Unwanted Pop Ups and Freezing


This topic is locked
29 replies to this topic

#1 cardinals5883 (Members, 30 posts)

Posted 01 December 2008 - 11:15 PM

My computer recently started getting pop-ups every few minutes and has been locking up a lot. One of the common pop-ups is for AntiVirus2009, asking me to download it. Here is my HijackThis log:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Brian at 2008-12-01 23:02:00
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 25 GB (64%) free of 39 GB
Total RAM: 223 MB (30% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:27 PM, on 12/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Brian\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Brian.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: {5d497741-884e-3798-c744-11a29577a021} - {120a7759-2a11-447c-8973-e488147794d5} - C:\WINDOWS\system32\pvchsm.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\qoMedecc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FF819240-DDAB-4A2C-B6E0-69DD2555037A} - C:\WINDOWS\system32\pmnlmnMe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [Test] "C:\WINDOWS\ECURIT~1\wuauclt.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ooqag] C:\WINDOWS\system32\safhfh.exe reg_run (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [kmff] C:\PROGRA~1\COMMON~1\kmff\kmffm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Rygtml] C:\Documents and Settings\LocalService\Application Data\?icrosoft.NET\?hkdsk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Test] "C:\WINDOWS\ECURIT~1\wuauclt.exe" -vt yazr (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225851144712
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O20 - AppInit_DLLs: pvchsm.dll
O20 - Winlogon Notify: qoMedecc - C:\WINDOWS\SYSTEM32\qoMedecc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8401 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Brian.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{120a7759-2a11-447c-8973-e488147794d5}]
C:\WINDOWS\system32\pvchsm.dll [2008-12-01 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}]
C:\WINDOWS\system32\qoMedecc.dll [2008-11-30 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2006-02-14 1191424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF819240-DDAB-4A2C-B6E0-69DD2555037A}]
C:\WINDOWS\system32\pmnlmnMe.dll [2008-11-30 318464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2006-02-14 1191424]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LXSUPMON"=C:\WINDOWS\system32\LXSUPMON.EXE [2002-01-28 885760]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2006-09-25 229952]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-12-21 185896]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [2004-08-25 3321344]
"AIM"=C:\Program Files\AIM\aim.exe [2005-06-02 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="pvchsm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMedecc]
C:\WINDOWS\system32\qoMedecc.dll [2008-11-30 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINDOWS\system32\wzcdlg.dll [2004-08-04 378368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll [2006-06-16 73728]
"{A63E645F-13BD-45ED-B15F-6E8C1BD57279}"=C:\WINDOWS\system32\qoMedecc.dll [2008-11-30 25600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\pmnlmnMe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\myTunes Redux\mDNSResponder.exe"="C:\Program Files\myTunes Redux\mDNSResponder.exe:*:Disabled:mDNSResponder"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\Program Files\Common Files\AOL\1133205346\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1133205346\ee\aim6.exe:*:Disabled:AIM"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1133205346\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1133205346\ee\aolsoftware.exe:*:Disabled:AOL Services"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes"
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"="C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Disabled:Microsoft Office Word"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Firefly Studios\Stronghold Crusader\Stronghold Crusader.exe"="C:\Program Files\Firefly Studios\Stronghold Crusader\Stronghold Crusader.exe:*:Disabled:Stronghold Crusader"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-01 23:02:04 ----D---- C:\Program Files\trend micro
2008-12-01 23:02:00 ----D---- C:\rsit
2008-12-01 21:25:33 ----A---- C:\WINDOWS\system32\pvchsm.dll
2008-12-01 21:25:31 ----A---- C:\WINDOWS\system32\usljupwo.dll
2008-12-01 21:24:54 ----SH---- C:\WINDOWS\system32\levbnitm.ini
2008-12-01 21:24:46 ----A---- C:\WINDOWS\system32\mtinbvel.dll
2008-12-01 18:09:36 ----SH---- C:\WINDOWS\system32\xutbkrlm.ini
2008-12-01 18:09:19 ----A---- C:\WINDOWS\system32\mlrkbtux.dll
2008-11-30 21:34:24 ----A---- C:\WINDOWS\system32\nsiudi.dll
2008-11-30 21:34:19 ----A---- C:\WINDOWS\system32\lybekdak.dll
2008-11-30 21:33:30 ----A---- C:\WINDOWS\system32\bfa88775-.txt
2008-11-30 21:26:00 ----ASH---- C:\WINDOWS\system32\eMnmlnmp.ini2
2008-11-30 21:25:57 ----ASH---- C:\WINDOWS\system32\eMnmlnmp.ini
2008-11-30 21:25:35 ----A---- C:\WINDOWS\system32\pmnlmnMe.dll
2008-11-30 21:20:55 ----D---- C:\Documents and Settings\Brian\Application Data\gadcom
2008-11-30 21:20:30 ----D---- C:\Documents and Settings\Brian\Application Data\GetModule
2008-11-30 21:20:27 ----D---- C:\Program Files\GetModule
2008-11-30 21:20:25 ----D---- C:\Program Files\iCheck
2008-11-30 21:20:00 ----A---- C:\WINDOWS\system32\jkkhfghF.dll
2008-11-30 21:19:57 ----A---- C:\WINDOWS\system32\qoMedecc.dll
2008-11-30 21:19:24 ----A---- C:\WINDOWS\system32\digeste.dll
2008-11-04 21:53:26 ----SHDC---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-11-04 21:52:17 ----D---- C:\Program Files\Windows Live
2008-11-04 21:51:46 ----D---- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-11-04 21:13:22 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-11-04 21:13:22 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-11-04 21:13:21 ----A---- C:\WINDOWS\system32\wuapi.dll.mui

======List of files/folders modified in the last 1 months======

2008-12-01 23:02:04 ----AD---- C:\Program Files
2008-12-01 23:01:54 ----D---- C:\WINDOWS\Prefetch
2008-12-01 22:58:23 ----D---- C:\WINDOWS
2008-12-01 22:57:01 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-01 22:50:18 ----D---- C:\WINDOWS\temp
2008-12-01 21:25:33 ----D---- C:\WINDOWS\system32
2008-12-01 19:10:20 ----D---- C:\Program Files\Mozilla Firefox
2008-12-01 19:03:44 ----SD---- C:\WINDOWS\Tasks
2008-12-01 19:02:20 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-30 23:37:38 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-27 00:08:34 ----SD---- C:\Documents and Settings\Brian\Application Data\Microsoft
2008-11-05 07:05:44 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-04 21:53:26 ----D---- C:\Program Files\Common Files
2008-11-04 21:53:16 ----SHD---- C:\WINDOWS\Installer
2008-11-04 21:44:51 ----D---- C:\WINDOWS\SoftwareDistribution
2008-11-04 21:36:41 ----HD---- C:\WINDOWS\inf
2008-11-04 21:13:26 ----D---- C:\WINDOWS\Help
2008-11-04 21:12:38 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-03 21:34:05 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-04 37376]
R1 ewido anti-spyware 4.0 driver;ewido anti-spyware 4.0 driver; \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-01-21 267384]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-11-23 17801]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 BCM43XX;Linksys Wireless-G PCI Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-12-22 369024]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-07-14 14448]
R3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2003-12-12 652689]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060510.019\NAVENG.Sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060510.019\NavEx15.Sys []
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 S3Psddr;S3Psddr; C:\WINDOWS\system32\DRIVERS\s3gnbm.sys [2004-03-02 167040]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2005-04-08 179968]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
S3 S3SavageNB;S3SavageNB; C:\WINDOWS\system32\DRIVERS\s3gnbm.sys [2004-03-02 167040]
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-01-21 26424]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 mchInjDrv;mchInjDrv; \??\C:\DOCUME~1\Brian\LOCALS~1\Temp\mc23.tmp []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-12-22 255600]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-12-22 235120]
R2 ewido anti-spyware 4.0 guard;ewido anti-spyware 4.0 guard; C:\Program Files\ewido anti-spyware 4.0\guard.exe [2006-06-16 172032]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2002-02-14 299008]
R2 navapsvc;Norton AntiVirus Auto Protect Service; C:\Program Files\Norton AntiVirus\navapsvc.exe [2003-11-24 158664]
R2 SAVScan;SAVScan; C:\Program Files\Norton AntiVirus\SAVScan.exe [2005-01-25 194272]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2005-11-26 585728]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-09-25 451136]
S2 SBService;ScriptBlocking Service; C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe [2003-06-24 66784]
S2 WMP54GSSVC;WMP54GSSVC; C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-12-22 87664]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-01-21 206552]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------
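
The log above is worth reading for its persistence points before anything else: pvchsm.dll is both a BHO and the AppInit_DLLs value (so it is mapped into every process that loads user32.dll), qoMedecc.dll is both a BHO and a Winlogon Notify package, pmnlmnMe is both a BHO and an extra LSA authentication package next to msv1_0, digeste.dll has been appended to SecurityProviders beside the genuine digest.dll, and the SYSTEM hive's Run key starts a wuauclt.exe from C:\WINDOWS\ECURIT~1 rather than from system32. The RSIT "files created" list dates all of these DLLs to 2008-11-30 and 2008-12-01. The script below is an added example, not part of the original post and not a HijackThis feature: it parses the O2/O4/O20 lines and the RSIT registry dump, flags entries of those kinds, and cross-references file names that are hooked in more than one place. The sample input is a verbatim excerpt of the log above; the XP default lists, the "borrowed names" list, the rule names, the severities and the RunNarrator allowlist are the editor's assumptions.

```python
"""Triage heuristics for a pasted HijackThis / RSIT log (added example, not from the post)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input: lines excerpted verbatim from the log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: {5d497741-884e-3798-c744-11a29577a021} - {120a7759-2a11-447c-8973-e488147794d5} - C:\WINDOWS\system32\pvchsm.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\qoMedecc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FF819240-DDAB-4A2C-B6E0-69DD2555037A} - C:\WINDOWS\system32\pmnlmnMe.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [Test] "C:\WINDOWS\ECURIT~1\wuauclt.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ooqag] C:\WINDOWS\system32\safhfh.exe reg_run (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Rygtml] C:\Documents and Settings\LocalService\Application Data\?icrosoft.NET\?hkdsk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O20 - AppInit_DLLs: pvchsm.dll
O20 - Winlogon Notify: qoMedecc - C:\WINDOWS\SYSTEM32\qoMedecc.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\pmnlmnMe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
"""

# Editor's assumed baselines, not HijackThis logic: XP SP2 defaults, plus Windows binary
# names that malware borrows (the genuine copies live in system32).
SYSTEM32 = r"c:\windows\system32"
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
BORROWED_NAMES = {"wuauclt.exe", "svchost.exe", "chkdsk.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}
KNOWN_BENIGN_LABELS = {"RunNarrator"}  # XP's own accessibility RunOnce under .DEFAULT (assumed benign)

GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")
FIRST_PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))', re.I)

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str      # text before the first "-" names the persistence location
    file: str      # lower-cased file name without directory or .dll/.exe, for cross-referencing
    line: str

def _stem(path: str) -> str:
    return re.sub(r"\.(dll|exe)$", "", path.rsplit("\\", 1)[-1].lower())

def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""

def triage(log: str) -> list[Finding]:
    """Walk the log once and emit one Finding per suspicious persistence entry."""
    out: list[Finding] = []
    lines, i, key = log.splitlines(), 0, ""
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if m := O2_RE.match(line):
            name, path = m.group("name"), m.group("path")
            if name == "(no name)" or GUID_RE.match(name):  # real BHOs carry a display name
                sev = "high" if _dirname(path) == SYSTEM32 else "medium"
                out.append(Finding(sev, "bho-unnamed", _stem(path), line))
        elif m := O4_RE.match(line):
            pm = FIRST_PATH_RE.match(m.group("cmd"))
            path = pm.group("path") if pm else m.group("cmd").strip('"')
            if (m.group("hive").upper().startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT"))
                    and m.group("label") not in KNOWN_BENIGN_LABELS):
                out.append(Finding("medium", "run-system-hive", _stem(path), line))
            if "?" in path:  # HijackThis prints non-printable path characters as "?"
                out.append(Finding("high", "run-nonprintable-path", _stem(path), line))
            if path.rsplit("\\", 1)[-1].lower() in BORROWED_NAMES and _dirname(path) != SYSTEM32:
                out.append(Finding("high", "run-borrowed-name", _stem(path), line))
        elif m := O20_RE.match(line):
            if m.group("kind") == "AppInit_DLLs":  # mapped into every process that loads user32.dll
                for dll in filter(None, re.split(r"[,\s]+", m.group("rest"))):
                    out.append(Finding("high", "appinit-dll", _stem(dll), line))
            else:  # HijackThis lists only non-default Winlogon Notify packages
                out.append(Finding("high", "winlogon-notify", _stem(m.group("rest").split(" - ")[-1]), line))
        elif line.startswith("["):  # RSIT registry dump section header
            key = line.strip("[]").lower()
        elif key.endswith("\\control\\lsa") and line.lower().startswith('"authentication packages"='):
            pkgs = [line.split("=", 1)[1].strip()]
            while i < len(lines) and lines[i].strip() and not lines[i].startswith(("[", '"')):
                pkgs.append(lines[i].strip())  # multi-string values continue on following lines
                i += 1
            for p in pkgs:
                if _stem(p) not in DEFAULT_AUTH_PACKAGES:  # loaded by lsass.exe, sees every logon
                    out.append(Finding("high", "lsa-auth-package", _stem(p), f"{line} {p}"))
        elif key.endswith("\\control\\securityproviders") and line.lower().startswith('"securityproviders"='):
            for prov in (p.strip().lower() for p in line.split("=", 1)[1].split(",")):
                if prov and prov not in DEFAULT_SECURITY_PROVIDERS:  # also loaded into lsass.exe
                    out.append(Finding("high", "security-provider", _stem(prov), line))
    return out

def cross_reference(findings: list[Finding]) -> dict[str, set[str]]:
    """Files hooked at more than one persistence location; these are the ones to pull first."""
    where: dict[str, set[str]] = {}
    for f in findings:
        where.setdefault(f.file, set()).add(f.rule.split("-")[0])
    return {name: locs for name, locs in where.items() if len(locs) > 1}
```

Cross-referencing by file name rather than by CLSID is deliberate: a BHO can be re-registered under a new CLSID while the DLL on disk stays the same. The script only reads the pasted text; it does not touch the registry, so every removal is still a decision for whoever is working the thread.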


#2 cardinals5883 (Topic Starter, Members, 30 posts)

Posted 02 December 2008 - 07:19 AM

I ran SpyBot and some things were removed but I am still having problems. Here is my new log.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Brian at 2008-12-02 07:10:14
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 26 GB (66%) free of 39 GB
Total RAM: 223 MB (17% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:30 AM, on 12/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Brian\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Brian.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: {5d497741-884e-3798-c744-11a29577a021} - {120a7759-2a11-447c-8973-e488147794d5} - C:\WINDOWS\system32\pvchsm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {90041DCF-7171-4AB0-855A-0E07D2A4BC6D} - C:\WINDOWS\system32\pmnlmnMe.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\qoMedecc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Test] "C:\WINDOWS\ECURIT~1\wuauclt.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ooqag] C:\WINDOWS\system32\safhfh.exe reg_run (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [kmff] C:\PROGRA~1\COMMON~1\kmff\kmffm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Rygtml] C:\Documents and Settings\LocalService\Application Data\?icrosoft.NET\?hkdsk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Test] "C:\WINDOWS\ECURIT~1\wuauclt.exe" -vt yazr (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225851144712
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O20 - AppInit_DLLs: pvchsm.dll
O20 - Winlogon Notify: qoMedecc - C:\WINDOWS\SYSTEM32\qoMedecc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8952 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Brian.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{120a7759-2a11-447c-8973-e488147794d5}]
C:\WINDOWS\system32\pvchsm.dll [2008-12-01 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-08-14 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90041DCF-7171-4AB0-855A-0E07D2A4BC6D}]
C:\WINDOWS\system32\pmnlmnMe.dll [2008-11-30 318464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}]
C:\WINDOWS\system32\qoMedecc.dll [2008-11-30 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2006-02-14 1191424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2006-02-14 1191424]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LXSUPMON"=C:\WINDOWS\system32\LXSUPMON.EXE [2002-01-28 885760]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2006-09-25 229952]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-12-21 185896]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [2004-08-25 3321344]
"AIM"=C:\Program Files\AIM\aim.exe [2005-06-02 67160]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="pvchsm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMedecc]
C:\WINDOWS\system32\qoMedecc.dll [2008-11-30 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINDOWS\system32\wzcdlg.dll [2004-08-04 378368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll [2006-06-16 73728]
"{A63E645F-13BD-45ED-B15F-6E8C1BD57279}"=C:\WINDOWS\system32\qoMedecc.dll [2008-11-30 25600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\pmnlmnMe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\myTunes Redux\mDNSResponder.exe"="C:\Program Files\myTunes Redux\mDNSResponder.exe:*:Disabled:mDNSResponder"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\Program Files\Common Files\AOL\1133205346\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1133205346\ee\aim6.exe:*:Disabled:AIM"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1133205346\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1133205346\ee\aolsoftware.exe:*:Disabled:AOL Services"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes"
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"="C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Disabled:Microsoft Office Word"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Firefly Studios\Stronghold Crusader\Stronghold Crusader.exe"="C:\Program Files\Firefly Studios\Stronghold Crusader\Stronghold Crusader.exe:*:Disabled:Stronghold Crusader"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-02 00:11:44 ----ASH---- C:\WINDOWS\system32\eMnmlnmp.ini2
2008-12-02 00:09:47 ----A---- C:\WINDOWS\wininit.ini
2008-12-01 23:24:36 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-12-01 23:24:36 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-12-01 23:24:36 ----D---- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-01 23:24:36 ----D---- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2008-12-01 23:02:04 ----D---- C:\Program Files\trend micro
2008-12-01 23:02:00 ----D---- C:\rsit
2008-12-01 21:25:33 ----A---- C:\WINDOWS\system32\pvchsm.dll
2008-12-01 21:25:31 ----A---- C:\WINDOWS\system32\usljupwo.dll
2008-12-01 18:09:19 ----A---- C:\WINDOWS\system32\mlrkbtux.dll
2008-11-30 21:34:24 ----A---- C:\WINDOWS\system32\nsiudi.dll
2008-11-30 21:34:19 ----A---- C:\WINDOWS\system32\lybekdak.dll
2008-11-30 21:33:30 ----A---- C:\WINDOWS\system32\bfa88775-.txt
2008-11-30 21:25:57 ----ASH---- C:\WINDOWS\system32\eMnmlnmp.ini
2008-11-30 21:25:35 ----A---- C:\WINDOWS\system32\pmnlmnMe.dll
2008-11-30 21:20:00 ----A---- C:\WINDOWS\system32\jkkhfghF.dll
2008-11-30 21:19:57 ----A---- C:\WINDOWS\system32\qoMedecc.dll
2008-11-30 21:19:24 ----A---- C:\WINDOWS\system32\digeste.dll
2008-11-04 21:53:26 ----SHDC---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-11-04 21:52:17 ----D---- C:\Program Files\Windows Live
2008-11-04 21:51:46 ----D---- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-11-04 21:13:22 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-11-04 21:13:22 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-11-04 21:13:21 ----A---- C:\WINDOWS\system32\wuapi.dll.mui

======List of files/folders modified in the last 1 months======

2008-12-02 07:07:07 ----D---- C:\WINDOWS\temp
2008-12-02 07:06:57 ----D---- C:\WINDOWS\Prefetch
2008-12-02 07:05:51 ----D---- C:\WINDOWS\system32
2008-12-02 00:13:40 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-02 00:11:54 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 00:09:52 ----AD---- C:\Program Files
2008-12-02 00:09:47 ----D---- C:\WINDOWS
2008-12-01 23:31:01 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-01 22:57:01 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-01 19:10:20 ----D---- C:\Program Files\Mozilla Firefox
2008-12-01 19:03:44 ----SD---- C:\WINDOWS\Tasks
2008-12-01 19:02:20 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-27 00:08:34 ----SD---- C:\Documents and Settings\Brian\Application Data\Microsoft
2008-11-05 07:05:44 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-04 21:53:26 ----D---- C:\Program Files\Common Files
2008-11-04 21:53:16 ----SHD---- C:\WINDOWS\Installer
2008-11-04 21:44:51 ----D---- C:\WINDOWS\SoftwareDistribution
2008-11-04 21:36:41 ----HD---- C:\WINDOWS\inf
2008-11-04 21:13:26 ----D---- C:\WINDOWS\Help
2008-11-04 21:12:38 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-03 21:34:05 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-04 37376]
R1 ewido anti-spyware 4.0 driver;ewido anti-spyware 4.0 driver; \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-01-21 267384]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-11-23 17801]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 BCM43XX;Linksys Wireless-G PCI Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-12-22 369024]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-07-14 14448]
R3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2003-12-12 652689]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060510.019\NAVENG.Sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060510.019\NavEx15.Sys []
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 S3Psddr;S3Psddr; C:\WINDOWS\system32\DRIVERS\s3gnbm.sys [2004-03-02 167040]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2005-04-08 179968]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
S3 S3SavageNB;S3SavageNB; C:\WINDOWS\system32\DRIVERS\s3gnbm.sys [2004-03-02 167040]
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-01-21 26424]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 mchInjDrv;mchInjDrv; \??\C:\DOCUME~1\Brian\LOCALS~1\Temp\mc27.tmp []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-12-22 255600]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-12-22 235120]
R2 ewido anti-spyware 4.0 guard;ewido anti-spyware 4.0 guard; C:\Program Files\ewido anti-spyware 4.0\guard.exe [2006-06-16 172032]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2002-02-14 299008]
R2 navapsvc;Norton AntiVirus Auto Protect Service; C:\Program Files\Norton AntiVirus\navapsvc.exe [2003-11-24 158664]
R2 SAVScan;SAVScan; C:\Program Files\Norton AntiVirus\SAVScan.exe [2005-01-25 194272]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2005-11-26 585728]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-09-25 451136]
S2 SBService;ScriptBlocking Service; C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe [2003-06-24 66784]
S2 WMP54GSSVC;WMP54GSSVC; C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-12-22 87664]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-01-21 206552]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

#3 PropagandaPanda



  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:49 PM

Posted 08 December 2008 - 12:57 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!: Please do not select the Show all checkbox during the scan.

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#4 cardinals5883

  • Topic Starter

  • Members
  • 30 posts
  • Local time:09:49 PM

Posted 08 December 2008 - 06:46 PM

Thank you for the help Panda. I followed all of your instructions and did not encounter any problems. No changes that I know of have been made to my computer since I started this topic. The OTScanIt log is attached and here is the GMER log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-08 18:31:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT FFB349A0 ZwConnectPort
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess [0xFA5C78AC]
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess [0xFA5C7812]

---- Kernel code sections - GMER 1.0.14 ----

? C:\DOCUME~1\Brian\LOCALS~1\Temp\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Norton AntiVirus\navapsvc.exe[136] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[136] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[136] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[136] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe[188] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe[188] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe[188] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe[188] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe[268] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe[268] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe[268] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe[268] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[364] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[364] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[364] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[364] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\csrss.exe[644] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[644] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[644] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[644] KERNEL32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[668] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[668] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[668] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[668] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[712] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Norton AntiVirus\SAVScan.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Norton AntiVirus\SAVScan.exe[1144] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Norton AntiVirus\SAVScan.exe[1144] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton AntiVirus\SAVScan.exe[1144] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1396] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1396] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1396] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1396] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1420] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1420] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1420] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1420] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[1708] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[1708] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[1708] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[1708] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1736] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1736] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1736] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1736] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[1744] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[1744] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[1744] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[1744] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[1764] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[1764] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[1764] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[1764] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wscntfy.exe[1816] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[1816] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[1816] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1952] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1952] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1952] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1952] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\ewido anti-spyware 4.0\guard.exe[1960] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\ewido anti-spyware 4.0\guard.exe[1960] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\ewido anti-spyware 4.0\guard.exe[1960] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\ewido anti-spyware 4.0\guard.exe[1960] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[2016] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wdfmgr.exe[2016] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[2016] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wdfmgr.exe[2016] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\LXSUPMON.EXE[2108] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\LXSUPMON.EXE[2108] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\LXSUPMON.EXE[2108] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\LXSUPMON.EXE[2108] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Brian\Desktop\gmer\gmer.exe[2316] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\Brian\Desktop\gmer\gmer.exe[2316] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Brian\Desktop\gmer\gmer.exe[2316] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Brian\Desktop\gmer\gmer.exe[2316] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Documents and Settings\Brian\Desktop\gmer\gmer.exe[2316] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2464] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2464] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2464] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2464] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2508] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2508] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2508] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2508] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\AIM\aim.exe[3088] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\AIM\aim.exe[3088] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\AIM\aim.exe[3088] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\AIM\aim.exe[3088] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[3604] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iPod\bin\iPodService.exe[3604] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[3604] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\iPod\bin\iPodService.exe[3604] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3648] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3648] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3648] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3648] kernel32.dll!WinExec 7C86114D 6 Bytes JMP 5F0D0F5A

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\user32.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\advapi32.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)
IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2824] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [00427F50] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper/Webroot Software, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.14 ----


#5 PropagandaPanda
Malware Response Team

Posted 08 December 2008 - 08:32 PM

Hello cardinals.

Ewido is outdated and is now part of AVG. Please uninstall that program as it will not provide effective protection anymore.

By the way, is your Norton program subscription still active?

I see that you have TClock on your computer. This program is "Distributed and installed without user permission by other rogue software or malware. TClock contains no uninstall facility through Windows. As TClock is of dubious origin and usefulness". Therefore, we will remove it.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus.
  • Right click on the Norton icon beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now look different.

To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take effect.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
    YN -> HKEY_USERS\S-1-5-18\: URLSearchHooks\\"{212C0749-CA83-CF27-A168-991C83ECE7BE}" [HKLM] -> %SystemRoot%\system32\edpuddag.dll [Reg Error: Value  does not exist or could not be read.]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {032FB204-4344-4E0A-93E8-9076EDF1E217} [HKLM] -> %SystemRoot%\system32\pmnlmnMe.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {58355581-56b3-449c-a0d5-be4f9396316d} [HKLM] -> %SystemRoot%\system32\fxangh.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {58F801A2-8DFB-4C69-8DDB-9110C9E3F997} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {6C91115C-8589-4FFE-8BCB-4C9595901EEE} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {A63E645F-13BD-45ED-B15F-6E8C1BD57279} [HKLM] -> %SystemRoot%\system32\qoMedecc.dll [Reg Error: Value  does not exist or could not be read.]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "AIM" -> %ProgramFiles%\AIM\aim.exe -cnetwait.odl [C:\Program Files\AIM\aim.exe -cnetwait.odl]
    < Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "kmff" -> %SystemDrive%\PROGRA~1\COMMON~1\kmff\kmffm.exe [C:\PROGRA~1\COMMON~1\kmff\kmffm.exe]
    YN -> "ooqag" -> %SystemRoot%\system32\safhfh.exe [C:\WINDOWS\system32\safhfh.exe reg_run]
    YN -> "Rygtml" -> %SystemDrive%\Documents and Settings\LocalService\Application Data\Мicrosoft.NET\сhkdsk.exe [C:\Documents and Settings\LocalService\Application Data\Мicrosoft.NET\сhkdsk.exe]
    YN -> "sys_up1" -> %CommonProgramFiles%\svchostsys\svchostsys.exe [C:\Program Files\Common Files\svchostsys\svchostsys.exe]
    YN -> "TClock.exe" -> %ProgramFiles%\TClock\tclock_install.exe [C:\Program Files\TClock\tclock_install.exe]
    YN -> "Test" -> %SystemRoot%\ECURIT~1\wuauclt.exe ["C:\WINDOWS\ECURIT~1\wuauclt.exe" -vt yazr]
    < Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "kmff" -> %SystemDrive%\PROGRA~1\COMMON~1\kmff\kmffm.exe [C:\PROGRA~1\COMMON~1\kmff\kmffm.exe]
    YN -> "ooqag" -> %SystemRoot%\system32\safhfh.exe [C:\WINDOWS\system32\safhfh.exe reg_run]
    YN -> "Rygtml" -> %SystemDrive%\Documents and Settings\LocalService\Application Data\Мicrosoft.NET\сhkdsk.exe [C:\Documents and Settings\LocalService\Application Data\Мicrosoft.NET\сhkdsk.exe]
    YN -> "sys_up1" -> %CommonProgramFiles%\svchostsys\svchostsys.exe [C:\Program Files\Common Files\svchostsys\svchostsys.exe]
    YN -> "TClock.exe" -> %ProgramFiles%\TClock\tclock_install.exe [C:\Program Files\TClock\tclock_install.exe]
    YN -> "Test" -> %SystemRoot%\ECURIT~1\wuauclt.exe ["C:\WINDOWS\ECURIT~1\wuauclt.exe" -vt yazr]
    < Run [HKEY_USERS\S-1-5-21-1645522239-1993962763-1801674531-1004\] > -> HKEY_USERS\S-1-5-21-1645522239-1993962763-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "AIM" -> %ProgramFiles%\AIM\aim.exe -cnetwait.odl [C:\Program Files\AIM\aim.exe -cnetwait.odl]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YN -> fxangh.dll -> %SystemRoot%\system32\fxangh.dll
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YN -> qoMedecc -> %SystemRoot%\system32\qoMedecc.dll
    YN -> wzcnotif -> %SystemRoot%\system32\wzcdlg.dll
    < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    YN -> "{A63E645F-13BD-45ED-B15F-6E8C1BD57279}" [HKLM] -> %SystemRoot%\system32\qoMedecc.dll []
    < SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    *SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    YN ->  digeste.dll -> %SystemRoot%\system32\digeste.dll
    < SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YN -> C:\WINDOWS\system32\pmnlmnMe -> %SystemRoot%\system32\pmnlmnMe.dll
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    [Files/Folders - Created Within 30 Days]
    NY -> qahyglba.ini -> %SystemRoot%\System32\qahyglba.ini
    NY -> ablgyhaq.dll -> %SystemRoot%\System32\ablgyhaq.dll
    NY -> fxangh.dll -> %SystemRoot%\System32\fxangh.dll
    NY -> tetuwxxq.dll -> %SystemRoot%\System32\tetuwxxq.dll
    NY -> bshrdd.dll -> %SystemRoot%\System32\bshrdd.dll
    NY -> fpgctcvm.dll -> %SystemRoot%\System32\fpgctcvm.dll
    NY -> orlopwnd.ini -> %SystemRoot%\System32\orlopwnd.ini
    NY -> dnwpolro.dll -> %SystemRoot%\System32\dnwpolro.dll
    NY -> Antivirus 2009 -> %ProgramFiles%\Antivirus 2009
    NY -> jcweqd.dll -> %SystemRoot%\System32\jcweqd.dll
    NY -> fisjjhud.dll -> %SystemRoot%\System32\fisjjhud.dll
    NY -> gtwwumgb.ini -> %SystemRoot%\System32\gtwwumgb.ini
    NY -> bgmuwwtg.dll -> %SystemRoot%\System32\bgmuwwtg.dll
    NY -> eMnmlnmp.ini2 -> %SystemRoot%\System32\eMnmlnmp.ini2
    NY -> pvchsm.dll -> %SystemRoot%\System32\pvchsm.dll
    NY -> usljupwo.dll -> %SystemRoot%\System32\usljupwo.dll
    NY -> mlrkbtux.dll -> %SystemRoot%\System32\mlrkbtux.dll
    NY -> nsiudi.dll -> %SystemRoot%\System32\nsiudi.dll
    NY -> lybekdak.dll -> %SystemRoot%\System32\lybekdak.dll
    NY -> eMnmlnmp.ini -> %SystemRoot%\System32\eMnmlnmp.ini
    NY -> pmnlmnMe.dll -> %SystemRoot%\System32\pmnlmnMe.dll
    NY -> jkkhfghF.dll -> %SystemRoot%\System32\jkkhfghF.dll
    NY -> qoMedecc.dll -> %SystemRoot%\System32\qoMedecc.dll
    NY -> digeste.dll -> %SystemRoot%\System32\digeste.dll
    [Custom Items]
    :files
    %ProgramFiles%\TClock\
    :end
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Re-enable your protection at this time.
Please post back with:
-the OTScanIt fix log
-the MalwareBytes log
-a new OTScanIt scan log (leave settings the way they are when you open the program, log attached)

How is it running after?

With Regards,
The Panda
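Added example, not from the thread or from OTScanIt: a small Python triage over constructed entries shaped like the Run-key lines in the fix above. It flags the two tricks visible there, the Cyrillic letters in the "Мicrosoft.NET\сhkdsk.exe" path and Windows system-binary names (wuauclt.exe, chkdsk.exe) running from non-system folders, plus names that merely mimic a system binary (svchostsys.exe). The binary list, expected directories and confusable-letter table are my assumptions.

```python
"""Triage autorun entries from an OTScanIt-style 'Run' listing.

Added example, not part of the thread or of OTScanIt. The sample lines are
constructed to match the fix script above; the system-binary list, expected
directories and confusable-letter table are assumptions for illustration.
"""
import ntpath
import re
import unicodedata

# Windows binaries that should only ever run from these directories (assumed).
SYSTEM_BINARIES = {"wuauclt.exe", "chkdsk.exe", "svchost.exe", "lsass.exe",
                   "csrss.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Cyrillic letters that render like Latin ones; used to "un-spoof" a path
# before comparing it with the expected location.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u041c": "M", "\u041d": "H", "\u041a": "K",
    "\u0412": "B", "\u0422": "T", "\u0410": "A", "\u0415": "E", "\u041e": "O",
})

ENTRY_RE = re.compile(r'^YN -> "(?P<name>[^"]+)" -> (?P<value>.*?) \[(?P<raw>.*)\]$')
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

# Constructed sample, shaped like the HKEY_USERS\.DEFAULT Run section above.
# The "Rygtml" path reproduces the page's trick: U+041C (Cyrillic EM) in
# place of M and U+0441 (Cyrillic ES) in place of c.
SAMPLE_LISTING = "\n".join([
    r'YN -> "AIM" -> %ProgramFiles%\AIM\aim.exe -cnetwait.odl [C:\Program Files\AIM\aim.exe -cnetwait.odl]',
    r'YN -> "ooqag" -> %SystemRoot%\system32\safhfh.exe [C:\WINDOWS\system32\safhfh.exe reg_run]',
    'YN -> "Rygtml" -> %SystemDrive%\\Documents and Settings\\LocalService\\Application Data'
    '\\\u041cicrosoft.NET\\\u0441hkdsk.exe [C:\\Documents and Settings\\LocalService'
    '\\Application Data\\\u041cicrosoft.NET\\\u0441hkdsk.exe]',
    r'YN -> "sys_up1" -> %CommonProgramFiles%\svchostsys\svchostsys.exe [C:\Program Files\Common Files\svchostsys\svchostsys.exe]',
    r'YN -> "Test" -> %SystemRoot%\ECURIT~1\wuauclt.exe ["C:\WINDOWS\ECURIT~1\wuauclt.exe" -vt yazr]',
])


def executable_from_raw(raw):
    """Strip quoting and command-line arguments, keeping only the .exe path."""
    m = EXE_RE.match(raw.strip())
    return m.group("exe") if m else raw.strip()


def findings_for_path(path):
    """Return human-readable findings for one executable path ([] if clean)."""
    out = []
    foreign = sorted({c for c in path if ord(c) > 127})
    if foreign:
        names = ", ".join(f"{c!r} ({unicodedata.name(c, 'UNKNOWN')})" for c in foreign)
        out.append(f"non-ASCII characters in path: {names}")
    # Compare the un-spoofed name against where that binary should live.
    directory, base = ntpath.split(path.translate(CONFUSABLES))
    base_l, dir_l = base.lower(), directory.lower()
    if base_l in SYSTEM_BINARIES and dir_l not in SYSTEM_DIRS:
        out.append(f"system binary name {base} outside {', '.join(sorted(SYSTEM_DIRS))}")
    stem = base_l[:-4] if base_l.endswith(".exe") else base_l
    for sysbin in sorted(SYSTEM_BINARIES):
        sysstem = sysbin[:-4]
        if stem != sysstem and stem.startswith(sysstem):
            out.append(f"name {base} mimics {sysbin}")
    return out


def triage_entries(listing):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    report = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        hits = findings_for_path(executable_from_raw(m.group("raw")))
        if hits:
            report[m.group("name")] = hits
    return report


if __name__ == "__main__":
    for name, hits in triage_entries(SAMPLE_LISTING).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```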

#6 cardinals5883 (Topic Starter)

Posted 09 December 2008 - 01:49 AM

Panda, I completed all of the steps up until the FixIt. I copied and pasted the fix and clicked Run Fix. The window of my topic was still open and I see in your instructions that all windows besides OTScanIt were supposed to be closed. My computer crashed and now Windows will not load. It gets to the blue screen with the Windows XP logo and does not advance past that screen. What do I do now?

#7 PropagandaPanda
Malware Response Team

Posted 09 December 2008 - 02:12 AM

Hello cardinals.

Are you able to boot into Safe Mode?

How to Boot into Safe Mode
Print out all instructions to be carried out in Safe Mode, or save them onto your desktop, as you will not be able to access the forum where you are receiving help.

If you are unfamiliar with the boot process, please jot down the boot instructions.
  • Shutdown your computer.
  • Press the power on button.
  • Wait for your computer to beep.
  • After hearing the beep, hit the F8 key repeatedly until you see a selection screen.
  • Use your arrow keys to navigate the highlight to Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP, if the highlight was not already on it.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.
--
Please do not attempt to restore anything yet.
--
Do you have your Windows XP disk? We can use the recovery console there to restore from the ERUNT backup.

Otherwise, do you have a CD burner and a blank CD?

Very sorry for this to have occurred.

With Regards,
The Panda

Edited by PropagandaPanda, 09 December 2008 - 02:17 AM.


#8 cardinals5883 (Topic Starter)

Posted 09 December 2008 - 06:32 PM

Safe mode did not work either. It went through a black and white screen of codes and then got stuck on the same blue Windows XP screen as before. Anything else to try?

#9 PropagandaPanda
Malware Response Team

Posted 10 December 2008 - 02:15 AM

Hello.

Do you have your Windows XP disk, or a blank CD and CD burner?

The Panda

#10 cardinals5883 (Topic Starter)

Posted 10 December 2008 - 08:08 AM

I'm not sure if I have my Windows XP disk but yes I do have a blank CD and a CD burner.

#11 PropagandaPanda
Malware Response Team

Posted 10 December 2008 - 09:54 PM

Hello.

Please give me some time to decide how to proceed. We do have a backup of the registry. Everything that OTScanIt deletes is backed up as well, so there is a chance of recovery.

With Regards,
The Panda

#12 PropagandaPanda
Malware Response Team

Posted 11 December 2008 - 05:35 AM

Hello.

Please open to the boot selection menu. Select Last known good configuration.

See if this gets the machine booting again.

If so, take a new OTScanIt log.

If not, we'll try something else.

With Regards,
The Panda

#13 cardinals5883 (Topic Starter)

Posted 12 December 2008 - 05:27 PM

Last known good configuration didn't work either. It froze on the same screen as before.

#14 PropagandaPanda
Malware Response Team

Posted 12 December 2008 - 10:50 PM

Using Knoppix to Restore Unbootable Machine
Allow me to stress that, before we begin this, ask if you have doubts about any step.

We will be using Knoppix, a bootable disk. From it, we can access your hard drive and do repairs.

From a working computer download and install IMGBurn.

Download Knoppix 5.1.1 to your desktop.

Open IMGBurn via the newly created icon on your desktop, or by pointing to Start->All Programs->ImgBurn->ImgBurn
Push the large "Write image file to disk" button.
Right under "Source" and next to "Please select a file" push the file-browse button.
Browse to and select the Knoppix image file on your desktop.

Place a blank CD-R into your clean system's CD Burner, and press the large button that looks like a page going into a CD in the bottom left of IMGBurn.

Now place this CD into the non-bootable system. Configure the system to boot from CD. You can usually do this by pressing F10, F11, or F12 (try all of them if unsure) to bring up configuration options, and select CDRom as your boot device. Some machines will automatically attempt to boot from the CD if one is inserted.

When you see the Knoppix boot screen, press Enter, and wait for Knoppix to boot.
On Knoppix' desktop, you should see an icon for your hard disk.

Right click the drive, and select "Change Read\Write Mode". Press "Yes" at the prompt.


Then click the hard disk icon on your desktop.
Now double click _OTScanIt -> MovedFiles -> ****(DATE)***TIME -> C_Windows -> system32
Next go to Edit -> Selection -> Select all.
Next Edit -> Cut.
Now go back to the desktop (Just drag this open window out of the way)
and click on the hard disk icon again.
Now click on WINDOWS -> system32
Now go to Edit -> Paste XX files
(Where XX is some number)
Wait for the files to be copied back.
If prompted, press the "Overwrite All" button.
---
Now we will need to restore your registry files.

Navigate through the folders like you did before.

First we will backup the current registry files.
Rename C:\WINDOWS\System32\CONFIG\SECURITY TO SECURITY.bak
Rename C:\WINDOWS\System32\CONFIG\SOFTWARE TO SOFTWARE.bak
Rename C:\WINDOWS\System32\CONFIG\SYSTEM TO SYSTEM.bak
Rename C:\WINDOWS\System32\CONFIG\DEFAULT TO DEFAULT.bak
Rename C:\WINDOWS\System32\CONFIG\SAM TO SAM.bak
---
Now we will replace them with the backups ERUNT created.

**Date**, choose the most current date.

Copy C:\WINDOWS\ERDNT\**DATE**\SECURITY INTO C:\WINDOWS\System32\CONFIG\
Copy C:\WINDOWS\ERDNT\**DATE**\SOFTWARE INTO C:\WINDOWS\System32\CONFIG\
Copy C:\WINDOWS\ERDNT\**DATE**\SYSTEM INTO C:\WINDOWS\System32\CONFIG\
Copy C:\WINDOWS\ERDNT\**DATE**\DEFAULT INTO C:\WINDOWS\System32\CONFIG\
Copy C:\WINDOWS\ERDNT\**DATE**\SAM INTO C:\WINDOWS\System32\CONFIG\

--
Once the files are done moving, press the large K button in the lower left corner of the screen, and select Log Out...
Then press "Turn off computer".

Now remove the Knoppix disk from your CD drive when asked, and turn your system back on. Tell me if you can now boot normally. If so, you will probably receive a lot of errors, which we will try to fix later.

With Regards,
The Panda
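The rename-and-copy part of the procedure above, as an added Python example that is not from the thread or from ERUNT: it picks the most recent ERDNT backup folder, checks that every hive is present in the backup and that no earlier .bak file would be overwritten before it touches anything, then renames the live hives and copies the backups in. It assumes the ERDNT folder layout the post describes (hives directly under ERDNT\DATE); the demo tree, folder names and hive contents are constructed placeholders.

```python
"""Restore Windows XP registry hives from an ERUNT backup folder.

Added example, not part of the thread or of ERUNT. It performs the
rename-and-copy steps of the Knoppix post above on a mounted WINDOWS
folder, but verifies the backup is complete and that no .bak file would
be clobbered before any live hive is touched. The demo tree is
constructed; the ERDNT folder names and hive contents are placeholders.
"""
import os
import shutil
import tempfile
import time

HIVES = ("SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT", "SAM")


def newest_erdnt_backup(windows_dir):
    """Pick the most recent ERDNT\\DATE folder ('choose the most current date')."""
    erdnt = os.path.join(windows_dir, "ERDNT")
    folders = [os.path.join(erdnt, d) for d in os.listdir(erdnt)
               if os.path.isdir(os.path.join(erdnt, d))]
    if not folders:
        raise FileNotFoundError(f"no ERUNT backup folders under {erdnt}")
    # Selected by modification time rather than by parsing the folder name.
    return max(folders, key=os.path.getmtime)


def restore_hives(windows_dir, backup_dir=None):
    """Rename live hives to .bak, then copy the ERUNT copies into CONFIG."""
    config = os.path.join(windows_dir, "System32", "CONFIG")
    backup_dir = backup_dir or newest_erdnt_backup(windows_dir)
    # Preflight: abort before any rename if the backup is incomplete or a
    # previous attempt already left .bak files behind.
    for hive in HIVES:
        if not os.path.isfile(os.path.join(backup_dir, hive)):
            raise FileNotFoundError(f"{hive} missing from {backup_dir}")
        if os.path.exists(os.path.join(config, hive + ".bak")):
            raise FileExistsError(f"{hive}.bak already present in {config}")
    restored = {}
    for hive in HIVES:
        live = os.path.join(config, hive)
        if os.path.exists(live):
            os.rename(live, live + ".bak")      # keep the current hive as .bak
        shutil.copy2(os.path.join(backup_dir, hive), live)
        restored[hive] = os.path.join(backup_dir, hive)
    return restored


def build_demo_tree(root):
    """Constructed stand-in for C:\\WINDOWS with two ERUNT backups of different age."""
    windows_dir = os.path.join(root, "WINDOWS")
    config = os.path.join(windows_dir, "System32", "CONFIG")
    os.makedirs(config)
    for hive in HIVES:
        with open(os.path.join(config, hive), "w") as fh:
            fh.write(f"current {hive}")
    now = time.time()
    for name, age in (("older", 2 * 86400), ("newer", 0)):   # placeholder names
        folder = os.path.join(windows_dir, "ERDNT", name)
        os.makedirs(folder)
        for hive in HIVES:
            with open(os.path.join(folder, hive), "w") as fh:
                fh.write(f"{name} {hive}")
        os.utime(folder, (now - age, now - age))
    return windows_dir


def demo():
    """Run the restore on the constructed tree and report what happened."""
    windows_dir = build_demo_tree(tempfile.mkdtemp(prefix="erunt-demo-"))
    restored = restore_hives(windows_dir)
    config = os.path.join(windows_dir, "System32", "CONFIG")
    with open(os.path.join(config, "SYSTEM")) as fh:
        live_system = fh.read()
    with open(os.path.join(config, "SYSTEM.bak")) as fh:
        saved_system = fh.read()
    return {
        "backup_used": os.path.basename(os.path.dirname(restored["SAM"])),
        "live_system": live_system,
        "saved_system": saved_system,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```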

#15 cardinals5883 (Topic Starter)

Posted 15 December 2008 - 07:57 PM

Panda,

I got Knoppix to load from my computer, but when I right clicked the Hard Disk icon and chose "Change Read/Write Mode", I got a message saying "/dev/hda1 is not mounted. Please mount the partition prior to changing its read/write status."

When I tried again, I got a message saying:

could not mount device
The reported error was:
fusermount is not empty
fusermount: if you are sure this is safe, use the 'nonempty' mount option
Failed to create FUSE mount point: no such file or directory
Retry to create FU\use mount point
FATAl: module fuse not foud



