
I Can't Log In (no Icons, No Task Manager), Others Logged Out Immediately

6 replies to this topic

#1 meakerb

meakerb

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:57 AM

Posted 01 September 2008 - 04:44 PM

I have a PC that, when I log in, doesn't show any desktop icons. Hitting Ctrl-Alt-Del doesn't bring up the task manager. If I right-click on the desktop, no menu appears. Also, instead of the list of users appearing after boot-up, it's the single box that prompts for username and password. If any of the other users of the machine log in, their background picture shows up briefly, but then they are immediately logged out.

I can start up in safe mode (and when I do the list of users, including Administrator, is there), but when I log in I still don't get desktop icons. Hitting Ctrl-Alt-Del (in Safe mode) brings up a task manager window with no top section. There's no title bar (which would normally say "Windows Task Manager" and have the minimize, maximize, and close buttons on it). There are also no tabs (normally would have Applications, Process, Performance, and Networking). Also, at the bottom it has the three buttons: End Task, Switch To, and New Task..., but nothing below that (i.e. no process count, CPU usage, or Commit Charge). Using the New Task... and browsing, I was able to run DSS, which runs a version of HijackThis (I couldn't find a direct copy of HijackThis to run). So I am attaching the log from that run.

I tried to run explorer and found that in the C:\WINDOWS directory, the explorer.exe file was missing. I have since taken the hard drive out and put it as a second drive in my main PC (the one I'm sending this from). I transferred the log file from the bad PC to the good PC, and copied explorer.exe from the good PC to the bad PC. Putting the hard drive back into the bad PC, the symptoms are the same. Only now, when I start in safe mode and do a New Task... and browse to C:\WINDOWS and start explorer.exe, all the icons appear and an explorer window opens!

Thanks for all your help in advance.

Barry


Deckard's System Scanner v20071014.68
Run by Barry on 2008-08-29 21:41:32
Computer is in Safe Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Barry.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:46 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Barry\My Documents\Anti-Spyware\dss.exe
C:\MGTools\Barry.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-support.boeing.com:31060/proxy.pac
O2 - BHO: gooochi browser optimizer - {0123253f-8062-f585-c900-705afbd16a86} - C:\WINDOWS\system32\{7428e102-8a8e-9357-774c-4dd17c570e57}.dll
O2 - BHO: {498D520C-88E1-4F11-861D-B70A69F53691} - {05CADC55-BBFF-457C-93D1-9A18D1E3A351} - C:\WINDOWS\system32\geedbaa.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FA83120-8A93-CB05-B912-0934C1EEACE4} - C:\DOCUME~1\Max\LOCALS~1\Temp\setwebinfo.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {3F34A306-8E74-40C9-BAA0-93609E4813C6} - C:\WINDOWS\system32\iifcYOHA.dll (file missing)
O2 - BHO: (no name) - {45080112-43D4-4B43-A8BC-7F1DFBFDCEAF} - C:\WINDOWS\system32\MYBHO.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {61F4D495-2DA9-330D-539D-0A5DDA60C61F} - C:\DOCUME~1\Barry\LOCALS~1\Temp\strsrvsh.dll (file missing)
O2 - BHO: (no name) - {6DC7765E-626F-6B99-EC43-012DDFF27C98} - C:\DOCUME~1\Owen\LOCALS~1\Temp\monwebdb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {EAC24787-4D86-4481-AC4F-DAE27671476C} - C:\WINDOWS\system32\ATIDD.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vlioluyy] C:\WINDOWS\system32\binefyrs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [0A1a5b13Hn] C:\Documents and Settings\All Users\Application Data\bgvelupa\xsbqfijg.exe
O4 - HKUS\S-1-5-21-1614895754-776561741-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1614895754-776561741-725345543-1003\..\Run: [vlioluyy] C:\WINDOWS\system32\binefyrs.exe (User '?')
O4 - HKUS\S-1-5-21-1614895754-776561741-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-1614895754-776561741-725345543-1003 Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntskdm.exe (User '?')
O4 - S-1-5-21-1614895754-776561741-725345543-1003 Startup: DW_Start.lnk = C:\qoobox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir (User '?')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntskdm.exe
O4 - Startup: DW_Start.lnk = C:\qoobox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office2K\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office2K\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn01.kent.k12.wa.us/vdesk/terminal...,2007,0223,0327
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vpn01.kent.k12.wa.us/vdesk/terminal...llerControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206007043403
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn01.kent.k12.wa.us/vdesk/terminal...,2007,0223,0314
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206007032978
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn01.kent.k12.wa.us/vdesk/terminal...,2007,0223,0320
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn01.kent.k12.wa.us/vdesk/terminal...,2007,0223,0312
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A52027A-94E6-4239-81F2-6B01ABAA4490}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ds.boeing.com,nw.nos.boeing.com,hsd1.wa.comcast.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ds.boeing.com,nw.nos.boeing.com,hsd1.wa.comcast.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ds.boeing.com,nw.nos.boeing.com,hsd1.wa.comcast.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: iifcYOHA - iifcYOHA.dll (file missing)
O21 - SSODL: engenact - {162140E1-3850-6051-C4A9-043EA025A3B9} - C:\Program Files\pgtpflf\engenact.dll
O23 - Service: AcrSch2Svc - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: AppMgmt - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AudioSrv - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: avg8emc - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: avg8wd - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BITS - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Browser - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: cisvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: CryptSvc - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DcomLaunch - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Dhcp - Unknown owner - C:\WINDOWS\TEMP\DILA.tmp
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: ERSvc - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: EventSystem - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: ExtranetAccess - Unknown owner - C:\Program Files\Nortel Networks\Extranet_serv.exe (file missing)
O23 - Service: FastUserSwitchingCompatibility - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: helpsvc - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JavaHMO - Unknown owner - C:\Program Files\JavaHMO\bin\Wrapper.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: lanmanworkstation - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ltefx13n - Unknown owner - C:\WINDOWS\system32\ltefx13n.exe (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe
O23 - Service: Netman - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Nla - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: NtmsSvc - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RasAuto - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Schedule - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: seclogon - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: SENS - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SharedAccess - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: ShellHWDetection - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: srservice - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: stisvc - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TapiSrv - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: TermService - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: TivoBeacon2 - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe (file missing)
O23 - Service: TlntSvr - Unknown owner - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: TrkWks - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: UleadBurningHelper - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: W32Time - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: winmgmt - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: WmdmPmSN - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Wmi - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O23 - Service: wscsvc - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: wuauserv - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: WudfSvc - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: WZCSVC - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: xmlprov - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 17545 bytes

-- Files created between 2008-07-29 and 2008-08-29 -----------------------------

2008-08-16 19:18:50 54272 --a------ C:\WINDOWS\17PHolmes1001186.exe
2008-08-16 16:58:31 91648 --a------ C:\WINDOWS\system32\ATIDD.dll
2008-08-16 16:57:58 3584 --a------ C:\WINDOWS\system32\MYBHO.DLL


-- Find3M Report ---------------------------------------------------------------

2008-08-29 21:40:16 15872 --a------ C:\WINDOWS\system32\vssvc.exe
2008-08-29 21:40:05 15872 --a------ C:\WINDOWS\system32\ups.exe
2008-08-29 21:39:52 15872 --a------ C:\WINDOWS\system32\tlntsvr.exe
2008-08-29 21:39:26 15872 --a------ C:\WINDOWS\system32\smlogsvc.exe
2008-08-29 21:38:59 15872 --a------ C:\WINDOWS\system32\spoolsv.exe
2008-08-29 21:38:25 15872 --a------ C:\WINDOWS\system32\scardsvr.exe
2008-08-29 21:38:18 15872 --a------ C:\WINDOWS\system32\rsvp.exe
2008-08-29 21:38:14 15872 --a------ C:\WINDOWS\system32\locator.exe
2008-08-29 21:38:10 15872 --a------ C:\WINDOWS\system32\sessmgr.exe
2008-08-29 21:37:50 15872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-08-29 21:37:18 15872 --a------ C:\WINDOWS\system32\netdde.exe
2008-08-29 21:37:08 15872 --a------ C:\WINDOWS\system32\msdtc.exe
2008-08-29 21:37:07 15872 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2008-08-29 21:36:39 15872 --a------ C:\WINDOWS\system32\imapi.exe
2008-08-29 21:35:16 15872 --a------ C:\WINDOWS\system32\clipsrv.exe
2008-08-29 21:35:12 15872 --a------ C:\WINDOWS\system32\cisvc.exe
2008-08-29 21:34:49 15872 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-08-29 21:34:07 15872 --a------ C:\WINDOWS\system32\alg.exe
2008-08-17 04:12:40 15872 --a------ C:\WINDOWS\system32\ati2evxx.exe
2008-08-16 19:00:30 54272 --a------ C:\WINDOWS\mrofinu1001186.exe
2008-07-15 04:27:17 0 d-------- C:\Program Files\XviD
2008-07-15 04:26:46 0 d-------- C:\Program Files\WinImage
2008-07-15 04:26:41 0 d-------- C:\Program Files\Windows NT
2008-07-15 04:26:22 0 d-------- C:\Program Files\Windows Media Connect 2
2008-07-15 04:25:21 0 d-------- C:\Program Files\Warcraft III
2008-07-15 03:53:40 0 d-------- C:\Program Files\TuneSleeve
2008-07-15 03:53:31 0 d-------- C:\Program Files\Trillian
2008-07-15 03:51:21 0 d-------- C:\Program Files\Snapshot Viewer
2008-07-15 03:51:13 0 d-------- C:\Program Files\Sierra On-Line
2008-07-15 03:50:55 0 d-------- C:\Program Files\Savings Bond Wizard
2008-07-15 03:50:53 0 d-------- C:\Program Files\Ringo
2008-07-15 03:50:49 0 d-------- C:\Program Files\RFlowCollector
2008-07-15 03:48:38 0 d-------- C:\Program Files\QuickTime
2008-07-15 03:48:26 0 d-------- C:\Program Files\PunkBuster
2008-07-15 03:48:19 0 d-------- C:\Program Files\PopUpCop
2008-07-15 03:48:12 0 d-------- C:\Program Files\PlayLinc
2008-07-15 03:46:06 0 d-------- C:\Program Files\PictureProject In Touch Downloader
2008-07-15 03:45:56 0 d-------- C:\Program Files\OpenAL
2008-07-15 03:42:39 0 d-------- C:\Program Files\Nortel Networks
2008-07-15 03:38:50 0 d-------- C:\Program Files\Movie Maker
2008-07-15 03:34:52 0 d-------- C:\Program Files\Messenger
2008-07-15 03:18:53 0 d-------- C:\Program Files\Java Web Start
2008-07-15 03:13:24 0 d-------- C:\Program Files\iDump
2008-07-15 03:09:47 0 d-------- C:\Program Files\Guild Wars
2008-07-15 03:09:23 0 d-------- C:\Program Files\Game_Maker7
2008-07-15 03:08:18 0 d-------- C:\Program Files\Doom 3
2008-07-15 03:06:41 0 d-------- C:\Program Files\Diablo
2008-07-15 03:03:49 0 d-------- C:\Program Files\CPU-Z
2008-07-15 03:03:46 0 d-------- C:\Program Files\ConTEXT
2008-07-15 02:57:39 0 d-------- C:\Program Files\Calendar Creator 7.0
2008-07-15 02:57:12 0 d-------- C:\Program Files\Burn4Free
2008-07-15 02:57:06 0 d-------- C:\Program Files\Bumper Wars
2008-07-15 02:55:33 0 d-------- C:\Program Files\AV Music Morpher Gold
2008-07-15 02:54:59 0 d-------- C:\Program Files\Audacity
2008-07-15 02:53:17 0 d-------- C:\Program Files\AOD
2008-07-15 02:53:11 0 d-------- C:\Program Files\AIM
2008-07-15 00:42:16 0 d-------- C:\Program Files\AVG
2008-07-15 00:31:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 00:12:55 4096 --a------ C:\WINDOWS\system32\winlogonpc.exe
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\taack.exe
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\taack.dat
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\sncntr.exe
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\psoft1.exe
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\psof1.exe
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\ps1.exe
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\mwin32.exe
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.exe
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.dat
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\hoproxy.dll
2008-07-15 00:12:54 4096 --a------ C:\WINDOWS\system32\bsva-egihsg52.exe
2008-07-15 00:12:53 4096 --a------ C:\WINDOWS\system32\temp#01.exe
2008-07-15 00:12:53 4096 --a------ C:\WINDOWS\system32\ssurf022.dll
2008-07-15 00:12:53 4096 --a------ C:\WINDOWS\system32\netode.exe
2008-07-15 00:12:53 4096 --a------ C:\WINDOWS\system32\mtr2.exe
2008-07-15 00:12:53 4096 --a------ C:\WINDOWS\system32\msnbho.dll
2008-07-15 00:12:53 4096 --a------ C:\WINDOWS\system32\msgp.exe
2008-07-15 00:12:53 4096 --a------ C:\WINDOWS\system32\medup012.dll
2008-07-15 00:12:52 4096 --a------ C:\WINDOWS\system32\thun32.dll
2008-07-15 00:12:52 4096 --a------ C:\WINDOWS\system32\thun.dll
2008-07-15 00:12:52 4096 --a------ C:\WINDOWS\system32\ssvchost.exe
2008-07-15 00:12:52 4096 --a------ C:\WINDOWS\system32\ssvchost.com
2008-07-15 00:12:52 4096 --a------ C:\WINDOWS\system32\regm64.dll
2008-07-15 00:12:52 4096 --a------ C:\WINDOWS\system32\regc64.dll
2008-07-15 00:12:52 4096 --a------ C:\WINDOWS\system32\msvchost.exe
2008-07-15 00:12:52 4096 --a------ C:\WINDOWS\system32\dpcproxy.exe
2008-07-15 00:12:51 4096 --a------ C:\WINDOWS\system32\winsystem.exe
2008-07-15 00:12:51 4096 --a------ C:\WINDOWS\system32\vcatchpi.dll
2008-07-15 00:12:51 4096 --a------ C:\WINDOWS\system32\Rundl1.exe
2008-07-15 00:12:51 4096 --a------ C:\WINDOWS\system32\newsd32.exe
2008-07-15 00:12:51 4096 --a------ C:\WINDOWS\system32\mssecu.exe
2008-07-15 00:12:51 4096 --a------ C:\WINDOWS\system32\emesx.dll
2008-07-15 00:12:51 4096 --a------ C:\WINDOWS\system32\anticipator.dll
2008-07-15 00:12:51 4096 --a------ C:\WINDOWS\system32\akttzn.exe
2008-07-15 00:12:50 4096 --a------ C:\WINDOWS\system32\WINWGPX.EXE
2008-07-15 00:12:50 4096 --a------ C:\WINDOWS\system32\sysreq.exe
2008-07-15 00:12:50 4096 --a------ C:\WINDOWS\system32\bdn.com
2008-07-15 00:12:50 4096 --a------ C:\WINDOWS\system32\awtoolb.dll
2008-07-15 00:12:47 4096 --a------ C:\WINDOWS\system32\vbsys2.dll
2008-07-15 00:12:35 145932 --a------ C:\WINDOWS\system32\hszkvkju.exe
2008-07-14 20:31:07 145848 --a------ C:\WINDOWS\system32\nuvsfwji.exe
2008-07-06 19:55:54 114744 --a------ C:\WINDOWS\system32\tkpoxkhu.exe
2008-07-05 19:58:35 122888 --a------ C:\WINDOWS\system32\mjobcpsz.exe
2008-06-20 10:41:10 245248 --a------ C:\WINDOWS\system32\mswsock.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-14 11:49:31 114688 --a------ C:\WINDOWS\system32\lmduxsdw.exe
2008-06-13 23:42:01 110592 --a------ C:\WINDOWS\system32\tydkfajs.exe
2008-06-13 23:35:45 2543 --a------ C:\WINDOWS\unins000.dat
2008-06-13 23:32:23 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-06-13 23:32:05 401964 --a------ C:\WINDOWS\system32\g27.exe
2008-06-13 23:31:59 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0123253f-8062-f585-c900-705afbd16a86}]
05/27/2008 06:36 AM 370176 --a------ C:\WINDOWS\system32\{7428e102-8a8e-9357-774c-4dd17c570e57}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05CADC55-BBFF-457C-93D1-9A18D1E3A351}]
C:\WINDOWS\system32\geedbaa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FA83120-8A93-CB05-B912-0934C1EEACE4}]
06/20/2008 11:21 PM 102400 --a------ C:\DOCUME~1\Max\LOCALS~1\Temp\setwebinfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F34A306-8E74-40C9-BAA0-93609E4813C6}]
C:\WINDOWS\system32\iifcYOHA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
08/17/2008 04:11 AM 3584 --a------ C:\WINDOWS\system32\MYBHO.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61F4D495-2DA9-330D-539D-0A5DDA60C61F}]
C:\DOCUME~1\Barry\LOCALS~1\Temp\strsrvsh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DC7765E-626F-6B99-EC43-012DDFF27C98}]
06/15/2008 02:33 PM 102400 --a------ C:\DOCUME~1\Owen\LOCALS~1\Temp\monwebdb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/15/2008 12:42 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAC24787-4D86-4481-AC4F-DAE27671476C}]
03/28/2008 08:52 PM 91648 --a------ C:\WINDOWS\system32\ATIDD.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/15/2008 12:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" []
"vlioluyy"="C:\WINDOWS\system32\binefyrs.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"0A1a5b13Hn"=C:\Documents and Settings\All Users\Application Data\bgvelupa\xsbqfijg.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3F34A306-8E74-40C9-BAA0-93609E4813C6}"= C:\WINDOWS\system32\iifcYOHA.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"engenact"= {162140E1-3850-6051-C4A9-043EA025A3B9} - C:\Program Files\pgtpflf\engenact.dll [05/25/2008 12:08 PM 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcYOHA]
iifcYOHA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1005\Scripts\Logoff\0\0]
"Script"=loguserout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1005\Scripts\Logon\0\0]
"Script"=loguserin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1005\Scripts\Logon\0\1]
"Script"=copydir.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1006\Scripts\Logoff\0\0]
"Script"=loguserout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1006\Scripts\Logon\0\0]
"Script"=loguserin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1006\Scripts\Logon\0\1]
"Script"=copydir.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"b4d7cdf4"=rundll32.exe "C:\WINDOWS\opmmnl.dll",b
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"MaxBlastMonitor.exe"=C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
"ExploreUpdSched"=C:\WINDOWS\system32\mcntskdm.exe DWram

-- End of Deckard's System Scanner: finished at 2008-08-29 21:43:36 ------------

#2 teacup61
    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 September 2008 - 06:28 PM

Hello meakerb,

Welcome to Bleeping Computer :)

You're in really bad shape here. :thumbsup: I need a file uploaded so I know how to proceed, please.

Please navigate to the following file:

C:\DOCUME~1\Max\LOCALS~1\Temp\setwebinfo.dll

Please do the same for: C:\DOCUME~1\Owen\LOCALS~1\Temp\monwebdb.dll
And: C:\Program Files\pgtpflf\engenact.dll

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 meakerb

  • Topic Starter

  • Members
  • 5 posts

Posted 01 September 2008 - 08:39 PM

Thanks for the fast response.
For the file C:\DOCUME~1\Max\LOCALS~1\Temp\setwebinfo.dll, the scan found 3 issues (sorry, the cut and paste is not formatted well, and I didn't include the Additional Information section):

File setwebinfo.dll received on 09.02.2008 03:16:58 (CET)


Result: 3/36 (8.34%)

Antivirus          Version         Last Update   Result
AhnLab-V3          2008.9.2.0      2008.09.01    -
AntiVir            7.8.1.23        2008.09.01    TR/Crypt.XPACK.Gen
Authentium         5.1.0.4         2008.09.01    -
Avast              4.8.1195.0      2008.09.01    -
AVG                8.0.0.161       2008.09.01    -
BitDefender        7.2             2008.09.02    -
CAT-QuickHeal      9.50            2008.08.29    -
ClamAV             0.93.1          2008.09.02    -
DrWeb              4.44.0.09170    2008.09.01    -
eSafe              7.0.17.0        2008.09.01    -
eTrust-Vet         31.6.6062       2008.09.01    -
Ewido              4.0             2008.09.01    -
F-Prot             4.4.4.56        2008.09.02    -
F-Secure           7.60.13501.0    2008.09.02    -
Fortinet           3.14.0.0        2008.09.01    -
GData              19              2008.09.02    -
Ikarus             T3.1.1.34.0     2008.09.02    -
K7AntiVirus        7.10.435        2008.09.01    -
Kaspersky          7.0.0.125       2008.09.02    -
McAfee             5374            2008.09.01    -
Microsoft          1.3807          2008.08.25    -
NOD32v2            3405            2008.09.01    -
Norman             5.80.02         2008.09.01    -
Panda              9.0.0.4         2008.09.01    -
PCTools            4.4.2.0         2008.09.01    -
Prevx1             V2              2008.09.02    -
Rising             20.60.01.00     2008.09.01    -
Sophos             4.33.0          2008.09.02    Mal/EncPk-DG
Sunbelt            3.1.1592.1      2008.08.30    -
Symantec           10              2008.09.02    -
TheHacker          6.3.0.8.069     2008.09.01    -
TrendMicro         8.700.0.1004    2008.09.01    -
VBA32              3.12.8.4        2008.09.01    -
ViRobot            2008.9.1.1359   2008.09.01    -
VirusBuster        4.5.11.0        2008.09.01    -
Webwasher-Gateway  6.6.2           2008.09.01    Trojan.Crypt.XPACK.Gen


======
For the file C:\DOCUME~1\Owen\LOCALS~1\Temp\monwebdb.dll

File monwebdb.dll received on 09.02.2008 03:28:16 (CET)


Result: 3/36 (8.34%)

Antivirus          Version         Last Update   Result
AhnLab-V3          2008.9.2.0      2008.09.01    -
AntiVir            7.8.1.23        2008.09.01    TR/Crypt.XPACK.Gen
Authentium         5.1.0.4         2008.09.01    -
Avast              4.8.1195.0      2008.09.01    -
AVG                8.0.0.161       2008.09.01    -
BitDefender        7.2             2008.09.02    -
CAT-QuickHeal      9.50            2008.08.29    -
ClamAV             0.93.1          2008.09.02    -
DrWeb              4.44.0.09170    2008.09.01    -
eSafe              7.0.17.0        2008.09.01    -
eTrust-Vet         31.6.6062       2008.09.01    -
Ewido              4.0             2008.09.01    -
F-Prot             4.4.4.56        2008.09.02    -
F-Secure           7.60.13501.0    2008.09.02    -
Fortinet           3.14.0.0        2008.09.01    -
GData              19              2008.09.02    -
Ikarus             T3.1.1.34.0     2008.09.02    -
K7AntiVirus        7.10.435        2008.09.01    -
Kaspersky          7.0.0.125       2008.09.02    -
McAfee             5374            2008.09.01    -
Microsoft          1.3807          2008.08.25    -
NOD32v2            3405            2008.09.01    -
Norman             5.80.02         2008.09.01    -
Panda              9.0.0.4         2008.09.01    -
PCTools            4.4.2.0         2008.09.01    -
Prevx1             V2              2008.09.02    -
Rising             20.60.01.00     2008.09.01    -
Sophos             4.33.0          2008.09.02    Mal/EncPk-DG
Sunbelt            3.1.1592.1      2008.08.30    -
Symantec           10              2008.09.02    -
TheHacker          6.3.0.8.069     2008.09.01    -
TrendMicro         8.700.0.1004    2008.09.01    -
VBA32              3.12.8.4        2008.09.01    -
ViRobot            2008.9.1.1359   2008.09.01    -
VirusBuster        4.5.11.0        2008.09.01    -
Webwasher-Gateway  6.6.2           2008.09.01    Trojan.Crypt.XPACK.Gen


====
For the file C:\Program Files\pgtpflf\engenact.dll

File has already been analysed:
MD5: c310c1cb82fe2c2177a78a3ad722491b
First received: 05.26.2008 16:12:37 (CET)
Date: 05.26.2008 16:12:37 (CET) [>98D]
Results: 4/33
Permalink: analisis/9fe5781f08f0bb17268ff0441ae5083d


If I click on the show last report button, it gives me the following results:

File engenact.dll received on 05.26.2008 16:12:37 (CET)
Current status: finished

Result: 4/33 (12.12%)
Compact Print results
Antivirus          Version   Last Update   Result
AhnLab-V3          -         -             -
AntiVir            -         -             HEUR/Crypted
Authentium         -         -             -
Avast              -         -             -
AVG                -         -             -
BitDefender        -         -             -
CAT-QuickHeal      -         -             -
ClamAV             -         -             -
DrWeb              -         -             -
eSafe              -         -             -
eTrust-Vet         -         -             -
Ewido              -         -             -
F-Prot             -         -             -
F-Secure           -         -             -
FileAdvisor        -         -             -
Fortinet           -         -             -
GData              -         -             -
Ikarus             -         -             -
Kaspersky          -         -             -
McAfee             -         -             -
Microsoft          -         -             -
NOD32v2            -         -             -
Norman             -         -             -
Panda              -         -             Suspicious file
Prevx1             -         -             -
Rising             -         -             -
Sophos             -         -             Mal/EncPk-DG
Sunbelt            -         -             -
Symantec           -         -             -
TheHacker          -         -             -
VBA32              -         -             -
VirusBuster        -         -             -
Webwasher-Gateway  -         -             Heuristic.Crypted

Edited by meakerb, 02 September 2008 - 01:15 AM.


#4 teacup61
    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 September 2008 - 08:54 PM

Hello,

Thanks for that. :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 meakerb

  • Topic Starter

  • Members
  • 5 posts

Posted 05 September 2008 - 03:16 AM

Arggggg! What a mess! This is what happened...
  • With the hard drive in the good computer, I downloaded ComboFix to it.
  • Transferred the hard drive to the bad computer.
  • Logged in in safe mode.
  • Started ComboFix
  • Was told that C:\WINDOWS\regedit.exe didn't exist
  • Transferred the hard drive back to the good computer, copied regedit.exe, and then moved the hard drive back to the bad computer
  • Logged in again in safe mode and started ComboFix
  • Once it started running and looked like everything was progressing I left the machine for a while
  • When I came back, the screen was the login screen (showing the list of users)
  • So I logged in again (but not in safe mode)
  • Still no desktop icons or task bar. I had to do CTRL-ALT-DEL to get the task manager (with no tabs) and used start task... to start explorer.
  • About that time the desktop icons appear, but the background is replaced with the screen that says "Warning: Spyware threat has been detected on your PC" bla bla bla click here to scan.
  • Can't find the log file that I thought ComboFix was supposed to create...
  • Tried to run ComboFix again, but each time I try I get a windows message box labeled "327882RFWJFW\hidec.exe" that tells me "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
  • After several attempts to fix the access rights to the folder C:\327882RFWJFW and the hidec.exe file within it (which I never saw why I wouldn't have execute access rights) I gave up
  • Rebooted into safe mode
  • Reran ComboFix
  • This time when the machine rebooted, I went back into safe mode before logging in
  • ComboFix completed its run and created a log file (attached below)
  • Moved the hard drive back to the good machine so I could read the log file and post this reply.
Whew!

A couple of notes:
1) On the hard drive I noticed that in Documents and Settings there is a folder for Barry (my account name) plus there is one for Barry.PAPABEAR (which is not on the "good" computer's hard drive).

2) When I was looking at the differences between the \WINDOWS directories I noticed that notepad.exe was the same date, but the one on the bad hard drive was larger (72KB vs 68KB). So I copied the one from my good hard drive over the top of the bad one.

Let's hope this helps!
Thanks,
Barry


ComboFix 08-09-04.08 - Barry 2008-09-04 23:28:49.7 - NTFSx86 MINIMAL
Running from: C:\Anti-Spyware\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Barry\Desktop\blackbird.jpg
C:\Documents and Settings\Barry\Desktop\virii
C:\Documents and Settings\Barry\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Barry\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Caity\Cookies\caity@a[1].txt
C:\Documents and Settings\Caity\Cookies\caity@a[2].txt
C:\Documents and Settings\Caity\Cookies\caity@a[3].txt
C:\Documents and Settings\Caity\Cookies\caity@offeroptimizer[1].txt
C:\Documents and Settings\Caity\Cookies\caity@rightmedia[1].txt
C:\Documents and Settings\Max\Cookies\max@hb.autodesk[2].txt
C:\Documents and Settings\Max\Cookies\max@newgrounds[2].txt
C:\Documents and Settings\Max\Cookies\max@spamblockerutility[1].txt
C:\Documents and Settings\Max\Cookies\max@www35.vzw[1].txt
C:\Documents and Settings\Owen\My Documents\WNSXS~1
C:\Program Files\PC-Cleaner
C:\test.txt
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system32\actived.dll
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\ALu.dll
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\ATIDD.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\MYBHO.DLL
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE

.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-05 00:10 . 2004-08-04 00:56 40,448 --a------ C:\WINDOWS\system32\rundll32.exe
2008-09-04 23:27 . 2008-09-04 23:27 <DIR> d-------- C:\327882R2FWJFW
2008-09-04 23:00 . 2008-09-04 23:00 <DIR> d-------- C:\Documents and Settings\Barry\Application Data\AVGTOOLBAR
2008-09-04 22:19 . 2004-08-04 00:56 153,600 --a------ C:\WINDOWS\regedit.exe
2008-09-01 12:25 . 2008-09-01 12:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-01 12:17 . 2004-08-04 00:56 1,039,360 --a------ C:\WINDOWS\explorer.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 11:27 --------- d-----w C:\Program Files\XviD
2008-07-15 11:26 --------- d-----w C:\Program Files\WinImage
2008-07-15 11:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-15 11:25 --------- d-----w C:\Program Files\Warcraft III
2008-07-15 10:53 --------- d-----w C:\Program Files\TuneSleeve
2008-07-15 10:53 --------- d-----w C:\Program Files\Trillian
2008-07-15 10:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-15 10:51 --------- d-----w C:\Program Files\Snapshot Viewer
2008-07-15 10:51 --------- d-----w C:\Program Files\Sierra On-Line
2008-07-15 10:50 --------- d-----w C:\Program Files\Savings Bond Wizard
2008-07-15 10:50 --------- d-----w C:\Program Files\Ringo
2008-07-15 10:50 --------- d-----w C:\Program Files\RFlowCollector
2008-07-15 10:48 --------- d-----w C:\Program Files\QuickTime
2008-07-15 10:48 --------- d-----w C:\Program Files\PunkBuster
2008-07-15 10:48 --------- d-----w C:\Program Files\PopUpCop
2008-07-15 10:48 --------- d-----w C:\Program Files\PlayLinc
2008-07-15 10:46 --------- d-----w C:\Program Files\PictureProject In Touch Downloader
2008-07-15 10:45 --------- d-----w C:\Program Files\OpenAL
2008-07-15 10:42 --------- d-----w C:\Program Files\Nortel Networks
2008-07-15 10:18 --------- d-----w C:\Program Files\Java Web Start
2008-07-15 10:13 --------- d-----w C:\Program Files\iDump
2008-07-15 10:09 --------- d-----w C:\Program Files\Guild Wars
2008-07-15 10:09 --------- d-----w C:\Program Files\Game_Maker7
2008-07-15 10:08 --------- d-----w C:\Program Files\Doom 3
2008-07-15 10:06 --------- d-----w C:\Program Files\Diablo
2008-07-15 10:03 --------- d-----w C:\Program Files\CPU-Z
2008-07-15 10:03 --------- d-----w C:\Program Files\ConTEXT
2008-07-15 09:57 --------- d-----w C:\Program Files\Calendar Creator 7.0
2008-07-15 09:57 --------- d-----w C:\Program Files\Burn4Free
2008-07-15 09:57 --------- d-----w C:\Program Files\Bumper Wars
2008-07-15 09:55 --------- d-----w C:\Program Files\AV Music Morpher Gold
2008-07-15 09:54 --------- d-----w C:\Program Files\Audacity
2008-07-15 09:53 --------- d-----w C:\Program Files\AOD
2008-07-15 09:53 --------- d-----w C:\Program Files\AIM
2008-07-15 08:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\UtilUiProc
2008-07-15 08:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\utilappui
2008-07-15 08:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SysChk
2008-07-15 08:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\srvdscgen
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\HlpSmart
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\hlpmon
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\genapi
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\GenAdmUi
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\dbenmon
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\cfgdbapl
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\bgvelupa
2008-07-15 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AplSmart
2008-07-15 07:42 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-15 07:42 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-15 07:42 --------- d-----w C:\Program Files\AVG
2008-07-15 07:42 --------- d-----w C:\Documents and Settings\Owen\Application Data\AVGTOOLBAR
2008-07-15 07:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-15 07:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2008-07-15 00:43 23 ----a-w C:\Documents and Settings\Owen\jagex_runescape_preferences.dat
2008-06-14 06:31 691,545 ----a-w C:\WINDOWS\unins000.exe
2007-12-27 01:27 22,328 ----a-w C:\Documents and Settings\Owen\Application Data\PnkBstrK.sys
2007-12-26 23:36 22,328 ----a-w C:\Documents and Settings\Max\Application Data\PnkBstrK.sys
2007-12-22 00:23 1 ----a-w C:\Documents and Settings\Barry\SI.bin
1999-04-30 23:00 98,304 ------w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2001-09-03 20:21 309,453 --sha-w C:\WINDOWS\rsx.exe
2005-08-02 23:58 304,128 --sha-r C:\WINDOWS\QmFycnkgTWVha2Vy\command.exe
2006-08-05 23:50 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-01 13:45 241,152 --sh--r C:\WINDOWS\system32\w?nlogon.exe
.

------- Sigcheck -------

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-12-28 18:31 574464 0706e1cd6b89800781db038f4b3f5654 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2002-11-01 15:26 528896 68e1f4ef02df52ca9c5e157045d23582 C:\WINDOWS\$NtUninstallKB824141$\user32.dll
2003-09-25 09:49 560128 32173306185f603e75c477e117f3bb8d C:\WINDOWS\$NtUninstallKB840987$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2004-06-17 10:58 560128 31fb2d788a9aa618452c02e8375b6dcd C:\WINDOWS\$NtUninstallKB891711$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2002-08-29 03:41 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\$NtUninstallQ328310$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2001-08-23 05:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2005-01-27 10:08 657920 a8eac5330876548e9966a7d13025d196 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 13:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-03-10 00:43 657920 c8663b488996e89a84c3d17c1d12b79e C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2005-09-02 16:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-07-02 19:09 659456 6e533d155b259eb2363d3e04b5be309f C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2005-10-20 20:38 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 20:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-09 22:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 04:25 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 01:31 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\$hf_mig$\KB922760\SP2QFE\wininet.dll
2008-04-20 23:56 666624 2e7de1bf9418b071799eb53de8cc22f5 C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\wininet.dll
2008-04-20 23:44 666112 2b0c24aa747a93a28987b6d65a4a74bc C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\wininet.dll
2008-04-20 23:24 666624 26f240c250e5b4b395cb4b178ba75437 C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\wininet.dll
2004-12-07 17:37 590336 9ffcb74df9474fd2a4148c355b40fc55 C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB867282$\wininet.dll
2004-02-06 19:05 588288 4f64d1df989e3aa2fad91a2f1167b9c7 C:\WINDOWS\$NtUninstallKB867282-IE6SP1-20050127.163319$\wininet.dll
2005-03-10 01:02 656896 6f018d6319be4f96426ea829b79e05d5 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
2005-01-27 10:13 656896 b5e043e440b210014e021b24cf0a72e3 C:\WINDOWS\$NtUninstallKB890923$\wininet.dll
2005-07-02 19:11 658432 5b5ff992c0fa762ccf8655fc290e6e52 C:\WINDOWS\$NtUninstallKB896688$\wininet.dll
2005-05-02 13:52 657920 1a078af3f85d10ba56444c23b3a18e74 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
2005-09-02 16:52 658432 af61ebb1f550175eff406d545d6ab086 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
2005-10-20 20:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
2006-03-03 20:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
2006-05-09 22:23 658432 38ab7a56f566d9aaad31812494944824 C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
2006-06-23 04:02 658944 2b4db890936430c71419037039502752 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
2006-09-14 01:39 658944 621af3f6174a3f60677f5230e28bcc07 C:\WINDOWS\$NtUninstallKB950759$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-12-06 18:07 659456 57d1b5150cf6331fac6b3e04c1fcb966 C:\WINDOWS\SoftwareDistribution\Download\b386176bfcde202f7ed536e83198267a\sp2gdr\wininet.dll
2007-12-06 17:44 666112 085a7c37f9c6ede1ba870b7dbec06399 C:\WINDOWS\SoftwareDistribution\Download\b386176bfcde202f7ed536e83198267a\sp2qfe\wininet.dll
2008-04-21 00:04 659456 1efb8a3ea8454aec1bb8a240a2845598 C:\WINDOWS\system32\wininet.dll
2008-04-21 00:04 659456 1efb8a3ea8454aec1bb8a240a2845598 C:\WINDOWS\system32\dllcache\wininet.dll

2005-05-25 12:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 10:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 05:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 03:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 04:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 12:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 19:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 04:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 10:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-06-20 03:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2gdr\tcpip.sys
2008-06-20 03:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2qfe\tcpip.sys
2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
2008-06-20 04:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
2008-06-20 03:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 03:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\system32\drivers\tcpip.sys

2004-05-26 18:38 490496 c7d2cafb456c827148ec86f4683accb9 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2002-08-29 03:41 523776 315d6b6e8cb09faa178c3e0a4af50414 C:\WINDOWS\$NtUninstallKB840987$\winlogon.exe
2004-08-04 00:56 509440 ac873c738031f1405b3641ab1b4e371b C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2002-08-29 02:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 02:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-10-22 00:29 1955840 efa7883018f42295d927121808ae6cee C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2003-04-24 08:57 1949440 46ae6f2d416c39ffdcfc8bcb01203ea3 C:\WINDOWS\$NtUninstallKB840987$\ntkrnlpa.exe
2004-06-17 01:03 1954688 ed0d7a5f1138ccfd3ecaf8f6ac691f13 C:\WINDOWS\$NtUninstallKB885835_0$\ntkrnlpa.exe
2004-08-03 22:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2002-08-29 01:04 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtUninstallQ811493$\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-03 22:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-01 18:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 02:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-10-22 01:33 2088448 5a7eb0c9f96917b7ecf5adf70c4b1bae C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2003-04-24 08:57 1925760 97ec4ab4650da6fc521cf16f8a6ddcb0 C:\WINDOWS\$NtUninstallKB840987$\ntoskrnl.exe
2004-06-17 10:22 2051584 f240dc474f8edb2d95514d831df069e5 C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe
2004-08-03 23:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2002-08-29 02:03 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtUninstallQ811493$\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-03 23:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2004-08-04 00:56 1039360 b7cb8d46f1e71283d8317398e12439e3 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1040384 a4f6976973fc838a6daaa71e217bdfdb C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2002-08-29 03:41 1011200 a7ffcb0d7a511f82251af440fc37836b C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1039360 3322278fddb6564d7b69e4f11141427b C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 00:56 1039360 d66171bb12672bbe2c3d3b076b4abb82 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 03:23 1040384 b0cbb4abadeaec6a123633808bf15396 C:\WINDOWS\system32\dllcache\explorer.exe

2001-08-23 05:00 108544 17b0c6d06ed23255c1cae31d48cf9c6f C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 115200 3a2c26c19d957f1bacab786f274da5dc C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2002-08-29 03:41 18944 91b02659775a0a3911e991137b64b5ce C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 20480 de0e091d6452a6e9d6dbfc6943bac8e4 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2005-06-10 17:17 65024 f78823f0eb23dc5d4685c2e7bb8b9b35 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2001-08-23 05:00 58368 6b8dea30c24b711bc076f088d7b4d838 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 00:56 65024 3080a5b3abf85bc4131c63d1515504f4 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2004-08-04 00:56 65024 78ade78ef6306e5bfdfc41786402fdce C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2008-09-05 00:28 15872 2cf8c888391dc44c2be66a5a7ba8a76c C:\WINDOWS\system32\spoolsv.exe

2002-08-29 03:41 29184 7ab10b407755209dfea0d7acad3b8933 C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2004-08-04 00:56 31744 6af15763523adfa000b9b158f661c35e C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2004-08-04 00:56 31744 3a614f7917528cb036ace905e5e2f456 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0123253f-8062-f585-c900-705afbd16a86}]
2008-05-27 06:36 370176 --a------ C:\WINDOWS\system32\{7428e102-8a8e-9357-774c-4dd17c570e57}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-15 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"engenact"= {162140E1-3850-6051-C4A9-043EA025A3B9} - C:\Program Files\pgtpflf\engenact.dll [2008-05-25 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1005\Scripts\Logoff\0\0]
"Script"=loguserout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1005\Scripts\Logon\0\0]
"Script"=loguserin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1005\Scripts\Logon\0\1]
"Script"=copydir.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1006\Scripts\Logoff\0\0]
"Script"=loguserout.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1006\Scripts\Logon\0\0]
"Script"=loguserin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-776561741-725345543-1006\Scripts\Logon\0\1]
"Script"=copydir.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"b4d7cdf4"=rundll32.exe "C:\WINDOWS\opmmnl.dll",b
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"MaxBlastMonitor.exe"=C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
"ExploreUpdSched"=C:\WINDOWS\system32\mcntskdm.exe DWram

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-07-15 00:42]
R2 avg8emc;avg8emc;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-05 00:22]
R2 avg8wd;avg8wd;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-05 00:22]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-15 00:42]
R2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-04-30 23:16]
R2 JavaHMO;JavaHMO;C:\Program Files\JavaHMO\bin\Wrapper.exe []
R2 ltefx13n;ltefx13n;C:\WINDOWS\system32\ltefx13n.exe []
R2 TivoBeacon2;TivoBeacon2;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe []
R3 asbp2poa;asbp2poa;C:\DOCUME~1\Owen\LOCALS~1\Temp\asbp2poa.sys []
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 14:50]
R3 ExtranetAccess;ExtranetAccess;C:\Program Files\Nortel Networks\Extranet_serv.exe []
R3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2005-12-15 00:41]
R3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-04-30 23:16]
R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2007-02-22 20:29]
R3 WCPUID;WCPUID;C:\BabyBear Backup\Junk\WCPUID.SYS [2000-08-16 02:08]
R4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.syS []
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\System32\DRIVERS\si3112r.sys [2002-10-15 19:57]
S2 VPCAppSv;Virtual PC Application Services;C:\WINDOWS\system32\DRIVERS\VPCAppSv.sys [2001-10-29 05:20]

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{05CADC55-BBFF-457C-93D1-9A18D1E3A351} - C:\WINDOWS\system32\geedbaa.dll
BHO-{0FA83120-8A93-CB05-B912-0934C1EEACE4} - C:\DOCUME~1\Max\LOCALS~1\Temp\setwebinfo.dll
BHO-{61F4D495-2DA9-330D-539D-0A5DDA60C61F} - C:\DOCUME~1\Barry\LOCALS~1\Temp\strsrvsh.dll
BHO-{6DC7765E-626F-6B99-EC43-012DDFF27C98} - C:\DOCUME~1\Owen\LOCALS~1\Temp\monwebdb.dll
HKCU-Run-ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
HKCU-Run-vlioluyy - C:\WINDOWS\system32\binefyrs.exe
HKLM-Explorer_Run-0A1a5b13Hn - C:\Documents and Settings\All Users\Application Data\bgvelupa\xsbqfijg.exe
Notify-iifcYOHA - iifcYOHA.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\2l8hixbr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.
.
------- File Associations (Beta) -------
.
txtfile=%windir%\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 00:23:35
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Apple Mobile Device]
"ImagePath"="C:\WINDOWS\TEMP\DIL25.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ImagePath"="C:\WINDOWS\TEMP\DILA.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-09-05 0:35:06 - machine was rebooted [Barry]
ComboFix-quarantined-files.txt 2008-09-05 07:34:59
ComboFix2.txt 2008-06-14 06:26:47

Pre-Run: 245,630,623,744 bytes free
Post-Run: 245,607,510,016 bytes free

399 --- E O F --- 2008-07-09 10:03:42

#6 meakerb


Posted 05 September 2008 - 03:51 AM

Oops, I forgot you had asked for a HijackThis log.

After putting the hard drive back into the bad computer, I tried to log in (not in safe mode). Instead of the list of accounts, it was the username and password box. When I logged in, I would immediately be logged out. So I went back to safe mode.

I had noticed, during the many times I had booted this drive up, that the machine was running EXTREMELY slow. So this time, once I was logged in, I didn't do the CTRL-ALT-DEL. Sure enough, given enough time, the Windows message came up that it was running in safe mode. After saying YES, that was OK, the desktop icons appeared!

However, the taskbar at the bottom was just a solid grey bar a couple of pixels high - no start button, clock, or anything. So I still had to do the CTRL-ALT-DEL to get to the Task Manager and then start explorer. From there I ran HijackThis.

Once I saved the log file, I tried to reopen it. But the system wouldn't let me do that.

Thanks again for your help.

Barry
===================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:53 AM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-support.boeing.com:31060/proxy.pac
O2 - BHO: gooochi browser optimizer - {0123253f-8062-f585-c900-705afbd16a86} - C:\WINDOWS\system32\{7428e102-8a8e-9357-774c-4dd17c570e57}.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1614895754-776561741-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office2K\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office2K\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn01.kent.k12.wa.us/vdesk/terminal...,2007,0223,0327
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vpn01.kent.k12.wa.us/vdesk/terminal...llerControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206007043403
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn01.kent.k12.wa.us/vdesk/terminal...,2007,0223,0314
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206007032978
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://vpn01.kent.k12.wa.us/vdesk/terminal...,2007,0223,0320
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn01.kent.k12.wa.us/vdesk/terminal...,2007,0223,0312
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A52027A-94E6-4239-81F2-6B01ABAA4490}: NameServer = 68.87.69.146,68.87.85.98
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ds.boeing.com,nw.nos.boeing.com,hsd1.wa.comcast.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ds.boeing.com,nw.nos.boeing.com,hsd1.wa.comcast.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ds.boeing.com,nw.nos.boeing.com,hsd1.wa.comcast.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: engenact - {162140E1-3850-6051-C4A9-043EA025A3B9} - C:\Program Files\pgtpflf\engenact.dll
O23 - Service: AcrSch2Svc - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\DIL25.tmp (file missing)
O23 - Service: AppMgmt - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AudioSrv - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: avg8emc - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: avg8wd - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BITS - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Browser - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: cisvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: CryptSvc - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DcomLaunch - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Dhcp - Unknown owner - C:\WINDOWS\TEMP\DILA.tmp (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: ERSvc - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: EventSystem - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: ExtranetAccess - Unknown owner - C:\Program Files\Nortel Networks\Extranet_serv.exe (file missing)
O23 - Service: FastUserSwitchingCompatibility - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: helpsvc - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JavaHMO - Unknown owner - C:\Program Files\JavaHMO\bin\Wrapper.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: lanmanworkstation - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ltefx13n - Unknown owner - C:\WINDOWS\system32\ltefx13n.exe (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe
O23 - Service: Netman - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Nla - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: NtmsSvc - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RasAuto - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Schedule - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: seclogon - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: SENS - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SharedAccess - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: ShellHWDetection - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: srservice - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: stisvc - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TapiSrv - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: TermService - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: TivoBeacon2 - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe (file missing)
O23 - Service: TlntSvr - Unknown owner - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: TrkWks - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: UleadBurningHelper - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: W32Time - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: winmgmt - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: WmdmPmSN - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Wmi - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O23 - Service: wscsvc - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: wuauserv - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: WudfSvc - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: WZCSVC - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: xmlprov - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 15622 bytes

#7 teacup61

  • Malware Response Team

Posted 06 September 2008 - 04:21 PM

Hello,

Thanks Barry.....this really is a tough one. :) Let's see if we can make some more progress. :thumbsup: But, this stuff is new and nasty, so I would feel much better if I knew you had a backup of your important documents. From your description it sounds like your computer has been compromised and, to be honest, may not ever be secure again, no matter what we do here. :)

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Thanks,
tea