I Think My Pc Is Infected, Help Required Please


  • This topic is locked
2 replies to this topic

#1 frankmeardon

  • Members
  • 14 posts

Posted 04 July 2008 - 02:46 AM

Hi,

I've been communicating with Superbird (see my topic "I Think My Pc Is Infected, Help Required Please", link: http://www.bleepingcomputer.com/forums/t/154350/i-think-my-pc-is-infected-help-required-please/), who has suggested running HijackThis and posting the log here, so here goes; can someone help please?

Here are the symptoms which make me believe my PC is infected -

System Freezes - only solution is to unplug power supply, happens 3 times a week or more. Hijack?

IE7 Freeze - happens frequently, maybe hijack?

Unable to update Windows - I think that the registry has been changed so that the system time is out of sync with the update server? - see previous note.

Spybot Entry - seems to confirm presence of Malware? see attached file .jpg

Phishing filter - when I click on "check website" in Tools, Phishing Filter, I receive the following message:
"Phishing filter cannot check this website, Microsoft Online Service is temporarily unavailable"
It has been unavailable for 3 to 4 weeks; I don't believe this. Maybe a sign of malware?

Strange File -

C:\$$DeleteMe.$$DeleteMe.$$DeleteMe.$$DeleteMe.$$DeleteMe.$$DeleteMe..01c8d2af45a1a2ff.0001.01c8d2af657738f8.0000.01c8d2b3f3412fcd.0000.01c8d2b41a0f3738.0000.01c8d2bd08d798f3.0000.01c8d2bd2c9fee7f.0000


It's not a file I have saved/changed/opened. I've never seen anything quite like this file name - malware?

I've been working with PCs since the mid 80's, and I have a gut feeling that something is not right, that the PC has a lurking piece of nastiness somewhere.

Cheers

Frank

----------------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by FMCOMP on 2008-07-03 11:43:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as FMCOMP.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:14, on 03/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\svchost.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Windows\system32\lxdicoms.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\FMCOMP\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\FMCOMP.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: Secunia PSI (RC3).lnk.disabled
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Password Generator - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Generate - {320AF880-6646-11D3-ABEE-C5DBF3571F50} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O9 - Extra 'Tools' menuitem: Password Generator - {320AF880-6646-11D3-ABEE-C5DBF3571F50} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: http://www.kaspersky.nl
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 9140 bytes

-- Files created between 2008-06-03 and 2008-07-03 -----------------------------

2008-07-03 10:09:39 0 d-------- C:\Program Files\TomTom HOME 2
2008-07-02 17:00:21 203776 --a------ C:\Windows\system32\clrviddc.dll
2008-07-02 12:08:42 0 d-------- C:\Program Files\Movie Download Manager
2008-07-02 11:36:33 0 d-------- C:\Program Files\DivX
2008-07-02 11:24:59 0 d-------- C:\Program Files\VideoLAN
2008-07-02 09:09:39 0 d-------- C:\logs
2008-07-02 09:03:48 12288 --a------ C:\Windows\system32\LXF3PMRC.DLL
2008-07-02 09:03:48 45056 --a------ C:\Windows\system32\LXF3PMON.DLL
2008-07-02 09:03:48 36864 --a------ C:\Windows\system32\lxf3oem.dll
2008-07-02 09:03:48 32768 --a------ C:\Windows\system32\LXF3FXPU.DLL
2008-07-02 09:03:48 98345 --a------ C:\Windows\system32\IMHOST32.DLL
2008-07-02 09:03:43 339968 --a------ C:\Windows\system32\IMGMAN32.DLL
2008-07-02 09:03:24 0 d-------- C:\Program Files\Lexmark Fax Solutions
2008-07-02 09:03:07 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-07-02 09:01:34 294912 --a------ C:\Windows\system32\lxdiinst.dll
2008-07-02 09:01:19 0 d-------- C:\Program Files\Lexmark 3500-4500 Series
2008-07-01 23:20:26 0 d-------- C:\Program Files\Lavasoft
2008-07-01 23:05:47 0 d-------- C:\Program Files\Belarc
2008-07-01 22:58:02 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-01 22:57:11 0 d-------- C:\Program Files\Windows Live
2008-06-30 19:02:59 0 d-------- C:\Program Files\AVG
2008-06-30 12:10:11 0 d-------- C:\Program Files\Safer Networking
2008-06-30 12:00:59 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-06-28 14:58:17 0 d-------- C:\Program Files\PC Inspector File Recovery
2008-06-28 10:15:50 0 d-------- C:\Windows\ShellNew
2008-06-28 10:15:48 0 d-------- C:\Program Files\Windows Journal
2008-06-23 08:24:26 0 d-------- C:\Windows\pss
2008-06-22 16:23:43 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-06-22 15:53:55 0 d-------- C:\Program Files\Spyware Doctor
2008-06-22 13:37:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-22 12:50:05 0 d-------- C:\Program Files\Trend Micro
2008-06-22 12:34:06 0 d-------- C:\Windows\BDOSCAN8
2008-06-22 00:49:21 0 d-------- C:\Program Files\Siber Systems
2008-06-21 22:40:41 0 d-------- C:\Program Files\EsetOnlineScanner
2008-06-21 21:22:15 0 d-------- C:\Program Files\a-squared Free
2008-06-21 20:31:54 0 d-------- C:\MSNCleaner
2008-06-21 20:24:52 118784 --a------ C:\Windows\system32\MSSTDFMT.DLL
2008-06-21 20:24:51 0 d-------- C:\Program Files\SpywareBlaster
2008-06-21 19:49:42 0 d-------- C:\Program Files\Secunia
2008-06-21 17:41:32 0 d-------- C:\Program Files\Java
2008-06-21 17:39:55 0 d-------- C:\Program Files\Common Files\Java
2008-06-21 14:58:35 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-21 14:58:08 0 d-------- C:\Program Files\Real
2008-06-21 14:58:02 0 d-------- C:\Program Files\Common Files\Real
2008-06-21 00:12:45 0 d-------- C:\PerfLogs
2008-06-20 21:53:03 873472 --a------ C:\Windows\system32\DCUninstall.exe
2008-06-20 10:59:34 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-20 10:59:09 0 d-------- C:\Windows\system32\RTCOM
2008-06-20 07:55:45 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-06-20 07:47:48 0 d-------- C:\Users\FMCOMP\SecurityScans
2008-06-20 05:57:50 0 d-------- C:\Program Files\SiteAdvisor
2008-06-20 05:55:28 0 d-------- C:\Windows\system32\Macromed
2008-06-19 16:52:08 96966 --a------ C:\Windows\system32\drivers\klin.dat
2008-06-19 16:52:08 88774 --a------ C:\Windows\system32\drivers\klick.dat
2008-06-19 16:51:23 214941472 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2008-06-19 16:51:23 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-19 15:35:32 0 d-------- C:\Program Files\WinDirStat
2008-06-19 09:41:05 0 d-------- C:\Program Files\Yahoo!
2008-06-19 09:40:57 0 d-------- C:\Program Files\CCleaner
2008-06-18 23:50:43 0 d-------- C:\Windows\Panther
2008-06-18 23:50:29 0 d--hs---- C:\Boot
2008-06-18 23:50:08 0 d-------- C:\Windows\system32\OEM
2008-06-18 23:50:07 36 -rah----- C:\Windows\DELL_VERSION
2008-06-18 17:47:30 0 d-------- C:\Program Files\Intel
2008-06-18 17:47:18 0 d-------- C:\Intel
2008-06-18 17:38:14 0 d-------- C:\Program Files\VS Revo Group
2008-06-18 17:35:13 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-18 17:34:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 16:51:06 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-06-18 16:50:01 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-18 16:50:01 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-18 16:49:14 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-18 16:48:55 0 d-------- C:\Program Files\Roxio
2008-06-18 16:28:53 0 d-------- C:\Program Files\Common Files\Creative
2008-06-18 16:28:51 0 d--h----- C:\Program Files\Creative Installation Information
2008-06-18 16:27:12 409600 --a------ C:\Windows\system32\wrap_oal.dll
2008-06-18 16:27:12 114688 --a------ C:\Windows\system32\OpenAL32.dll
2008-06-18 16:27:12 0 d-------- C:\Program Files\OpenAL
2008-06-18 16:27:01 0 d-------- C:\Windows\system32\Data
2008-06-18 16:27:01 2560 --a------ C:\Windows\CTXFIRES.DLL
2008-06-18 16:26:12 67072 -----n--- C:\Windows\system32\CmdRtr.dll
2008-06-18 16:26:12 105472 -----n--- C:\Windows\system32\APOMngr.dll
2008-06-18 16:24:22 0 d-------- C:\Program Files\Creative
2008-06-18 16:22:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-18 16:22:03 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-18 16:11:38 0 d-------- C:\Program Files\ATI Technologies
2008-06-18 16:11:35 0 d-------- C:\Program Files\ATI
2008-06-18 16:10:45 0 d-------- C:\Dell
2008-06-18 16:05:12 0 d-------- C:\Windows\system32\vmm32
2008-06-18 16:05:12 0 d-------- C:\Program Files\Dell
2008-06-18 16:00:29 0 d-------- C:\Program Files\Microsoft Works
2008-06-18 15:59:46 0 d--hs---- C:\Windows\Installer
2008-06-18 15:56:00 0 dr------- C:\Users\FMCOMP\Searches
2008-06-18 15:55:51 0 dr------- C:\Users\FMCOMP\Contacts
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Videos
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\Templates
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\Start Menu
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\SendTo
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Saved Games
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\Recent
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\PrintHood
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Pictures
2008-06-18 15:55:47 4194304 --ahs---- C:\Users\FMCOMP\NTUSER.DAT
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\NetHood
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\My Documents
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Music
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\Local Settings
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Links
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Favorites
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Downloads
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Documents
2008-06-18 15:55:47 0 dr------- C:\Users\FMCOMP\Desktop
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\Cookies
2008-06-18 15:55:47 0 d--hs---- C:\Users\FMCOMP\Application Data
2008-06-18 15:55:47 0 d--h----- C:\Users\FMCOMP\AppData
2008-06-18 14:53:30 0 d-------- C:\Windows\SoftwareDistribution
2008-06-18 14:52:34 0 d-------- C:\Windows\Debug
2008-06-18 14:51:38 0 d-------- C:\Windows\Prefetch
2008-06-18 14:51:30 0 d--hs---- C:\System Volume Information
2008-06-16 09:31:08 7808 --a------ C:\Windows\system32\drivers\psi_mf.sys
2008-06-11 01:07:20 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-06-11 01:03:26 196608 --a------ C:\Windows\system32\dtu100.dll
2008-06-11 01:03:26 81920 --a------ C:\Windows\system32\dpl100.dll
2008-06-11 01:03:20 802816 --a------ C:\Windows\system32\divx_xx11.dll
2008-06-11 01:03:20 823296 --a------ C:\Windows\system32\divx_xx0c.dll
2008-06-11 01:03:20 815104 --a------ C:\Windows\system32\divx_xx0a.dll
2008-06-11 01:03:20 823296 --a------ C:\Windows\system32\divx_xx07.dll
2008-06-11 01:03:18 683520 --a------ C:\Windows\system32\DivX.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-03 10:14:14 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Mozilla
2008-07-03 10:14:03 0 d-------- C:\Users\FMCOMP\AppData\Roaming\TomTom
2008-07-02 11:43:30 0 d-------- C:\Users\FMCOMP\AppData\Roaming\vlc
2008-07-02 11:38:21 0 d-------- C:\Users\FMCOMP\AppData\Roaming\DivX
2008-07-02 11:32:14 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Roxio
2008-07-02 11:04:16 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Creative
2008-07-02 10:50:51 0 d-------- C:\Users\FMCOMP\AppData\Roaming\SiteAdvisor
2008-07-01 22:58:02 0 d-------- C:\Program Files\Common Files
2008-06-28 09:55:12 210 --a------ C:\Users\FMCOMP\AppData\Roaming\wklnhst.dat
2008-06-22 15:53:55 0 d-------- C:\Users\FMCOMP\AppData\Roaming\PC Tools
2008-06-22 13:37:36 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Malwarebytes
2008-06-21 15:02:19 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Real
2008-06-21 00:30:11 174 --ahs---- C:\Program Files\desktop.ini
2008-06-21 00:17:56 0 d-------- C:\Program Files\Windows Calendar
2008-06-21 00:17:55 0 d-------- C:\Program Files\Windows Sidebar
2008-06-21 00:17:54 0 d-------- C:\Program Files\Movie Maker
2008-06-21 00:17:52 0 d-------- C:\Program Files\Windows Mail
2008-06-21 00:17:49 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-21 00:17:40 0 d-------- C:\Program Files\Windows Defender
2008-06-20 05:56:09 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Adobe
2008-06-20 05:39:18 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Template
2008-06-18 17:35:13 0 d-------- C:\Users\FMCOMP\AppData\Roaming\SUPERAntiSpyware.com
2008-06-18 17:30:27 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Macromedia
2008-06-18 16:17:37 0 d-------- C:\Users\FMCOMP\AppData\Roaming\ATI
2008-06-18 15:55:52 0 d-------- C:\Users\FMCOMP\AppData\Roaming\Identities
2008-05-22 23:18:54 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
27/06/2008 19:12 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [08/02/2008 18:36]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [26/06/2008 19:50]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/04/2008 15:14]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [16/05/2008 17:50]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [16/07/2007 17:54]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [16/07/2007 17:54]
"FaxCenterServer"="C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" [16/07/2007 17:54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [21/06/2008 14:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]

C:\Users\FMCOMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI (RC3).lnk.disabled [6/21/2008 7:50:02 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
"ehTray.exe"=C:\Windows\ehome\ehTray.exe
"Creative Detector U"="C:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"RtHDVCpl"=RtHDVCpl.exe
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
"UpdReg"=C:\Windows\UpdReg.EXE
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ce96125-48d7-11dd-8e19-001d097f65d0}]
AutoRun\command- L:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f67d9f7-411d-11dd-8591-c07a053f6578}]
AutoRun\command- setupSNK.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-03 11:48:05 ------------

Insert topic link. ~ OB]

Edited by Orange Blossom, 04 July 2008 - 11:40 PM.


#2 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 23 July 2008 - 09:26 PM

Hello


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in portuguese

#3 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 03 August 2008 - 09:00 PM

Due to lack of feedback, this topic is closed.

If you still need help, send a PM to the moderating team requesting that it be reopened.

This applies to the original thread starter only; everyone else, please start a new topic.
Renato Victor Mejias
Malware help in portuguese



