs\Startup\
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 00:43:08 180224]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 15:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 12:41:18 65536]

C:\Documents and Settings\Megan and Dylan\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 15:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 12:41:18 65536]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 00:43:08 180224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Real-time Monitor.lnk - C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_299368D.exe [2001-09-08 13:07:52 57344]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-09-08 12:52:03 113664]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-08 12:51:48 40960]
Hawking HWU54G Utility.lnk - C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe [2008-04-20 16:45:58 438272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uaoxqxbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trend Micro\\PC-cillin 2000\\WebTrapNT.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8718:TCP"= 8718:TCP:BitComet 8718 TCP
"8718:UDP"= 8718:UDP:BitComet 8718 UDP

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2006-05-08 19:10]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 WLAN(WLAN);XPC 802.11b/g Wireless Kit Driver(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2005-08-16 14:50]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS [2004-06-01 21:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd7524e4-74c2-11dc-9b89-00e0183fb106}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 08:00:38 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-15 09:21:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-WeatherEye - C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
Notify-ddcDtSMd - ddcDtSMd.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 20:25:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\MCAFEE\MSC\MCMSCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRAM FILES\MCAFEE\MPF\MPFSRV.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\PSISERVICE.EXE
C:\PROGRAM FILES\SITEADVISOR\6253\SASERVICE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2000\TMNTSRV.EXE
C:\PROGRAM FILES\COMMON FILES\PURE NETWORKS SHARED\PLATFORM\NMSRVC.EXE
C:\WINDOWS\SYSTEM32\WSCRIPT.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Progra~1\Support.com\client\bin\forcesync.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-27 20:29:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-28 03:28:56

Pre-Run: 2,891,137,024 bytes free
Post-Run: 2,849,472,512 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

249 --- E O F --- 2008-06-22 10:04:49
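The "Reg Loading Points" section of the log above is where the persistence and defence-evasion indicators of this infection sit: an AppInit_DLLs value naming a randomly named DLL, Security Center notification and monitoring flags set to 1, and AutoRun commands under MountPoints2. The following is an added example, not part of the thread or of ComboFix, showing how a responder can triage that section automatically. The sample section is constructed to mirror the layout and the kinds of entries shown in the log; the category names and the list of script extensions are the example's own choices, and a flagged entry means "review this", not "this is malicious" (the support.com script in the log, for instance, is a vendor tool).

```python
"""Flag persistence and defence-evasion indicators in a ComboFix-style
"Reg Loading Points" section.

Added example for this thread; it is not ComboFix code. The sample section
below is constructed to mirror the kinds of entries the log above shows."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the REGEDIT4-like layout ComboFix prints.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-09-10 19:36 2339]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uaoxqxbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
"""

# Extensions treated as "script autostart" (example's own choice).
SCRIPT_EXTENSIONS = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd")
SECURITY_CENTER_RE = re.compile(
    r'^"(antivirusdisablenotify|firewalldisablenotify|updatesdisablenotify|disablemonitoring)"=dword:0*1$')
RUN_VALUE_RE = re.compile(r'^"[^"]*"="([^"]*)"')


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group value lines under their [key] header (keys lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def find_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for entries a responder should review."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_sections(text).items():
        for value in values:
            lowered = value.lower()
            # AppInit_DLLs: the named DLL is loaded into every process that maps
            # user32.dll; the value is empty on a clean XP machine.
            if key.endswith(r"currentversion\windows") and lowered.startswith('"appinit_dlls"='):
                dll = value.split("=", 1)[1].strip()
                if dll:
                    findings.append(("appinit_dlls", dll))
            # Security Center flags set to 1 silence AV/firewall warnings.
            elif "security center" in key and SECURITY_CENTER_RE.match(lowered):
                findings.append(("security_center_disabled", key))
            # MountPoints2 AutoRun commands run a binary when the volume is opened.
            elif "mountpoints2" in key and "autorun" in lowered:
                findings.append(("autorun", value.split(" - ", 1)[-1]))
            # Run entries whose target is a script file rather than an executable.
            elif key.endswith(r"currentversion\run"):
                m = RUN_VALUE_RE.match(value)
                if m and m.group(1).lower().endswith(SCRIPT_EXTENSIONS):
                    findings.append(("script_autostart", m.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in find_indicators(SAMPLE_LOG):
        print(f"{category:25s} {detail}")
```

Run against a saved ComboFix.txt, the same function can be fed the text between the "Reg Loading Points" banner and the "Scheduled Tasks" line; the parser ignores the dotted spacer lines because it only acts on bracketed headers and the value lines beneath them.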



#4 Buckeye_Sam


Posted 28 June 2008 - 12:05 PM

No problem on the delay. Glad you got it up and running again.

Please visit the online Jotti Virus Scanner
  • Click on Posted Image button.
  • Copy and paste the following filepath in the box:


    C:\WINDOWS\system32\uggftgtt.dll


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html


How is your computer running now?

#5 kellibeanz


Posted 29 June 2008 - 07:32 AM

Computer is running better. Haven't noticed anything out of the ordinary.

These are the results:

File: uggftgtt.dll
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because ofthis, results of this scan will not be recorded in the database.)
MD5: 64fb9dba26251e4ccb1acb2297eb7d1d
Packers detected: UPX

Scan taken on 29 Jun 2008 12:26:26 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Vundo.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found Win32.Rigel.6468
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Thanks

#6 Buckeye_Sam


Posted 29 June 2008 - 07:49 AM

Let's get rid of that file.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\uggftgtt.dll

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#7 kellibeanz


Posted 29 June 2008 - 05:54 PM

Done ... here are the contents

ComboFix 08-06-29.3 - Momma 2008-06-29 13:33:14.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -7:00]
Running from: C:\Documents and Settings\Momma\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Momma\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\uggftgtt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM13618375.txt
C:\WINDOWS\system32\uggftgtt.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-29 10:08 . 2008-06-29 10:08 <DIR> d-------- C:\Program Files\WexTech
2008-06-29 10:08 . 2008-06-29 10:08 <DIR> d-------- C:\Program Files\Common Files\WexTech Shared
2008-06-29 10:08 . 2008-06-29 10:08 <DIR> d-------- C:\Program Files\Common Files\LHSPF
2008-06-29 10:08 . 1998-08-04 11:22 111,616 --a------ C:\WINDOWS\system32\Ltih30tb.dll
2008-06-29 10:05 . 1998-10-01 05:21 1,467,700 --------- C:\WINDOWS\system32\ODBC.HLP
2008-06-29 10:05 . 1998-10-01 05:21 39,239 --------- C:\WINDOWS\system32\ODBC.CNT
2008-06-29 10:05 . 1998-10-09 23:01 36,864 --------- C:\WINDOWS\system32\iduninst.dll
2008-06-29 10:05 . 1998-10-01 05:21 26,858 --------- C:\WINDOWS\system32\ODBCinst.HLP
2008-06-29 10:05 . 1998-10-01 05:21 244 --------- C:\WINDOWS\system32\ODBCinst.CNT
2008-06-29 10:04 . 1998-08-11 06:04 1,213,440 --------- C:\WINDOWS\system32\opengl.dll
2008-06-29 10:04 . 1999-01-10 23:13 401,462 -ra------ C:\WINDOWS\system32\30743
2008-06-29 10:04 . 1998-08-11 06:04 315,904 --------- C:\WINDOWS\system32\glu.dll
2008-06-29 10:04 . 1999-06-03 12:05 170,496 --a------ C:\WINDOWS\system32\Awrtl30.dll
2008-06-29 10:04 . 1998-08-11 06:04 154,624 --------- C:\WINDOWS\system32\glut.dll
2008-06-29 10:04 . 2000-03-12 17:47 131,072 --------- C:\WINDOWS\system32\shellwp.dll
2008-06-29 10:04 . 1999-03-20 21:49 100,864 --------- C:\WINDOWS\system32\awpe.dll
2008-06-29 10:04 . 1999-01-06 05:35 93,184 --------- C:\WINDOWS\system32\LTIH21TB.DLL
2008-06-29 10:04 . 1998-08-10 04:45 46,592 --------- C:\WINDOWS\system32\csh.dll
2008-06-29 10:04 . 1998-08-10 04:46 7,680 --------- C:\WINDOWS\system32\shlwp9en.dll
2008-06-29 10:03 . 2008-06-29 10:03 <DIR> d-------- C:\Program Files\Corel
2008-06-29 10:02 . 2008-06-29 10:02 <DIR> d-------- C:\WINDOWS\Corel
2008-06-25 18:24 . 2008-06-25 18:24 <DIR> d-------- C:\Documents and Settings\Momma\Application Data\skypePM
2008-06-25 18:24 . 2008-06-25 18:24 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-25 18:22 . 2008-06-25 18:22 <DIR> d-------- C:\Documents and Settings\Momma\Application Data\Skype
2008-06-25 18:12 . 2008-06-25 18:12 <DIR> d-------- C:\Program Files\Skype
2008-06-25 18:12 . 2008-06-25 18:12 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-25 18:11 . 2008-06-25 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-24 19:18 . 2008-06-24 19:18 <DIR> d-------- C:\Documents and Settings\Momma\DoctorWeb
2008-06-24 04:08 . 2008-06-24 04:08 <DIR> d-------- C:\Program Files\Uniblue
2008-06-24 04:08 . 2008-06-24 04:08 <DIR> d-------- C:\Documents and Settings\Momma\Application Data\Uniblue
2008-06-23 18:29 . 2008-06-23 18:29 <DIR> d-------- C:\ucd
2008-06-22 07:53 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-22 07:53 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-22 07:53 . 2008-06-22 08:32 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-22 07:53 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-22 07:52 . 2008-06-22 07:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-22 07:52 . 2008-06-22 07:52 <DIR> d-------- C:\Documents and Settings\Momma\Application Data\PC Tools
2008-06-22 00:52 . 2008-06-22 00:52 <DIR> d---s---- C:\Documents and Settings\Momma\UserData
2008-06-21 19:37 . 2008-06-21 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-21 18:39 . 2008-06-21 18:39 <DIR> dr-h----- C:\MSOCache
2008-06-20 20:25 . 2007-10-30 09:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-06-20 20:25 . 2007-10-30 09:20 360,064 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
2008-06-20 18:38 . 2008-06-20 18:38 <DIR> d-------- C:\Downloads
2008-06-20 18:33 . 2008-06-20 18:33 <DIR> d-------- C:\Program Files\BitComet
2008-06-10 18:27 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 15:03 . 2008-06-08 15:03 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-17 13:44 469 ----a-w C:\Program Files\INSTALL.LOG
2008-05-17 11:55 --------- d-----w C:\Program Files\Common Files\Motive
2008-05-17 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-05-13 02:11 --------- d-----w C:\Program Files\Alex Feinman
2008-05-12 00:20 --------- d-----w C:\Documents and Settings\Megan and Dylan\Application Data\Thunderbird
2008-05-09 01:24 --------- d-----w C:\Documents and Settings\Momma\Application Data\Thunderbird
2008-05-08 23:57 --------- d-----w C:\Program Files\ophcrack
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-06 12:01 8,656 ----a-w C:\WINDOWS\system32\sbnetkey.sys
2008-04-28 21:11 90,112 ----a-w C:\WINDOWS\system32\hhsetupx.dll
2008-04-28 21:11 327,680 ----a-w C:\WINDOWS\system32\lzk32.dll
2008-04-28 21:11 327,680 ----a-w C:\WINDOWS\system32\imgutilg.dll
2008-04-28 21:11 200,704 ----a-w C:\WINDOWS\system32\mcastmibu.dll
2008-04-28 21:11 200,704 ----a-w C:\WINDOWS\system32\kbdfon.dll
2008-04-28 21:11 184,320 ----a-w C:\WINDOWS\system32\wuapik.dll
2008-04-28 21:11 184,320 ----a-w C:\WINDOWS\system32\ati2dvaak.dll
2008-04-28 21:11 146,432 ----a-w C:\WINDOWS\system32\wlanapip.dll
2008-04-28 21:11 146,432 ----a-w C:\WINDOWS\system32\rasadhlpa.dll
2008-04-28 21:10 81,920 ----a-w C:\WINDOWS\system32\wmph.dll
2008-04-28 21:10 81,920 ----a-w C:\WINDOWS\system32\mlangx.dll
2008-04-28 21:10 77,824 ----a-w C:\WINDOWS\system32\iedkcsu32.dll
2008-04-28 21:10 38,784 ----a-w C:\WINDOWS\system32\KGyGaAvLR.sys
2008-04-28 21:10 38,784 ----a-w C:\WINDOWS\system32\ANIOG.sys
2008-04-28 21:10 200,704 ----a-w C:\WINDOWS\system32\creduim.dll
2008-04-28 21:10 184,320 ----a-w C:\WINDOWS\system32\webclntv.dll
2008-04-28 21:10 184,320 ----a-w C:\WINDOWS\system32\adsmsexth.dll
2008-04-28 21:10 131,072 ----a-w C:\WINDOWS\system32\kbditm142.dll
2008-04-28 21:10 131,072 ----a-w C:\WINDOWS\system32\cnvfato.dll
2008-04-28 21:10 122,112 ----a-w C:\WINDOWS\system32\ansil.sys
2008-04-28 21:08 5,218,304 ----a-w C:\WINDOWS\system32\dxdiagnr.dll
2008-04-28 21:08 5,218,304 ----a-w C:\WINDOWS\system32\clbc.dll
2008-04-28 21:08 4,001,792 ----a-w C:\WINDOWS\system32\tscfgwmim.dll
2008-04-28 21:08 4,001,792 ----a-w C:\WINDOWS\system32\kbdlvn.dll
2008-04-28 21:08 208,896 ----a-w C:\WINDOWS\system32\syncuiv.dll
2008-04-28 21:08 208,896 ----a-w C:\WINDOWS\system32\MP43DMODV.dll
2008-04-28 21:08 167,936 ----a-w C:\WINDOWS\system32\inputs.dll
2008-04-28 21:08 167,936 ----a-w C:\WINDOWS\system32\glmfh32.dll
2008-04-28 21:08 135,168 ----a-w C:\WINDOWS\system32\kbdslv.dll
2008-04-28 21:08 135,168 ----a-w C:\WINDOWS\system32\dmloaderr.dll
2008-04-28 21:08 118,784 ----a-w C:\WINDOWS\system32\msihndd.dll
2008-04-28 21:08 118,784 ----a-w C:\WINDOWS\system32\kbdfonv.dll
2008-04-21 06:57 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 06:57 666,624 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-17 10:47 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-29 01:57 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 15:05 630784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 12:22 1923352]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-09-10 19:36 2339]
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [2001-09-06 20:20 235520]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [2001-09-06 20:25 294982]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2001-09-08 12:56 28672]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"D-Link RangeBooster G WUA-2340"="C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2006-09-01 12:09 1880064]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 17:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 10:32 451896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

C:\Documents and Settings\Momma\Start Menu\Programs\Startup\
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 00:43:08 180224]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 15:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 12:41:18 65536]
Corel Registration.lnk - C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe [2008-06-29 10:05:25 67584]

C:\Documents and Settings\Megan and Dylan\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 15:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 12:41:18 65536]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 00:43:08 180224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Real-time Monitor.lnk - C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_299368D.exe [2001-09-08 13:07:52 57344]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-09-08 12:52:03 113664]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-08 12:51:48 40960]
Hawking HWU54G Utility.lnk - C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe [2008-04-20 16:45:58 438272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uaoxqxbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trend Micro\\PC-cillin 2000\\WebTrapNT.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8718:TCP"= 8718:TCP:BitComet 8718 TCP
"8718:UDP"= 8718:UDP:BitComet 8718 UDP

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2006-05-08 19:10]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 WLAN(WLAN);XPC 802.11b/g Wireless Kit Driver(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2005-08-16 14:50]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS [2004-06-01 21:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd7524e4-74c2-11dc-9b89-00e0183fb106}]
\Shell\AutoRun\command - G:\setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 08:00:38 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-15 09:21:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 13:38:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-29 13:40:17
ComboFix2.txt 2008-06-28 03:29:30
ComboFix-quarantined-files.txt 2008-06-29 20:40:00

Pre-Run: 3,843,305,472 bytes free
Post-Run: 3,837,054,976 bytes free

209 --- E O F --- 2008-06-22 10:04:49
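
The registry sections in a ComboFix log of this kind contain a few entries a responder checks by hand before declaring a machine clean: a non-empty `AppInit_DLLs` value (every DLL named there is loaded into each process that links user32.dll, and a bare, randomly named filename is resolved through the DLL search path), Security Center flags that suppress antivirus or firewall alerts or tell the Center to stop monitoring a product, and `mountpoints2` AutoRun commands for removable or mapped volumes. The script below is an added example, not part of this thread and not ComboFix or Deckard's System Scanner code; it parses registry-dump lines in that format and lists those indicators with a severity for triage. The sample input is constructed from lines in the log above, and the `triage`, `Finding` and `_clean_value` names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: registry lines copied from the ComboFix log above
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2001-09-08 12:56 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uaoxqxbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')              # "name"=value [date size]
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(.+)$')


@dataclass
class Finding:
    severity: str   # "high" or "medium"; ordering for a human, not a verdict
    key: str        # registry key the entry lives under
    detail: str


def _clean_value(raw: str) -> str:
    """Strip quoting, decode dword:, and drop the trailing '[date size]' ComboFix appends."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    m = re.match(r'dword:([0-9a-fA-F]{8})', raw)
    if m:
        return str(int(m.group(1), 16))
    return raw.split(' [', 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Walk the registry dump and report entries worth manual verification."""
    findings: List[Finding] = []
    key = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)           # remember which key the following values belong to
            continue
        lower = key.lower()

        am = AUTORUN_RE.match(line)
        if am and 'mountpoints2' in lower:
            findings.append(Finding("medium", key,
                f"AutoRun command for removable/mapped volume: {am.group(1)}"))
            continue

        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group(1), _clean_value(vm.group(2))

        if name.lower() == 'appinit_dlls' and value:
            # A bare filename here is located via the DLL search path, not a fixed location.
            note = "bare filename, resolved via DLL search path" if '\\' not in value else "full path"
            findings.append(Finding("high", key,
                f"AppInit_DLLs loads {value} into every user32-linked process ({note})"))
        elif 'security center' in lower and name.lower().endswith('disablenotify') and value == '1':
            findings.append(Finding("medium", key, f"{name}=1: Security Center alerts suppressed"))
        elif 'security center\\monitoring' in lower and name.lower() == 'disablemonitoring' and value == '1':
            product = key.rsplit('\\', 1)[-1]
            findings.append(Finding("medium", key,
                f"Security Center told to stop monitoring {product}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.detail}\n         under {f.key}")
```

Run on the constructed sample it reports four entries: the `AppInit_DLLs` DLL as high, and the two Security Center flags and the `D:` AutoRun command as medium. The severities are a reading order for a human, not a verdict; the script deliberately does not decide whether a file is malicious, it only surfaces the entries that a log reviewer should resolve by checking the file on disk and the product's own status.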



#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:04 AM

Posted 30 June 2008 - 08:33 AM

Looking good! I don't see any issues in your log. :)

Just a few last things and you should be good to go! :thumbup2:


First, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup:
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 kellibeanz

kellibeanz
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 02 July 2008 - 07:00 AM

Thanks so much for your help :thumbsup:

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:04 AM

Posted 02 July 2008 - 09:55 AM

Glad I could help you out! :thumbsup:


========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:04 AM

Posted 21 July 2008 - 08:00 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



