Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help!


  • This topic is locked This topic is locked
14 replies to this topic

#1 shariisablonde

shariisablonde

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:08:32 PM

Posted 19 May 2007 - 09:53 PM

Obviously I'm not really experienced with computer infections or viruses..so please help..it's making me nuts!





Logfile of HijackThis v1.99.1
Scan saved at 10:45:20 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\COMPUTER-PXKSRE\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Shari\My Documents\My Music\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Video Driver] C:\Program Files\Common Files\Microsoft Shared\DAO\COMPUTER-PXKSRE\svchost.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\jtehexkh.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1009877631593
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 20 May 2007 - 04:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum shariisablonde :thumbsup:

First please delete:
C:\Documents and Settings\Shari\My Documents\My Music\HijackThis.exe

Now download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

****************************

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop,and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

******************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 shariisablonde

shariisablonde
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:08:32 PM

Posted 20 May 2007 - 07:11 PM

okay I got as far as choose usal account in safe mode-well actually just past that-looks like whatever it is OWNS safe mode in all accounts-I can't get the desktop to load -all I get is a black screen-so NOW What? Heres my logfile again..

Logfile of HijackThis v1.99.1
Scan saved at 8:00:49 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\jtehexkh.dll",realset
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1009877631593
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 21 May 2007 - 01:32 AM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Posted Image
Posted Image

#5 shariisablonde

shariisablonde
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:08:32 PM

Posted 21 May 2007 - 09:27 AM

:thumbsup: Okay here goes..

"Shari" - 2007-05-21 10:04:23 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Shari\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\ajhohhfs.dll
C:\WINDOWS\system32\ewfvgnxm.dll
C:\WINDOWS\system32\rcxuqwog.dll
C:\WINDOWS\system32\sfxfkdsk.dll
C:\WINDOWS\system32\tkgllkdv.dll
C:\WINDOWS\system32\xpuqctcn.dll
C:\WINDOWS\system32\mljgggh.dll
C:\WINDOWS\system32\opnkkli.dll
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\sfhhohja.ini
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\gebxurr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Shari\Desktop.\internet explorer.lnk
C:\Temp\17O7


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


2007-05-21 06:58 <DIR> d-------- C:\VundoFix Backups
2007-05-20 20:22 <DIR> d-------- C:\!KillBox
2007-05-19 18:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-19 18:04 <DIR> d-------- C:\DOCUME~1\Shari\.housecall6.6
2007-05-19 10:34 <DIR> d-------- C:\DOCUME~1\Shari\APPLIC~1\Lavasoft
2007-05-19 10:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-18 08:30 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-18 08:30 <DIR> d-------- C:\Temp
2007-05-13 19:33 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2007-05-13 19:33 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2007-05-13 19:33 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-05-13 19:26 94,208 --a------ C:\WINDOWS\system32\ippcv11.dll
2007-05-13 19:26 77,824 --a------ C:\WINDOWS\system32\ippsr11.dll
2007-05-13 19:26 65,536 --a------ C:\WINDOWS\system32\ippj11.dll
2007-05-13 19:26 466,944 --a------ C:\WINDOWS\system32\ippcvw711.dll
2007-05-13 19:26 40,960 --a------ C:\WINDOWS\system32\IPPCPUID.DLL
2007-05-13 19:26 266,240 --a------ C:\WINDOWS\system32\ippsrw711.dll
2007-05-13 19:26 225,280 --a------ C:\WINDOWS\system32\ippi11.dll
2007-05-13 19:26 2,592,768 --a------ C:\WINDOWS\system32\ippiw711.dll
2007-05-13 19:26 176,128 --a------ C:\WINDOWS\system32\ipps11.dll
2007-05-13 19:26 159,744 --a------ C:\WINDOWS\system32\ippjw711.dll
2007-05-13 19:26 122,880 --a------ C:\WINDOWS\system32\Nsvideo.dll
2007-05-13 19:26 1,589,248 --a------ C:\WINDOWS\system32\ippsw711.dll
2007-05-13 19:26 <DIR> d-------- C:\DOCUME~1\Shari\WINDOWS
2007-05-13 19:03 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-05-13 19:03 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-05-13 19:03 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-05-13 19:03 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-05-13 19:03 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-05-13 19:03 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-05-13 19:03 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-05-13 19:03 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-05-11 12:43 <DIR> d-------- C:\PureSight
2007-05-07 15:24 <DIR> d-------- C:\DOCUME~1\Shari\awc_Shariisablonde
2007-05-06 11:19 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-05-06 11:19 249,856 --------- C:\WINDOWS\Setup1.exe
2007-05-06 11:19 <DIR> d-------- C:\Program Files\Web Services Accelerator
2007-05-01 12:59 2,064,384 --a------ C:\WINDOWS\system32\win32cpr.dll
2007-05-01 12:59 10,870,784 --a------ C:\WINDOWS\cfgmng32.exe
2007-05-01 12:59 1,822,720 --a------ C:\WINDOWS\system32\winsflte.dll
2007-05-01 12:59 1,294,422 --a------ C:\WINDOWS\system32\winsflt.dll
2007-05-01 12:59 1,032,192 --a------ C:\WINDOWS\system32\mdmcls32.exe
2007-05-01 12:58 7,440 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-01 12:58 <DIR> d-------- C:\WINDOWS\rnapxs
2007-05-01 09:08 902 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-01 08:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-01 08:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-01 06:57 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-05-01 06:26 <DIR> d-------- C:\Program Files\SpyLocked 3.6
2007-05-01 06:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-29 13:13 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-04-29 13:13 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-04-29 13:13 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-04-29 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-04-29 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-04-29 13:13 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-04-29 09:22 <DIR> d-------- C:\Program Files\ColorWasher2
2007-04-28 06:25 <DIR> d-------- C:\DOCUME~1\Shari\APPLIC~1\Opera
2007-04-28 06:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-04-28 06:06 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-04-28 06:02 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-04-28 06:02 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-04-28 06:02 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-04-28 04:11 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-04-28 04:11 <DIR> dr-hs---- C:\Program Files\PSCS
2007-04-28 02:23 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-04-28 02:23 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-04-28 02:19 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-04-28 02:19 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-04-28 02:19 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-04-26 16:19 6 --a------ C:\WINDOWS\system32\mkghj.dll
2007-04-26 16:06 <DIR> d-------- C:\Program Files\PureSight Technologies Ltd
2007-04-23 19:07 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\MySpace
2007-04-23 08:13 <DIR> d-------- C:\Program Files\MySpace
2007-04-23 08:13 <DIR> d-------- C:\DOCUME~1\Shari\APPLIC~1\MySpace


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-21 01:37:46 -------- d--h--r C:\DOCUME~1\Shari\APPLIC~1\yahoo!
2007-05-20 19:13:23 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-20 19:12:40 -------- d-----w C:\Program Files\NewSoft
2007-05-20 19:08:20 -------- d-----w C:\Program Files\ArcSoft
2007-05-20 06:22:50 -------- d-----w C:\Program Files\Cute MP3 Converter
2007-05-07 16:37:47 -------- d-----w C:\Program Files\Yahoo!
2007-05-02 14:21:41 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-02 14:21:41 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-04-28 13:18:58 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-21 00:42:54 -------- d-----w C:\Program Files\Creative
2007-04-18 23:25:54 -------- d-----w C:\DOCUME~1\Shari\APPLIC~1\StumbleUpon
2007-04-17 01:11:18 -------- d-----w C:\DOCUME~1\Shari\APPLIC~1\Help
2007-04-16 01:18:30 -------- d-----w C:\DOCUME~1\Shari\APPLIC~1\Roxio
2007-04-14 10:01:14 -------- d-----w C:\Program Files\Movie Maker
2007-04-14 09:56:50 -------- d-----w C:\Program Files\Windows NT
2007-04-14 03:43:34 -------- d-----w C:\Program Files\DSC Driver
2007-04-14 01:12:54 -------- d-----w C:\Program Files\Roxio
2007-04-14 01:07:36 -------- d-----w C:\Program Files\directx
2007-04-14 00:57:50 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-04-13 23:57:19 -------- d-----w C:\Program Files\CCleaner
2007-04-13 23:29:48 26,787 ------w C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-04-13 23:29:08 74,864 ------w C:\WINDOWS\system32\VetRedir.dll
2007-04-13 23:29:08 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-04-13 23:29:08 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-04-13 23:29:06 21,031 ------w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-04-13 23:29:06 15,735 ------w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-04-13 23:29:06 15,478 ------w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-04-13 23:26:29 -------- d-----w C:\Program Files\CA
2007-04-13 22:09:15 -------- d-----w C:\Program Files\F-Secure Internet Security
2007-04-13 19:10:02 -------- d-----w C:\Program Files\MTV Networks
2007-04-13 18:55:57 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-13 18:29:48 -------- d-----w C:\Program Files\Messenger
2007-03-17 13:43:01 292,864 ------w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ------w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ------w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ------w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2007-03-20 14:39]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{FB04C1F0-F455-405E-B468-9AA8E1FCDE2B}=C:\WINDOWS\system32\gebyw.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-04-13 16:29]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-04-13 16:29]
"dvHighMem"="C:\WINDOWS\cfgmng32.exe" [2006-10-15 15:26]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-27 16:13]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 C:\WINDOWS\system32\sbusbdll.dll]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Icatch(VI) SnapDetect.lnk
backup=C:\WINDOWS\pss\Icatch(VI) SnapDetect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Video Driver]
C:\Program Files\Common Files\Microsoft Shared\DAO\COMPUTER-PXKSRE\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows LSSS Service]
C:\Program Files\Common Files\Microsoft Shared\DAO\COMPUTER-PXKSRE\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinLiveUpdate]
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 10:14:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-21 10:16:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-21 10:16

--- E O F ---
and the Hijack this log...

Logfile of HijackThis v1.99.1
Scan saved at 10:23:08 AM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FB04C1F0-F455-405E-B468-9AA8E1FCDE2B} - C:\WINDOWS\system32\gebyw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1009877631593
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 21 May 2007 - 09:42 AM

Go here:http://virusscan.jotti.org/
Using the 'Browse' button,browse to:
C:\WINDOWS\system32\mdmcls32.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply please.

If Jotti's too busy,try here:
Go here:http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button,browse to:
C:\WINDOWS\system32\mdmcls32.exe
Then click on 'Send'.
Post the results into your next reply please.


Then do exactly the same with:
C:\WINDOWS\cfgmng32.exe
Post both sets of results into your next reply.

Also post a new Hijackthis log please.

Edited by RichieUK, 21 May 2007 - 09:42 AM.

Posted Image
Posted Image

#7 shariisablonde

shariisablonde
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:08:32 PM

Posted 21 May 2007 - 06:24 PM

:thumbsup: okay got it!

Scan taken on 21 May 2007 21:31:14 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


The 2nd one-C:\WINDOWS\cfgmng32.exe will not scan on either site-hmmmmm..
okay heres my hijack this log..

Logfile of HijackThis v1.99.1
Scan saved at 7:19:14 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FB04C1F0-F455-405E-B468-9AA8E1FCDE2B} - C:\WINDOWS\system32\gebyw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1009877631593
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 21 May 2007 - 06:33 PM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

*******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Posted Image
Posted Image

#9 shariisablonde

shariisablonde
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:08:32 PM

Posted 21 May 2007 - 08:22 PM

:thumbsup: okay here it is-
ajhohhfs.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ewfvgnxm.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Moved.;
rcxuqwog.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Moved.;
sfxfkdsk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Moved.;
tkgllkdv.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xpuqctcn.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;
A0009145.exe;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP60;Trojan.Popuper;Deleted.;
A0009215.exe;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP60;Tool.Prockill;Moved.;
A0009217.exe;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP60;Tool.ShutDown.11;Moved.;
A0009228.exe;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP60;Tool.Prockill;Moved.;
A0009230.exe;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP60;Tool.ShutDown.11;Moved.;
A0011597.dll;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP81;Trojan.Virtumod;Deleted.;
A0011659.dll;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP83;Trojan.Virtumod;Deleted.;
A0011749.exe;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP83;Adware.ClickSpring;Moved.;
A0013079.exe;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP89;Tool.Prockill;Moved.;
A0013253.dll;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP89;Trojan.Virtumod;Deleted.;
A0013254.dll;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP89;Trojan.Virtumod;Deleted.;
A0013280.dll;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP89;Adware.Crew;Moved.;
A0013281.dll;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP89;Adware.Crew;Moved.;
A0013282.dll;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP89;Adware.Crew;Renamed.;
A0013283.dll;C:\System Volume Information\_restore{FA0C6AC5-D583-4101-827F-0C9A11756A7E}\RP89;Adware.Crew;Moved.;
hbcyhnbo.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
jtehexkh.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Moved.;


and the combo fix log-
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


2007-05-21 20:03 <DIR> d-------- C:\DOCUME~1\Chris\DoctorWeb
2007-05-21 10:16 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-21 06:58 <DIR> d-------- C:\VundoFix Backups
2007-05-20 20:22 <DIR> d-------- C:\!KillBox
2007-05-19 18:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-19 10:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-18 08:30 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-18 08:30 <DIR> d-------- C:\Temp
2007-05-13 19:33 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2007-05-13 19:33 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2007-05-13 19:33 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-05-13 19:26 94,208 --a------ C:\WINDOWS\system32\ippcv11.dll
2007-05-13 19:26 77,824 --a------ C:\WINDOWS\system32\ippsr11.dll
2007-05-13 19:26 65,536 --a------ C:\WINDOWS\system32\ippj11.dll
2007-05-13 19:26 466,944 --a------ C:\WINDOWS\system32\ippcvw711.dll
2007-05-13 19:26 40,960 --a------ C:\WINDOWS\system32\IPPCPUID.DLL
2007-05-13 19:26 266,240 --a------ C:\WINDOWS\system32\ippsrw711.dll
2007-05-13 19:26 225,280 --a------ C:\WINDOWS\system32\ippi11.dll
2007-05-13 19:26 2,592,768 --a------ C:\WINDOWS\system32\ippiw711.dll
2007-05-13 19:26 176,128 --a------ C:\WINDOWS\system32\ipps11.dll
2007-05-13 19:26 159,744 --a------ C:\WINDOWS\system32\ippjw711.dll
2007-05-13 19:26 122,880 --a------ C:\WINDOWS\system32\Nsvideo.dll
2007-05-13 19:26 1,589,248 --a------ C:\WINDOWS\system32\ippsw711.dll
2007-05-13 19:03 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-05-13 19:03 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-05-13 19:03 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-05-13 19:03 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-05-13 19:03 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-05-13 19:03 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-05-13 19:03 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-05-13 19:03 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-05-11 12:43 <DIR> d-------- C:\PureSight
2007-05-06 11:19 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-05-06 11:19 249,856 --------- C:\WINDOWS\Setup1.exe
2007-05-06 11:19 <DIR> d-------- C:\Program Files\Web Services Accelerator
2007-05-01 12:59 2,064,384 --a------ C:\WINDOWS\system32\win32cpr.dll
2007-05-01 12:59 10,870,784 --a------ C:\WINDOWS\cfgmng32.exe
2007-05-01 12:59 1,822,720 --a------ C:\WINDOWS\system32\winsflte.dll
2007-05-01 12:59 1,294,422 --a------ C:\WINDOWS\system32\winsflt.dll
2007-05-01 12:59 1,032,192 --a------ C:\WINDOWS\system32\mdmcls32.exe
2007-05-01 12:58 7,440 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-01 12:58 <DIR> d-------- C:\WINDOWS\rnapxs
2007-05-01 09:08 902 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-01 08:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-01 06:57 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-05-01 06:26 <DIR> d-------- C:\Program Files\SpyLocked 3.6
2007-05-01 06:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-29 13:13 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-04-29 13:13 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-04-29 13:13 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-04-29 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-04-29 13:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-04-29 13:13 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-04-29 09:22 <DIR> d-------- C:\Program Files\ColorWasher2
2007-04-28 06:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-04-28 06:06 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-04-28 06:02 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-04-28 06:02 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-04-28 06:02 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-04-28 04:11 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2007-04-28 04:11 <DIR> dr-hs---- C:\Program Files\PSCS
2007-04-28 02:23 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-04-28 02:23 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-04-28 02:19 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-04-28 02:19 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-04-28 02:19 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-04-26 16:19 6 --a------ C:\WINDOWS\system32\mkghj.dll
2007-04-26 16:06 <DIR> d-------- C:\Program Files\PureSight Technologies Ltd
2007-04-23 19:07 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\MySpace
2007-04-23 08:13 <DIR> d-------- C:\Program Files\MySpace


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-20 19:13:23 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-20 19:12:40 -------- d-----w C:\Program Files\NewSoft
2007-05-20 19:08:20 -------- d-----w C:\Program Files\ArcSoft
2007-05-20 06:22:50 -------- d-----w C:\Program Files\Cute MP3 Converter
2007-05-08 03:58:39 -------- d--h--r C:\DOCUME~1\Chris\APPLIC~1\yahoo!
2007-05-07 16:37:47 -------- d-----w C:\Program Files\Yahoo!
2007-05-02 14:21:41 630,464 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-02 14:21:41 108,656 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-04-28 13:18:58 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-21 00:42:54 -------- d-----w C:\Program Files\Creative
2007-04-14 10:01:14 -------- d-----w C:\Program Files\Movie Maker
2007-04-14 09:56:50 -------- d-----w C:\Program Files\Windows NT
2007-04-14 03:43:34 -------- d-----w C:\Program Files\DSC Driver
2007-04-14 01:12:54 -------- d-----w C:\Program Files\Roxio
2007-04-14 01:07:36 -------- d-----w C:\Program Files\directx
2007-04-14 00:57:50 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-04-13 23:57:19 -------- d-----w C:\Program Files\CCleaner
2007-04-13 23:29:48 26,787 ------w C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-04-13 23:29:08 74,864 ------w C:\WINDOWS\system32\VetRedir.dll
2007-04-13 23:29:08 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-04-13 23:29:08 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-04-13 23:29:06 21,031 ------w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-04-13 23:29:06 15,735 ------w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-04-13 23:29:06 15,478 ------w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-04-13 23:26:29 -------- d-----w C:\Program Files\CA
2007-04-13 22:09:15 -------- d-----w C:\Program Files\F-Secure Internet Security
2007-04-13 19:10:02 -------- d-----w C:\Program Files\MTV Networks
2007-04-13 18:55:57 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-13 18:29:48 -------- d-----w C:\Program Files\Messenger
2007-03-17 13:43:01 292,864 ------w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ------w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ------w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ------w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2007-03-20 14:39]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{FB04C1F0-F455-405E-B468-9AA8E1FCDE2B}=C:\WINDOWS\system32\gebyw.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-04-13 16:29]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-04-13 16:29]
"dvHighMem"="C:\WINDOWS\cfgmng32.exe" [2006-10-15 15:26]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-27 16:13]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 C:\WINDOWS\system32\sbusbdll.dll]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Icatch(VI) SnapDetect.lnk
backup=C:\WINDOWS\pss\Icatch(VI) SnapDetect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Video Driver]
C:\Program Files\Common Files\Microsoft Shared\DAO\COMPUTER-PXKSRE\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows LSSS Service]
C:\Program Files\Common Files\Microsoft Shared\DAO\COMPUTER-PXKSRE\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinLiveUpdate]
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 21:08:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-21 21:09:27
C:\ComboFix-quarantined-files.txt ... 2007-05-21 21:09
C:\ComboFix2.txt ... 2007-05-21 10:16

--- E O F ---
and finally the hijackthis log-

Logfile of HijackThis v1.99.1
Scan saved at 9:18:25 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FB04C1F0-F455-405E-B468-9AA8E1FCDE2B} - C:\WINDOWS\system32\gebyw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1009877631593
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 22 May 2007 - 03:44 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\mkghj.dll
C:\WINDOWS\cfgmng32.exe
C:\WINDOWS\system32\mdmcls32.exe

Folders to delete:
C:\Program Files\SpyLocked 3.6

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*****************************

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
WinSock Extention Manager
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

*****************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {FB04C1F0-F455-405E-B468-9AA8E1FCDE2B} - C:\WINDOWS\system32\gebyw.dll (file missing)
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

Exit Hijackthis.

Restart your pc.
Post the Avenger output.txt,and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.
Posted Image
Posted Image

#11 shariisablonde

shariisablonde
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:08:32 PM

Posted 22 May 2007 - 06:00 AM

okay-heres the avenger-I'll be back with the rest-

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bxfig^dm

*******************

Script file located at: \??\C:\Documents and Settings\rjubkoqd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\mkghj.dll deleted successfully.
File C:\WINDOWS\cfgmng32.exe deleted successfully.
File C:\WINDOWS\system32\mdmcls32.exe deleted successfully.
Folder C:\Program Files\SpyLocked 3.6 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#12 shariisablonde

shariisablonde
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:08:32 PM

Posted 22 May 2007 - 06:51 AM

okay problem-in hijack this..this was missing

O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
so I deleted all the rest-restarted and couldn't get back online...so I restored everything but the avenger stuff I did.Obviously I'm back online. So now what? Heres my hijack this log-which obviously contains the missing file again..Hey I'm a blonde..what can I say? LOL

Logfile of HijackThis v1.99.1
Scan saved at 7:45:37 AM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FB04C1F0-F455-405E-B468-9AA8E1FCDE2B} - C:\WINDOWS\system32\gebyw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1009877631593
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinSock Extention Manager - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 22 May 2007 - 07:16 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {FB04C1F0-F455-405E-B468-9AA8E1FCDE2B} - C:\WINDOWS\system32\gebyw.dll (file missing)
Exit Hijackthis.

*****************************

I've been doing a lot of investigations and the following files do appear to be harmless,and nothing to be at all concerned about:
cfgmng32.exe
mdmcls32.exe


*****************************

Your log is clean :thumbsup:
If all's ok,please do the following:

Find and delete:
SDFix.exe
VundoFix.exe
Combofix
KillBox
Avenger

C:\VundoFix Backups
C:\!KillBox
C:\Avenger
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
Posted Image
Posted Image

#14 shariisablonde

shariisablonde
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:08:32 PM

Posted 22 May 2007 - 08:35 AM

:thumbsup: Thank you so much! You're a lifesaver! MUAHHHH!!! :flowers:

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 22 May 2007 - 09:50 AM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users