
Hijackthis Log Would Some One Help Me Diagnose

2 replies to this topic

#1 ddamstedt


  • Members
  • 3 posts

Posted 16 March 2007 - 09:02 PM

If somebody could help me diagnose my hijackthis log I would be very grateful!

Logfile of HijackThis v1.99.1
Scan saved at 6:46:34 PM, on 3/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eSnips\ClientGW.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\COMMON~1\RACLE~1\wucrtupd.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Darrell A. Damstedt\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\ssmyst.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\moypitgx.dll",setvm
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\DARREL~1.DAM\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\RACLE~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Hgzsd] "C:\Documents and Settings\Darrell A. Damstedt\My Documents\?ystem32\??chost.exe" 99001275
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Snip to my eSnips account - C:\Program Files\eSnips\res\SnipIt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149471306031
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\mslse.dll dxclib303562752.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 17 March 2007 - 06:21 AM

Welcome to the BleepingComputer HijackThis forum ddamstedt :thumbsup:

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply, along with a new Hijackthis log please.
Note:
Do not mouse-click combofix's window whilst it's running.
That may cause the program to freeze/hang.


#3 ddamstedt

  • Topic Starter

  • Members
  • 3 posts

Posted 18 March 2007 - 08:05 PM

OK. Here is the ComboFix log:

"Darrell A. Damstedt" - 07-03-18 16:41:36 Service Pack 1
ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Darrell A. Damstedt\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\1011_emi03.exe
C:\DOCUME~1\DARREL~1.DAM\APPLIC~1\Dxccwrd.dll
C:\DOCUME~1\DARREL~1.DAM\APPLIC~1\Dxcknwrd.dll
C:\Program Files\OIN Search\OINSearch.dll
C:\Program Files\OIN Search\Uninstall.exe
C:\Program Files\Outerinfo\OiUninstaller.exe
C:\Program Files\Outerinfo\outerinfo.ico
C:\Program Files\Outerinfo\Terms.rtf
C:\DOCUME~1\DARREL~1.DAM\Desktop\Internet.lnk
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\system32\adrotate.dll
C:\WINDOWS\system32\ipv6monl.dll
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wtscc.exe
C:\WINDOWS\system32\wtssvcc.exe
C:\Windows\System32\explorer.exe
C:\WINDOWS\REGEDIT.com
C:\Program Files\Common Files\{24BA0~1
C:\Program Files\Common Files\{34BA0~1
C:\Program Files\OIN Search
C:\Program Files\Outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\APPLIC~1
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\MYDOCU~1
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\APPLIC~1\CURITY~1
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\APPLIC~1\MANTEC~1
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\APPLIC~1\PPATCH~1
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\MYDOCU~1\ASEMBL~1
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\MYDOCU~1\from.txt
C:\qoobox\purity\DOCUME~1\DARREL~1.DAM\MYDOCU~1\YSTEM3~1
C:\qoobox\purity\Program Files\ICROSO~1
C:\qoobox\purity\Program Files\WNSXS~1
C:\qoobox\purity\Program Files\Common Files\RACLE~1
C:\qoobox\purity\Program Files\Common Files\RACLE~1\RACLE~1
C:\qoobox\purity\Program Files\Common Files\RACLE~1\wucrtupd.exe
C:\qoobox\purity\WINDOWS\ICROSO~1
C:\qoobox\purity\WINDOWS\ICROSO~1.NET
C:\qoobox\purity\WINDOWS\system32\SSEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-18 to 2007-03-18 ))))))))))))))))))))))))))))))))))


2007-03-18 08:36 132,116 --a------ C:\WINDOWS\system32\rhnexudk.dll
2007-03-17 13:00 116,952 --a------ C:\syszqdq.exe
2007-03-17 08:23 132,116 --a------ C:\WINDOWS\system32\wmiqtmfb.dll
2007-03-16 18:46 1,179,239 ---hs---- C:\WINDOWS\system32\wybeg.ini2
2007-03-16 17:56 <DIR> d-------- C:\DOCUME~1\DARREL~1.DAM\APPLIC~1\Comodo
2007-03-16 17:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-03-16 17:27 75,520 --a------ C:\WINDOWS\system32\drivers\cmdmon.sys
2007-03-16 17:27 51,328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
2007-03-16 17:27 <DIR> d-------- C:\Program Files\Comodo
2007-03-16 08:41 60,416 --a------ C:\WINDOWS\system32\lrtzl.dll
2007-03-15 18:40 <DIR> d-------- C:\DOCUME~1\DARREL~1.DAM\APPLIC~1\PCToolsFirewallPlus
2007-03-15 17:54 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-15 17:03 <DIR> d-------- C:\DOCUME~1\DARREL~1.DAM\.housecall6.6
2007-03-14 10:36 132,116 --a------ C:\WINDOWS\system32\ahdpeodc.dll
2007-03-11 18:39 132,116 --a------ C:\WINDOWS\system32\minqsxut.dll
2007-03-11 17:03 <DIR> d-------- C:\Program Files\RegCure
2007-03-11 16:54 132,116 --a------ C:\WINDOWS\system32\cqylgykq.dll
2007-03-11 10:51 131,604 --a------ C:\WINDOWS\system32\bwaqpxea.dll
2007-03-11 09:22 1,613,449 ---hs---- C:\WINDOWS\system32\xgtipyom.ini2
2007-03-11 09:16 131,604 --a------ C:\WINDOWS\system32\yxyyngri.dll
2007-03-10 09:50 131,604 --a------ C:\WINDOWS\system32\kegpvpsh.dll
2007-03-10 09:50 123,412 --a------ C:\WINDOWS\system32\moypitgx.dll
2007-03-10 09:46 131,604 --a------ C:\WINDOWS\system32\cvrufqkm.dll
2007-03-09 21:10 <DIR> d-------- C:\DOCUME~1\DARREL~1.DAM\APPLIC~1\U3
2007-03-09 08:53 131,604 --a------ C:\WINDOWS\system32\stmiwtgs.dll
2007-03-09 08:38 131,604 --a------ C:\WINDOWS\system32\wdsfcsau.dll
2007-03-04 19:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-03-04 18:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-04 18:22 <DIR> d-------- C:\Program Files\Google
2007-03-04 18:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-03-04 18:13 <DIR> d-------- C:\DOCUME~1\DARREL~1.DAM\APPLIC~1\PC Tools
2007-03-04 18:11 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2007-03-04 18:11 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2007-03-04 18:11 15,360 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2007-03-04 18:11 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-03-04 18:11 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2007-03-04 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-03-04 18:09 134,144 --a------ C:\WINDOWS\R.COM
2007-03-04 18:09 128,512 --a------ C:\WINDOWS\system32\T.COM
2007-03-02 18:21 <DIR> d-------- C:\WINDOWS\Ódobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-18 16:45 1179136 ---hs---- C:\WINDOWS\system32\wybeg.bak1
2007-03-18 16:45 1178889 ---hs---- C:\WINDOWS\system32\wybeg.bak2
2007-03-18 16:42 10614 --a------ C:\WINDOWS\system32\lprheyp.dat
2007-03-18 16:41 3401 --a------ C:\WINDOWS\system32\sensyfgz.dat
2007-03-18 16:41 32728 --a------ C:\WINDOWS\system32\netuu0l.dat
2007-03-18 16:41 16925 --a------ C:\WINDOWS\system32\kbdheqty.dat
2007-03-18 16:41 0 --a------ C:\WINDOWS\system32\wowfaxwi.dat
2007-03-18 16:41 0 --a------ C:\WINDOWS\system32\msidntlu.dat
2007-03-18 16:41 0 --a------ C:\WINDOWS\system32\mmcbaso.dat
2007-03-18 16:41 0 --a------ C:\WINDOWS\system32\accwgz.dat
2007-03-17 20:37 -------- d-------- C:\Program Files\udeaudit
2007-03-11 16:57 36864 --a------ C:\WINDOWS\system32\explareer.exe
2007-03-11 16:47 102400 --a------ C:\WINDOWS\system32\explarer.exe
2007-03-04 19:41 1760 --a------ C:\WINDOWS\nsreg.dat
2007-03-04 19:41 -------- d-------- C:\Program Files\Common Files\real
2007-03-01 16:50 -------- d-------- C:\Program Files\compuserve 7.0
2007-02-27 14:27 -------- d-------- C:\Program Files\limewire
2007-02-15 15:56 1 --a------ C:\WINDOWS\system32\wab.dat
2007-02-15 15:56 1 --a------ C:\WINDOWS\system32\ps.dat
2007-02-15 15:54 44544 --a------ C:\WINDOWS\system32\helper.dll
2007-02-15 12:22 32768 --a------ C:\WINDOWS\system32\svchtoost.exe
2007-02-15 12:22 32768 --a------ C:\WINDOWS\notedad.exe
2007-02-14 15:47 -------- d-------- C:\Program Files\skype
2007-02-14 15:45 -------- d-------- C:\Program Files\Common Files\skype
2007-02-12 20:58 -------- d-------- C:\DOCUME~1\DARREL~1.DAM\APPLIC~1\pdf995
2007-02-11 23:04 5406 --a------ C:\WINDOWS\system32\mt_32.dll
2007-02-11 11:33 -------- d-------- C:\Program Files\msn messenger
2007-02-10 08:30 53248 --a------ C:\WINDOWS\system32\ccppc.exe
2007-02-05 15:07 106496 --a------ C:\WINDOWS\system32\mp56.exe
2007-02-05 15:00 32768 --a------ C:\WINDOWS\system32\mp43.exe
2007-01-25 20:20 -------- d-------- C:\Program Files\esnips
2007-01-25 20:20 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-01-24 16:36 297 --a------ C:\WINDOWS\system32\mslse.dat
2007-01-20 20:47 -------- d-------- C:\Program Files\taxcut06
2007-01-20 20:45 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2007-01-20 20:45 118784 --a------ C:\WINDOWS\system32\pdfmona.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"Usrr"="\"C:\\PROGRA~1\\COMMON~1\\RACLE~1\\wucrtupd.exe\" -vt yazr"
"Hgzsd"="\"C:\\Documents and Settings\\Darrell A. Damstedt\\My Documents\\?ystem32\\??chost.exe\" 99001275"
"IESet"="IExplorer.dll .dbt"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"StrgSync.exe"="C:\\Program Files\\StorageSync\\StrgSync.exe -w"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ClientGW"=""
"eSnips"="\"C:\\Program Files\\eSnips\\ClientGW.exe\""
"PCTAVApp"="\"C:\\Program Files\\PC Tools AntiVirus\\PCTAV.exe\" /MONITORSCAN"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"2chkdsk"="rundll32.exe \"C:\\WINDOWS\\System32\\moypitgx.dll\",setvm"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"IESet"="IExplorer.dll .dbt"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"DELDIR0.EXE"="\"C:\\DOCUME~1\\DARREL~1.DAM\\LOCALS~1\\Temp\\DELDIR0.EXE\" \"C:\\Program Files\\McAfee\\McAfee Shared Components\\Guardian\\\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"IESet"="IExplorer.dll .dbt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"item"="Adobe Reader Synchronizer"
"command"="C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AdobeCollabSync.exe "
"location"="Common Startup"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"item"="Google Updater"
"command"="C:\\Program Files\\Google\\Google Updater\\GoogleUpdater.exe -systray -startup"
"location"="Common Startup"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"item"="Microsoft Works Update Detection"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"item"="MSMSGS"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"item"="Skype"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINDOWS\System32\mslse.dll"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"IESet"="IExplorer.dll .dbt"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.long-hair-secrets.com/1979/bkgd.gif

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dgs13n
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyw

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
DELDIR0.EXE = "C:\DOCUME~1\DARREL~1.DAM\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-18 16:46:26

Here is my new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:00:21 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eSnips\ClientGW.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\COMMON~1\RACLE~1\wucrtupd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\moypitgx.dll",setvm
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\DARREL~1.DAM\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\RACLE~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Hgzsd] "C:\Documents and Settings\Darrell A. Damstedt\My Documents\?ystem32\??chost.exe" 99001275
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Snip to my eSnips account - C:\Program Files\eSnips\res\SnipIt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149471306031
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\mslse.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks for your help!!
