Hijackthis


  • This topic is locked
15 replies to this topic

#1 Clover K.

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Female
  • Location:Salt Lake City, UT
  • Local time:01:59 AM

Posted 21 June 2007 - 03:14 AM

Hi! I ran Ad-Aware, Spybot, avast antivirus, HijackThis a few times, and the McAfee Stinger. I can't run Windows Updates because of missing or unregistered DLLs. Windows Media Player won't work. I've got it running quite a bit better than it was originally, but I feel like I'm missing something and I need help, so I'm posting this log.

Logfile of HijackThis v1.99.1
Scan saved at 3:08:12 AM, on 6/21/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\System32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=sas.ce1.attbb.net:8000;gopher=sas.ce1.attbb.net:8000;http=sas.ce1.attbb.net:8000;https=sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [WorkFlo] D:\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182401686687
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125968847607
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)


#2 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 21 June 2007 - 10:40 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Clover K. :thumbsup:

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1:
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system.
As your machine stands right now it's extremely vulnerable to infection.
You need to get these updates installed first before we can proceed or we'll both be wasting our time.

Note:
Do not install Service Pack 2.
If you install SP 2 on an infected machine it will cause serious problems within the operating system.

Post a new Hijackthis log into your next reply when you've done the above.

#3 Clover K.


Posted 21 June 2007 - 04:14 PM

I'm remotely troubleshooting this computer, so I need to wait for my aunt to reconnect the computer. Will post back shortly! and thanks!

#4 Clover K.


Posted 21 June 2007 - 07:27 PM

When I try to run updates, I get an error 0x800B001. When trying to follow the steps outlined in the knowledge base to register the modules specified, I get an error saying LoadLibrary Failed - the specified module could not be found.
wuapi.dll, wucltui.dll, wups.dll are the ones that won't register. Is there a place where maybe I can download these?

EDIT: I fixed the issue. Will have my log soon.

Edited by Clover K., 21 June 2007 - 07:48 PM.


#5 RichieUK


Posted 21 June 2007 - 07:30 PM

See if the following helps:

Download/install Dial-a-Fix from here:
http://www.softpedia.com/get/System/System...ial-a-fix.shtml
Launch the program, place a check in ALL the boxes.
Then click on 'GO' at the bottom.
Restart your pc when Dial-a-Fix has done.

#6 Clover K.


Posted 21 June 2007 - 09:35 PM

Thanks! Here's that log:

Logfile of HijackThis v1.99.1
Scan saved at 9:24:32 PM, on 6/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=sas.ce1.attbb.net:8000;gopher=sas.ce1.attbb.net:8000;http=sas.ce1.attbb.net:8000;https=sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182477039390
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182477034796
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

#7 RichieUK


Posted 22 June 2007 - 03:04 AM

It appears you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

**************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

**************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

Exit Hijackthis.

**************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

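As an added example (not code from this thread, from RichieUK, or from the HijackThis project), here is a small Python triage script for the HijackThis v1.99.1 line format that flags the kinds of entries picked out in the post above: registrations whose target file is gone ("(no file)" / "(file missing)"), an F2 Userinit value that differs from the stock `C:\WINDOWS\system32\userinit.exe,` that the fix.reg restores, O16 ActiveX downloads from hosts outside an allowlist, and any configured proxy for manual review. The sample log lines, the allowlist of trusted download hosts and the Finding type are constructed for the example and are assumptions of mine; whether a flagged entry is actually malicious still needs the analyst's judgement, as in the thread.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis log format, modelled on entries from this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=sas.ce1.attbb.net:8000;https=sas.ce1.attbb.net:8000
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\System32\\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O23 - Service: avast! Web Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe" /service (file missing)
"""

# Stock Winlogon Userinit value on Windows XP; the trailing comma is part of it
# (this is what the fix.reg in the thread restores). Compared case-insensitively.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe,"

# Constructed allowlist (assumption): hosts from which O16 ActiveX downloads are expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "dell.com")

# Every HJT entry starts with a section code such as R1, F2, O2, O16, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    kind: str    # HJT section code, e.g. "O2"
    reason: str  # why the line was flagged
    line: str    # the original log line


def host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL, or '' if not a URL."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def triage_line(line: str) -> Optional[Finding]:
    """Apply the per-section checks to one log line; None means nothing to report."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    # Orphaned registrations: HJT marks missing targets as "(no file)" / "(file missing)".
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return Finding(kind, "orphaned entry: target file missing", line)
    # F2 Userinit: anything but the stock value (with its trailing comma) is worth a look.
    if kind == "F2" and "UserInit=" in body:
        value = body.split("UserInit=", 1)[1].strip().lower()
        if value != STOCK_USERINIT:
            return Finding(kind, "Userinit differs from stock value", line)
    # O16 DPF: ActiveX controls downloaded from a host outside the allowlist.
    if kind == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = host_of(url)
        if host and not host.endswith(TRUSTED_DPF_HOSTS):
            return Finding(kind, f"ActiveX download from unlisted host {host}", line)
    # R1 ProxyServer: a configured proxy is not malicious by itself, but confirm it is the ISP's.
    if kind == "R1" and "ProxyServer" in body:
        return Finding(kind, "proxy configured: confirm it is the ISP's", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run as a script it prints the six flagged sample entries; `triage()` returns the findings as a list so the same checks can be run over a pasted log or many logs without touching the registry of the machine being examined.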

#8 Clover K.


Posted 22 June 2007 - 09:04 PM

combofix:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\msxml3a.dll


((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))


2007-06-22 20:57 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 17:07 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-06-21 22:52 <DIR> d-------- C:\Program Files\a-squared Free
2007-06-21 22:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-21 22:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-21 21:21 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-21 21:09 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-21 21:09 <DIR> d-------- C:\WINDOWS\ehome
2007-06-21 21:06 98,304 --a------ C:\WINDOWS\SYSTEM32\oleprn.dll
2007-06-21 21:06 95,744 --a------ C:\WINDOWS\SYSTEM32\nlhtml.dll
2007-06-21 21:06 94,208 --a------ C:\WINDOWS\SYSTEM32\odbccp32.dll
2007-06-21 21:06 91,136 --a------ C:\WINDOWS\SYSTEM32\rastls.dll
2007-06-21 21:06 9,856 --------- C:\WINDOWS\SYSTEM32\DRIVERS\tunmp.sys
2007-06-21 21:06 9,216 --a------ C:\WINDOWS\SYSTEM32\wuauserv.dll
2007-06-21 21:06 88,064 --a------ C:\WINDOWS\SYSTEM32\tscfgwmi.dll
2007-06-21 21:06 87,304 --a------ C:\WINDOWS\SYSTEM32\rdpdd.dll
2007-06-21 21:06 86,528 --a------ C:\WINDOWS\SYSTEM32\wlnotify.dll
2007-06-21 21:06 86,016 --a------ C:\WINDOWS\SYSTEM32\xactsrv.dll
2007-06-21 21:06 82,944 --a------ C:\WINDOWS\SYSTEM32\smlogsvc.exe
2007-06-21 21:06 82,944 --a------ C:\WINDOWS\SYSTEM32\psbase.dll
2007-06-21 21:06 81,920 --a------ C:\WINDOWS\SYSTEM32\trkwks.dll
2007-06-21 21:06 8,192 --a------ C:\WINDOWS\SYSTEM32\scrnsave.scr
2007-06-21 21:06 77,824 --a------ C:\WINDOWS\SYSTEM32\wmpstub.exe
2007-06-21 21:06 77,824 --a------ C:\WINDOWS\SYSTEM32\wmpshell.dll
2007-06-21 21:06 75,912 --a------ C:\WINDOWS\SYSTEM32\rdpwsx.dll
2007-06-21 21:06 74,240 --a------ C:\WINDOWS\SYSTEM32\rtcshare.exe
2007-06-21 21:06 71,168 --a------ C:\WINDOWS\SYSTEM32\telnet.exe
2007-06-21 21:06 71,168 --a------ C:\WINDOWS\SYSTEM32\storprop.dll
2007-06-21 21:06 71,168 --a------ C:\WINDOWS\SYSTEM32\sdbinst.exe
2007-06-21 21:06 686,080 --a------ C:\WINDOWS\SYSTEM32\opengl32.dll
2007-06-21 21:06 674,816 --a------ C:\WINDOWS\SYSTEM32\sxs.dll
2007-06-21 21:06 667,648 --a------ C:\WINDOWS\SYSTEM32\ss3dfo.scr
2007-06-21 21:06 66,560 --a------ C:\WINDOWS\SYSTEM32\spoolss.dll
2007-06-21 21:06 66,048 --a------ C:\WINDOWS\SYSTEM32\sigverif.exe
2007-06-21 21:06 638,976 --a------ C:\WINDOWS\SYSTEM32\sstext3d.scr
2007-06-21 21:06 63,488 --a------ C:\WINDOWS\SYSTEM32\srclient.dll
2007-06-21 21:06 62,976 --a------ C:\WINDOWS\SYSTEM32\shgina.dll
2007-06-21 21:06 61,952 --a------ C:\WINDOWS\SYSTEM32\webclnt.dll
2007-06-21 21:06 61,952 --a------ C:\WINDOWS\SYSTEM32\sti.dll
2007-06-21 21:06 61,440 --a------ C:\WINDOWS\SYSTEM32\odbccu32.dll
2007-06-21 21:06 61,440 --a------ C:\WINDOWS\SYSTEM32\odbccr32.dll
2007-06-21 21:06 60,416 --a------ C:\WINDOWS\SYSTEM32\wextract.exe
2007-06-21 21:06 60,416 --a------ C:\WINDOWS\SYSTEM32\shimeng.dll
2007-06-21 21:06 6,144 --a------ C:\WINDOWS\SYSTEM32\sensapi.dll
2007-06-21 21:06 58,880 --a------ C:\WINDOWS\SYSTEM32\pautoenr.dll
2007-06-21 21:06 57,856 --a------ C:\WINDOWS\SYSTEM32\raschap.dll
2007-06-21 21:06 569,344 --a------ C:\WINDOWS\SYSTEM32\sspipes.scr
2007-06-21 21:06 56,832 --a------ C:\WINDOWS\SYSTEM32\wzcdlg.dll
2007-06-21 21:06 56,320 --a------ C:\WINDOWS\SYSTEM32\remotepg.dll
2007-06-21 21:06 548,864 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll
2007-06-21 21:06 534,016 --a------ C:\WINDOWS\SYSTEM32\spider.exe
2007-06-21 21:06 53,248 --a------ C:\WINDOWS\SYSTEM32\packager.exe
2007-06-21 21:06 53,248 --a------ C:\WINDOWS\SYSTEM32\odbcconf.exe
2007-06-21 21:06 52,224 --a------ C:\WINDOWS\SYSTEM32\secur32.dll
2007-06-21 21:06 511,488 --a------ C:\WINDOWS\SYSTEM32\qedit.dll
2007-06-21 21:06 51,200 --a------ C:\WINDOWS\SYSTEM32\wmerrenu.dll
2007-06-21 21:06 5,504 --------- C:\WINDOWS\SYSTEM32\DRIVERS\smbali.sys
2007-06-21 21:06 49,152 --a------ C:\WINDOWS\SYSTEM32\npptools.dll
2007-06-21 21:06 48,640 --a------ C:\WINDOWS\SYSTEM32\vdmredir.dll
2007-06-21 21:06 48,128 --a------ C:\WINDOWS\SYSTEM32\winsta.dll
2007-06-21 21:06 48,128 --a------ C:\WINDOWS\SYSTEM32\reg.exe
2007-06-21 21:06 479,261 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2007-06-21 21:06 47,616 --a------ C:\WINDOWS\SYSTEM32\utilman.exe
2007-06-21 21:06 446,464 --a------ C:\WINDOWS\SYSTEM32\wmvdmoe.dll
2007-06-21 21:06 442,398 --a------ C:\WINDOWS\SYSTEM32\wmadmoe.dll
2007-06-21 21:06 44,032 --a------ C:\WINDOWS\SYSTEM32\regapi.dll
2007-06-21 21:06 44,032 --a------ C:\WINDOWS\SYSTEM32\rdpclip.exe
2007-06-21 21:06 43,008 --a------ C:\WINDOWS\SYSTEM32\ssdpsrv.dll
2007-06-21 21:06 420,864 --a------ C:\WINDOWS\SYSTEM32\shimgvw.dll
2007-06-21 21:06 409,088 --a------ C:\WINDOWS\SYSTEM32\vssapi.dll
2007-06-21 21:06 40,960 --a------ C:\WINDOWS\SYSTEM32\tscupgrd.exe
2007-06-21 21:06 392,704 --a------ C:\WINDOWS\SYSTEM32\ntmssvc.dll
2007-06-21 21:06 385,024 --a------ C:\WINDOWS\SYSTEM32\sqlsrv32.dll
2007-06-21 21:06 384,000 --a------ C:\WINDOWS\SYSTEM32\themeui.dll
2007-06-21 21:06 38,912 --a------ C:\WINDOWS\SYSTEM32\wsnmp32.dll
2007-06-21 21:06 38,400 --a------ C:\WINDOWS\SYSTEM32\ntmsapi.dll
2007-06-21 21:06 38,400 --a------ C:\WINDOWS\SYSTEM32\ntlanman.dll
2007-06-21 21:06 364,544 --a------ C:\WINDOWS\SYSTEM32\ssflwbox.scr
2007-06-21 21:06 36,352 --a------ C:\WINDOWS\SYSTEM32\sens.dll
2007-06-21 21:06 357,376 --a------ C:\WINDOWS\SYSTEM32\qdvd.dll
2007-06-21 21:06 34,304 --a------ C:\WINDOWS\SYSTEM32\rcimlby.exe
2007-06-21 21:06 339,456 --a------ C:\WINDOWS\SYSTEM32\usp10.dll
2007-06-21 21:06 334,848 --a------ C:\WINDOWS\SYSTEM32\smlogcfg.dll
2007-06-21 21:06 33,808 --a------ C:\WINDOWS\SYSTEM32\ntio.sys
2007-06-21 21:06 33,280 --a------ C:\WINDOWS\SYSTEM32\shmgrate.exe
2007-06-21 21:06 328,704 --a------ C:\WINDOWS\SYSTEM32\oakley.dll
2007-06-21 21:06 32,768 --a------ C:\WINDOWS\SYSTEM32\odbcad32.exe
2007-06-21 21:06 32,256 --a------ C:\WINDOWS\SYSTEM32\umandlg.dll
2007-06-21 21:06 311,327 --a------ C:\WINDOWS\SYSTEM32\wmv8dmod.dll
2007-06-21 21:06 31,744 --a------ C:\WINDOWS\SYSTEM32\pid.dll
2007-06-21 21:06 3,338 --a------ C:\WINDOWS\SYSTEM32\redir.exe
2007-06-21 21:06 297,984 --a------ C:\WINDOWS\SYSTEM32\scesrv.dll
2007-06-21 21:06 296,448 --a------ C:\WINDOWS\SYSTEM32\wmstream.dll
2007-06-21 21:06 294,912 --a------ C:\WINDOWS\SYSTEM32\wmvdmod.dll
2007-06-21 21:06 274,432 --a------ C:\WINDOWS\SYSTEM32\wmasf.dll
2007-06-21 21:06 27,136 --a------ C:\WINDOWS\SYSTEM32\ssdpapi.dll
2007-06-21 21:06 266,752 --a------ C:\WINDOWS\winhlp32.exe
2007-06-21 21:06 264,704 --a------ C:\WINDOWS\SYSTEM32\wzcsvc.dll
2007-06-21 21:06 260,608 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2007-06-21 21:06 254,976 --a------ C:\WINDOWS\SYSTEM32\pdh.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 23:49:04 -------- d-----w C:\Program Files\Diablo II
2007-06-22 04:45:21 -------- d-----w C:\Program Files\StreamCast
2007-06-22 02:09:36 -------- d-----w C:\Program Files\Movie Maker
2007-06-22 02:09:35 -------- d-----w C:\Program Files\Messenger
2007-06-22 00:20:43 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-21 06:16:44 -------- d-----w C:\Program Files\Online Services
2007-06-21 05:43:31 -------- d-----w C:\Program Files\Dell
2007-06-21 04:35:07 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-21 04:32:34 -------- d-----w C:\Program Files\Yahoo!
2007-06-21 04:31:36 -------- d-----w C:\Program Files\TPT Registry_Cleaner (Trial)
2007-06-21 04:25:35 -------- d-----w C:\Program Files\COPERN32
2007-06-21 04:24:06 -------- d-----w C:\Program Files\Bricks
2007-06-20 12:20:47 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-06-20 12:20:47 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-06-20 12:20:47 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-06-20 11:47:59 -------- d-----w C:\DOCUME~1\JANETM~1\APPLIC~1\Yahoo!
2007-06-20 07:39:00 -------- d-----w C:\Program Files\SoftwareOnline
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 17:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
C:\WINDOWS\DELLMMKB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C42 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlo]
D:\BrdJmp\WorkFlow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"UMWdf"=2 (0x2)
"NVSvc"=2 (0x2)
"Nhksrv"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"ImapiService"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"AOL ACS"=2 (0x2)


Contents of the 'Scheduled Tasks' folder
2007-06-22 08:00:02 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
2002-03-08 00:45:31 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 20:59:32
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-22 21:00:02
C:\ComboFix-quarantined-files.txt ... 2007-06-22 20:59

--- E O F ---

hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 9:05:10 PM, on 6/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=sas.ce1.attbb.net:8000;gopher=sas.ce1.attbb.net:8000;http=sas.ce1.attbb.net:8000;https=sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182477039390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182477034796
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

#9 RichieUK - Malware Assassin, Malware Response Team, 13,614 posts

Posted 23 June 2007 - 03:45 AM

According to the above HijackThis log, you've still no virus protection installed. Could you do that now please, then post a new HijackThis log in your next reply when you've done.

Edited by RichieUK, 23 June 2007 - 03:46 AM.


#10 Clover K. - Topic Starter, Members, 67 posts, Location: Salt Lake City, UT

Posted 23 June 2007 - 04:37 AM

I have avast running on this machine. Do you recommend anything else?

#11 RichieUK - Malware Assassin, Malware Response Team, 13,614 posts

Posted 23 June 2007 - 05:48 AM

I have avast running on this machine. do you recommend anything else?

No, Avast is fine. How have you got it configured? Because it should be showing in 'Running processes:' and in the services entries [O23 -] in your HijackThis log.
Make sure it's configured to run at system startup.

If still no joy, uninstall Avast via Add or Remove Programs, then restart your computer.
Then download/install AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Let me know how you get on, and post a new HijackThis log when you've done.

#12 Clover K. - Topic Starter, Members, 67 posts, Location: Salt Lake City, UT

Posted 23 June 2007 - 04:55 PM

I'm reinstalling as we speak. It showed avast in the processes in the ComboFix log, so I don't know.

My responses today are going to be kind of sporadic, as I'm trying to spend time with my family. So bear with me.

#13 Clover K. - Topic Starter, Members, 67 posts, Location: Salt Lake City, UT

Posted 23 June 2007 - 07:16 PM

Here ya go!

Logfile of HijackThis v1.99.1
Scan saved at 7:17:31 PM, on 6/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=sas.ce1.attbb.net:8000;gopher=sas.ce1.attbb.net:8000;http=sas.ce1.attbb.net:8000;https=sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182477039390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182477034796
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

#14 RichieUK - Malware Assassin, Malware Response Team, 13,614 posts

Posted 24 June 2007 - 03:36 AM

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

------------------------------------------

Your log is clean :thumbsup:
If all's ok,please do the following:

Find and delete:
Combofix
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on OK.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
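The two checks RichieUK applies by hand above, in #11 (a resident antivirus has to appear both as an O23 service entry and under 'Running processes') and in #14 (an O3 entry marked '(no file)' is an orphan to fix), can be scripted. The Python below is an added example and is not code from the thread or from HijackThis. The embedded log is a constructed, trimmed version in the same shape as the logs posted above, and the table mapping ashServ.exe to avast! is an assumption to extend for whatever product is installed. It also treats the '(file missing)' on the quoted avast! Mail Scanner service line as a HijackThis 1.99.1 parser quirk rather than an orphan, because the same log lists ashMaiSv.exe under running processes.

```python
"""Triage a HijackThis 1.99.x log the way the replies above do by hand.
Added example; not code from the thread or from HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the logs posted above (trimmed, not the
# full log from the thread).  The r-prefix keeps the backslashes literal.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:17:31 PM, on 6/23/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=sas.ce1.attbb.net:8000
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumed vendor table (not from the thread): service binaries that identify a
# resident antivirus engine.  avast! 4 is the product on the page; add the
# service executable of whatever product is actually installed.
AV_SERVICE_EXES = {"ashserv.exe": "avast! 4"}


@dataclass
class Entry:
    section: str   # "R1", "O3", "O23", ...
    body: str      # text after "Oxx - "


def parse_log(text):
    """Split a log into (running process paths, list of Entry)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def exe_name(body):
    """Lower-case basename of the path in an entry body.  A trailing '"' and
    any ' /args' are stripped: that is how HijackThis 1.99.1 prints a quoted
    service ImagePath such as "...\ashMaiSv.exe" /service."""
    path = body.rsplit(" - ", 1)[-1]
    path = path.split('"')[0].split(" /")[0].strip()
    return path.rsplit("\\", 1)[-1].lower()


def _running_exes(processes):
    return {p.rsplit("\\", 1)[-1].lower() for p in processes}


def find_orphans(processes, entries):
    """Return (orphans, suspects).  Orphans are entries HijackThis marked
    '(no file)' / '(file missing)'.  Suspects are O23 lines that carry the
    stray '"' of a quoted path AND whose binary is listed under Running
    processes: the file is plainly there, so the marker is a parser quirk
    and the line needs a manual look rather than a 'Fix checked'."""
    running = _running_exes(processes)
    orphans, suspects = [], []
    for e in entries:
        if not e.body.endswith(ORPHAN_MARKERS):
            continue
        if e.section == "O23" and '"' in e.body and exe_name(e.body) in running:
            suspects.append(e)
        else:
            orphans.append(e)
    return orphans, suspects


def antivirus_status(processes, entries):
    """The check from #11: a resident AV must show up both as an O23 service
    entry and under Running processes.  An empty dict means no AV found."""
    running = _running_exes(processes)
    status = {}
    for e in entries:
        if e.section != "O23":
            continue
        exe = exe_name(e.body)
        if exe in AV_SERVICE_EXES:
            status[AV_SERVICE_EXES[exe]] = {"service": True, "running": exe in running}
    return status


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    orphans, suspects = find_orphans(procs, ents)
    print("antivirus:", antivirus_status(procs, ents) or "NONE FOUND")
    for e in orphans:
        print("fix (orphan):", e.section, "-", e.body)
    for e in suspects:
        print("verify by hand (HJT quirk?):", e.section, "-", e.body)
```

Run it as a script to print the triage. An empty antivirus result is the 'no virus protection' condition from #9; only the orphan list is what you would tick in HijackThis's 'Fix checked', and anything in the suspect list should be confirmed against the Running processes section before touching it.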

#15 Clover K. - Topic Starter, Members, 67 posts, Location: Salt Lake City, UT

Posted 24 June 2007 - 01:25 PM

Thank you so much!!



