Hijackthis Log


  • This topic is locked This topic is locked

#16
Rcfan717 (Member, Topic Starter, 28 posts)
Hello again. I apologize for not posting an update in a couple of days; I have been out of town, and now I am having some trouble with HijackThis working right, so I need to fix that. I will post my progress tomorrow. Thanks.


#17
Rcfan717 (Member, Topic Starter, 28 posts)
Something is seriously wrong now with my computer. I can't even use HijackThis because it performs an illegal operation, and when I go into Safe Mode the screen is black, with a background saying my computer is infected and bugs crawling around.

#18
BHowett (OT Moderator, 4,649 posts)
Hi Rcfan717,

We were pretty much clean when I asked for the last scan, so you must have gotten re-infected somehow. As you know, we have been working on this for about a month now. I know work and family take preference over cleaning the computer, but please try to stick with it and not allow several days to pass before replying. All that does is allow time for new infections to set in or old infections to mutate, and we have to keep starting over.

Let's uninstall the ComboFix you have now and re-download the newest version.

Follow these steps to uninstall ComboFix and the tools used in the removal of malware:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

Then…

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

======================================================

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

======================================================

Needed in your next reply:

"C:\ComboFix.txt"
Deckard's System Scanner main.txt and extra.txt

* NOTE * You will most likely have to post in two or more posts, as the results will be long.

#19
Rcfan717 (Member, Topic Starter, 28 posts)
ComboFix 08-05-20.4 - John Kellogg 2008-05-20 21:56:24.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.35 [GMT -7:00]
Running from: C:\Documents and Settings\John Kellogg\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\acfhbklk.ini
C:\WINDOWS\SYSTEM32\aqpckevg.ini
C:\WINDOWS\SYSTEM32\bmovcide.ini
C:\WINDOWS\SYSTEM32\caevoynl.ini
C:\WINDOWS\SYSTEM32\cavruhmm.ini
C:\WINDOWS\system32\cjmpbdig.ini
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\djvtoiod.ini
C:\WINDOWS\system32\drivers\uaG06.sys
C:\WINDOWS\system32\epvcqthm.ini
C:\WINDOWS\system32\erjsrfaw.dll
C:\WINDOWS\SYSTEM32\fjymynce.ini
C:\WINDOWS\system32\flsdmrvu.ini
C:\WINDOWS\system32\gfjdnljb.ini
C:\WINDOWS\system32\goyabqhc.ini
C:\WINDOWS\SYSTEM32\iqyohnbp.ini
C:\WINDOWS\system32\jmpmgrkd.ini
C:\WINDOWS\system32\khfDwtuT.dll
C:\WINDOWS\SYSTEM32\lnyqfsks.ini
C:\WINDOWS\system32\oogyjgdq.ini
C:\WINDOWS\SYSTEM32\oqlprwoe.ini
C:\WINDOWS\SYSTEM32\oqnsuxvu.ini
C:\WINDOWS\SYSTEM32\oqtosmbv.ini
C:\WINDOWS\system32\osdmpths.ini
C:\WINDOWS\SYSTEM32\pbffvulq.ini
C:\WINDOWS\system32\pdldiyue.ini
C:\WINDOWS\SYSTEM32\phwsifqw.ini
C:\WINDOWS\system32\poqysdnt.ini
C:\WINDOWS\SYSTEM32\qbavhcpe.ini
C:\WINDOWS\SYSTEM32\qqphabmi.ini
C:\WINDOWS\SYSTEM32\qqxeeixs.ini
C:\WINDOWS\SYSTEM32\sctqbksr.ini
C:\WINDOWS\system32\taqtjhak.ini
C:\WINDOWS\SYSTEM32\trsmiorp.ini
C:\WINDOWS\system32\TutwDfhk.ini
C:\WINDOWS\SYSTEM32\TutwDfhk.ini2
C:\WINDOWS\SYSTEM32\ugnpoiro.ini
C:\WINDOWS\SYSTEM32\uoubwpvh.ini
C:\WINDOWS\system32\vrgbybhj.ini
C:\WINDOWS\SYSTEM32\wafrsjre.ini
C:\WINDOWS\SYSTEM32\whtxrbhk.ini
C:\WINDOWS\SYSTEM32\wpswiwve.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UAG06
-------\Service_uaG06


((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2017-10-26 01:39 . 2017-10-26 01:39 <DIR> d---s---- C:\Microsoft
2017-04-03 03:54 . 2017-04-03 03:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MVTLogs
2016-02-13 01:10 . 2008-01-12 21:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2014-09-17 03:26 . 2014-09-17 03:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2011-04-11 05:17 . 2011-04-11 05:17 29,824 --a------ C:\WINDOWS\SYSTEM32\qoMdDsSm.dll
2011-04-11 05:17 . 2009-11-17 13:01 14,336 --a------ C:\WINDOWS\SYSTEM32\WinCtrl32.dll
2011-04-11 05:16 . 2009-11-17 13:04 160,256 --a------ C:\WINDOWS\SYSTEM32\blackster.scr
2011-04-11 05:15 . 2009-11-17 13:03 269,334 --a------ C:\WINDOWS\SYSTEM32\ctfmonb.bmp
2010-10-16 11:35 . 2010-10-16 11:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\Logs
2009-12-10 04:38 . 2007-07-30 19:18 34,136 --a--c--- C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2009-12-10 04:38 . 2007-07-30 19:19 25,944 --a--c--- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2009-12-10 04:38 . 2007-07-30 19:19 25,944 --a--c--- C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2009-12-10 04:38 . 2007-07-30 19:18 20,312 --a--c--- C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2009-11-04 03:07 . 2009-09-19 20:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2009-11-04 03:07 . 2009-11-04 03:07 1,409 --a------ C:\WINDOWS\QTFont.for
2009-01-11 19:02 . 2012-08-10 03:44 160,256 --a------ C:\WINDOWS\SYSTEM32\96.tmp
2008-06-06 01:03 . 2008-06-06 01:03 319,360 --a------ C:\WINDOWS\SYSTEM32\yayyAtSk.dll
2008-06-06 01:03 . 2008-06-06 01:05 344 --ahs---- C:\WINDOWS\SYSTEM32\kStAyyay.ini
2008-06-06 00:57 . 2008-06-06 00:57 29,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ejO51.sys
2008-06-06 00:57 . 2008-06-06 00:57 14,336 --a------ C:\WINDOWS\SYSTEM32\WinCtrl32.dl_
2008-06-04 23:46 . 2008-06-04 23:46 <DIR> d-------- C:\SiteAdvisor
2008-06-04 23:46 . 2008-06-04 23:46 <DIR> d-------- C:\McAfee
2008-05-20 21:33 . 2008-05-20 21:33 91,264 --a------ C:\WINDOWS\SYSTEM32\evwiwspw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2023-06-29 18:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2018-07-17 20:23 --------- d-----w C:\Program Files\Yahoo!
2015-05-13 01:51 --------- d-----w C:\Program Files\CCleaner
2014-09-27 06:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2011-03-17 23:09 --------- d--h--w C:\Documents and Settings\John Kellogg\Application Data\Gtek
2009-09-27 18:35 --------- d-----w C:\Program Files\LimeWire
2009-09-20 03:17 --------- d-----w C:\Documents and Settings\John Kellogg\Application Data\SiteAdvisor
2009-08-28 01:47 --------- d-----w C:\Documents and Settings\John Kellogg\Application Data\Yahoo!
2009-08-27 02:27 --------- d-----w C:\Program Files\QuickTime
2008-10-14 21:26 --------- d-----w C:\Program Files\Trend Micro
2008-09-30 19:22 --------- d-----w C:\Program Files\SolidWorks
2008-09-30 19:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluebeam Software
2008-06-21 00:50 1,848 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-27 01:24 --------- d-----w C:\Program Files\Java
2008-05-27 01:04 --------- d-----w C:\Program Files\McAfee
2008-05-24 00:07 --------- d-----w C:\Program Files\Google
2008-05-05 16:29 --------- d-----w C:\Documents and Settings\Dick Dastardly\Application Data\SiteAdvisor
2008-05-05 16:00 --------- d-----w C:\Documents and Settings\Dick Dastardly\Application Data\Apple Computer
2008-05-02 08:37 --------- d-----w C:\Documents and Settings\Dick Dastardly\Application Data\AdobeUM
2008-05-01 00:57 --------- d-----w C:\Documents and Settings\John Kellogg\Application Data\Malwarebytes
2008-05-01 00:56 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-01 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 23:46 --------- d-----w C:\Documents and Settings\Dick Dastardly\Application Data\GTek
2008-04-23 23:45 --------- d--h--r C:\Documents and Settings\Dick Dastardly\Application Data\yahoo!
2008-04-18 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
2011-04-11 05:17 29824 --a------ C:\WINDOWS\system32\qoMdDsSm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73310A01-D415-46D3-B2D2-76896509CCDC}]
C:\WINDOWS\system32\khfDwtuT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA2173B0-9A36-48FB-8C8A-1C5D08F3FBF5}]
2008-06-06 01:03 319360 --a------ C:\WINDOWS\system32\yayyAtSk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-11 15:28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 14:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 14:51 118784]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 18:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 08:35 536576]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 18:44 610304]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05 127035]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]
"advap32"="C:\DOCUME~1\JOHNKE~1\LOCALS~1\Temp\stdcons.exe/r" [ ]
"0cc38031"="C:\WINDOWS\system32\evwiwspw.dll" [2008-05-20 21:33 91264]
"combofix"="C:\WINDOWS\system32\CF23691.exe" [2004-08-04 04:00 388608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{18F4FBD5-CDE8-492C-9365-1912378EECFE}"= C:\WINDOWS\system32\qoMdDsSm.dll [2011-04-11 05:17 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDsSm]
qoMdDsSm.dll 2011-04-11 05:17 29824 C:\WINDOWS\SYSTEM32\qoMdDsSm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2009-11-17 13:01 14336 C:\WINDOWS\SYSTEM32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\yayyAtSk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ejO51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uaG06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 ejO51;ejO51;C:\WINDOWS\system32\Drivers\ejO51.sys [2008-06-06 00:57]

*Newly Created Service* - EJO51
.
Contents of the 'Scheduled Tasks' folder
"2011-01-19 16:38:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-19 06:35:18 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-09-01 08:00:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 01:01:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\yayyAtSk.dll 319360 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\qoMdDsSm.dll
-> C:\WINDOWS\system32\WinCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE
C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-06-06 1:10:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 08:10:11
ComboFix2.txt 2008-05-08 03:38:54

Pre-Run: 20,740,583,424 bytes free
Post-Run: 21,119,299,584 bytes free

233 --- E O F --- 2008-05-19 20:24:12
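The ComboFix log above is read the way a helper in this forum reads it: the "Reg Loading Points" section shows policy values that disable Task Manager, Security Center alerts and the firewall, a Winlogon Notify package and an extra LSA authentication package with random-looking names, and Run entries that start a DLL through rundll32.exe. The Python script below is an added example, not part of this thread and not code from ComboFix, HijackThis or DSS: it runs a few such checks over lines copied from the ComboFix log above and from the HijackThis O4/O20 lines in the reply that follows, plus one benign Run entry (IgfxTray) as a control. The rule list, the rule names and the "random-looking name" heuristic are my own assumptions about what deserves review, not something the tools themselves report.

```python
import re
from collections import namedtuple

# Constructed sample: lines copied from the ComboFix and HijackThis output posted
# in this thread, plus one benign Run entry (IgfxTray) as a negative control.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDsSm]
qoMdDsSm.dll 2011-04-11 05:17 29824 C:\WINDOWS\SYSTEM32\qoMdDsSm.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\yayyAtSk
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [0cc38031] rundll32.exe "C:\WINDOWS\system32\evwiwspw.dll",b
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
"""

# rule id (my own names), what the line means for the defender, the triggering line
Finding = namedtuple("Finding", "rule detail line")

# Registry values that weaken the machine's own defences when set this way:
# (section substring, value name, value indicating tampering, description).
WEAKENING_SETTINGS = [
    ("policies\\system", "disabletaskmgr", 1, "Task Manager disabled by policy"),
    ("security center", "antivirusdisablenotify", 1, "Security Center AV alerts silenced"),
    ("security center", "disablemonitoring", 1, "Security Center monitoring switched off"),
    ("firewallpolicy", "enablefirewall", 0, "Windows Firewall disabled for this profile"),
]
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>\S+)')
HJT_O4_RE = re.compile(r'^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
HJT_O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')

def parse_reg_value(raw):
    """ComboFix prints DWORDs as 'dword:00000001' or as '1 (0x1)'; return int or None."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return int(raw) if raw.isdigit() else None

def looks_random(name):
    """Heuristic (my assumption, not a tool rule): 8 letters with capitals scattered after
    the first one, the shape of qoMdDsSm or yayyAtSk. CamelCase product names match too,
    so it is only used to annotate entries that are already worth reviewing."""
    return (len(name) == 8 and name.isalpha() and not name.islower()
            and not name.isupper() and not name[1:].islower())

def tag(name):
    return name + (" (random-looking name)" if looks_random(name) else "")

def analyze(log_text):
    """Run the checks over ComboFix 'Reg Loading Points' and HijackThis O4/O20 lines."""
    findings, section = [], ""
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if line.startswith("["):
            section = line.strip("[]").lower()
            # Winlogon Notify packages are loaded into winlogon.exe at every logon.
            if "winlogon\\notify\\" in section:
                pkg = line.strip("[]").rsplit("\\", 1)[-1]
                findings.append(Finding("winlogon-notify", "Winlogon Notify package " + tag(pkg), line))
        elif (m := REG_VALUE_RE.match(line)):
            value = parse_reg_value(m.group("raw"))
            for sect, name, bad, desc in WEAKENING_SETTINGS:
                if sect in section and m.group("name").lower() == name and value == bad:
                    findings.append(Finding("defence-weakened", desc, line))
        elif line.startswith("Authentication Packages"):
            # Only msv1_0 is expected here; anything else runs inside lsass.exe.
            for pkg in line.split("REG_MULTI_SZ", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    name = pkg.split("\\")[-1].rsplit(".", 1)[0]
                    findings.append(Finding("lsa-auth-package", "Extra LSA package " + tag(name), line))
        elif (m := HJT_O4_RE.match(line)):
            name, cmd = m.group("name"), m.group("cmd").lower()
            if HEX_NAME_RE.match(name):
                findings.append(Finding("run-hex-name", "Run value named like a hex string: " + name, line))
            if cmd.startswith("rundll32.exe") and "system32" in cmd:
                findings.append(Finding("run-rundll32-dll", "DLL started via rundll32.exe from system32", line))
        elif (m := HJT_O20_RE.match(line)):
            findings.append(Finding("winlogon-notify", "Winlogon Notify package " + tag(m.group("name")), line))
    return findings

def summarize(findings):
    """Count findings per rule id."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
    print(summarize(results))
```

Run against the sample it reports nine findings: the four weakened-defence settings, the two Winlogon Notify packages, the extra LSA package, and two findings for the Run value named 0cc38031 (hex-string name, DLL started through rundll32.exe). The IgfxTray control line produces nothing. The checks are deliberately narrow; they are a reading aid for logs like the ones in this thread, not a replacement for the tools the moderator asked for.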

#20
Rcfan717 (Member, Topic Starter, 28 posts)
Deckard's System Scanner v20071014.68
Run by John Kellogg on 2008-06-06 01:23:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
50: 2008-06-06 08:23:32 UTC - RP4814 - Deckard's System Scanner Restore Point
49: 2008-06-06 08:05:27 UTC - RP4813 - Last known good configuration
48: 2008-05-21 04:53:20 UTC - RP4812 - ComboFix created restore point
47: 2009-10-11 10:53:50 UTC - RP4811 - System Checkpoint
46: 2009-08-29 18:50:30 UTC - RP4810 - System Checkpoint


-- First Restore Point --
1: 2009-07-15 22:23:19 UTC - RP4765 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as John Kellogg.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:32 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Documents and Settings\John Kellogg\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\John Kellogg.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.metacrawler.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...mp;dtag=j6ljk61
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {18F4FBD5-CDE8-492C-9365-1912378EECFE} - C:\WINDOWS\system32\qoMdDsSm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {73310A01-D415-46D3-B2D2-76896509CCDC} - C:\WINDOWS\system32\khfDwtuT.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CA2173B0-9A36-48FB-8C8A-1C5D08F3FBF5} - C:\WINDOWS\system32\yayyAtSk.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [0cc38031] rundll32.exe "C:\WINDOWS\system32\evwiwspw.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: qoMdDsSm - C:\WINDOWS\SYSTEM32\qoMdDsSm.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: ?H? - {aa0421f1-7371-4841-b9f5-f9e136eee572} - (no file)
O21 - SSODL:
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9713 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080507-201729-853 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
backup-20080507-201729-957 O21 - SSODL: ?H? - {aa0421f1-7371-4841-b9f5-f9e136eee572} - (no file)
backup-20080522-024515-662 O21 - SSODL: ?H? - {aa0421f1-7371-4841-b9f5-f9e136eee572} - (no file)
backup-20080522-024657-933 O21 - SSODL: ?H? - {aa0421f1-7371-4841-b9f5-f9e136eee572} - (no file)
backup-20080522-024711-264 O21 - SSODL: ?H? - {aa0421f1-7371-4841-b9f5-f9e136eee572} - (no file)
backup-20080606-011828-935 O21 - SSODL: ?H? - {aa0421f1-7371-4841-b9f5-f9e136eee572} - (no file)
backup-20090611-041659-462 O21 - SSODL: ?H? - {aa0421f1-7371-4841-b9f5-f9e136eee572} - (no file)
backup-20090702-121550-867 O21 - SSODL: ?H? - {aa0421f1-7371-4841-b9f5-f9e136eee572} - (no file)
backup-20100807-093732-431 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
backup-20100807-093732-440 O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
backup-20100807-093732-457 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
backup-20100807-093732-756 O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
backup-20100807-093732-774 O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
backup-20100807-093737-213 O20 - Winlogon Notify: awvsq - C:\WINDOWS\system32\awvsq.dll (file missing)
backup-20260511-110237-395 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
backup-20260511-110238-339 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20260511-110238-419 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20260511-110238-826 O2 - BHO: GNX Rolex - {5AA7A19E-2809-4DC0-9F3A-BD860C517469} - C:\WINDOWS\drnpfdxpgn.dll
backup-20260511-110239-662 O4 - HKCU\..\Run: [SysCleaner] "C:\Program Files\SysCleaner\SysCleaner.exe" hide
backup-20260511-110239-731 O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
backup-20260511-110239-942 O21 - SSODL: ServiceMon - {396ad4c8-dc19-4071-9979-6bb516bd8d65} - C:\WINDOWS\Installer\{396ad4c8-dc19-4071-9979-6bb516bd8d65}\ServiceMon.dll
backup-20260511-110247-454 O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ejO51 - c:\windows\system32\drivers\ejo51.sys
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.7) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.7>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>

S3 SDDMI2 - c:\windows\system32\ddmi2.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2011-01-19 09:38:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-09-01 01:00:15 346 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-05-18 23:35:18 354 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2021-04-18 03:20:00 0 d-------- C:\Program Files\Apple Software Update
2017-10-26 01:39:55 0 d---s---- C:\Microsoft
2017-04-03 03:54:49 0 d-------- C:\Documents and Settings\All Users\Application Data\MVTLogs
2016-02-13 01:10:24 0 d-------- C:\WINDOWS\system32\ActiveScan
2015-05-12 18:59:35 0 dr-h----- C:\Documents and Settings\John Kellogg\Recent
2015-05-12 18:51:11 0 d-------- C:\Program Files\CCleaner
2014-09-26 23:11:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2014-09-17 03:26:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2011-11-16 09:07:47 1755 --a----c- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2011-04-11 05:17:43 14336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2011-04-11 05:17:04 29824 --a------ C:\WINDOWS\system32\qoMdDsSm.dll
2011-04-11 05:16:00 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2010-10-16 11:35:48 0 d-------- C:\WINDOWS\system32\Logs
2010-07-04 15:40:28 0 d-------- C:\Program Files\DellSupport
2009-08-26 19:21:18 0 d-------- C:\Program Files\QuickTime
2008-10-14 14:26:32 0 d-------- C:\Program Files\Trend Micro
2008-06-06 01:03:37 344 --ahs---- C:\WINDOWS\system32\kStAyyay.ini2
2008-06-06 01:03:22 319360 --a------ C:\WINDOWS\system32\yayyAtSk.dll
2008-06-06 00:57:24 29056 --a------ C:\WINDOWS\system32\drivers\ejO51.sys
2008-06-05 00:39:51 0 d-------- C:\Documents and Settings\Dick Dastardly\Application Data\Google
2008-06-04 23:46:44 0 d-------- C:\SiteAdvisor
2008-06-04 23:46:44 0 d-------- C:\McAfee
2008-05-26 18:25:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-20 21:48:30 68096 --a------ C:\WINDOWS\zip.exe
2008-05-20 21:48:30 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-20 21:48:30 98816 --a------ C:\WINDOWS\sed.exe
2008-05-20 21:48:30 80412 --a------ C:\WINDOWS\grep.exe
2008-05-20 21:48:29 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-20 21:48:29 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-20 21:48:29 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-20 21:48:29 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-20 21:33:11 91264 --a------ C:\WINDOWS\system32\evwiwspw.dll


-- Find3M Report ---------------------------------------------------------------

2018-07-17 13:23:42 0 d-------- C:\Program Files\Yahoo!
2011-03-17 16:09:38 0 d--h----- C:\Documents and Settings\John Kellogg\Application Data\Gtek
2009-10-19 00:09:01 0 d-------- C:\Documents and Settings\John Kellogg\Application Data\Google
2009-09-27 11:35:44 0 d-------- C:\Program Files\LimeWire
2009-09-19 20:17:38 0 d-------- C:\Documents and Settings\John Kellogg\Application Data\SiteAdvisor
2009-08-27 18:47:49 0 d-------- C:\Documents and Settings\John Kellogg\Application Data\Yahoo!
2008-09-30 12:22:16 0 d-------- C:\Program Files\SolidWorks
2008-06-20 17:50:27 1848 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-26 18:24:00 0 d-------- C:\Program Files\Java
2008-05-26 18:04:21 0 d-------- C:\Program Files\McAfee
2008-05-23 17:07:50 0 d-------- C:\Program Files\Google
2008-04-30 17:57:17 0 d-------- C:\Documents and Settings\John Kellogg\Application Data\Malwarebytes
2008-04-30 17:56:54 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
04/11/2011 05:17 AM 29824 --a------ C:\WINDOWS\system32\qoMdDsSm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73310A01-D415-46D3-B2D2-76896509CCDC}]
C:\WINDOWS\system32\khfDwtuT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA2173B0-9A36-48FB-8C8A-1C5D08F3FBF5}]
06/06/2008 01:03 AM 319360 --a------ C:\WINDOWS\system32\yayyAtSk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 02:55 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 02:51 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [05/13/2004 06:23 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/14/2004 08:35 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/11/2004 10:43 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [10/07/2004 06:44 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 12:01 AM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [11/16/2004 01:05 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" []
"0cc38031"="C:\WINDOWS\system32\evwiwspw.dll" [05/20/2008 09:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/11/2010 03:28 PM]

C:\Documents and Settings\John Kellogg\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 12:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 12:04:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{18F4FBD5-CDE8-492C-9365-1912378EECFE}"= C:\WINDOWS\system32\qoMdDsSm.dll [04/11/2011 05:17 AM 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDsSm]
qoMdDsSm.dll 04/11/2011 05:17 AM 29824 C:\WINDOWS\SYSTEM32\qoMdDsSm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 11/17/2009 01:01 PM 14336 C:\WINDOWS\SYSTEM32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayyAtSk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ejO51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uaG06.sys]
@="Driver"

*Newly Created Service* - EJO51



-- End of Deckard's System Scanner: finished at 2008-06-06 01:28:31 ------------

#21
Rcfan717 (Member, Topic Starter)
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 87%
Physical Memory (total/avail): 254.33 MiB / 31.3 MiB
Pagefile Memory (total/avail): 623.93 MiB / 272.65 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.07 MiB

C: is Fixed (NTFS) - 34.27 GiB total, 19.64 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AH - 37.26 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 34.27 GiB - C:
\PARTITION2 - Unknown - 2.94 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\John Kellogg\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JOHN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\John Kellogg
LOGONSERVER=\\JOHN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Common Files\Sonic Shared;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JOHNKE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JOHNKE~1\LOCALS~1\Temp
USERDOMAIN=JOHN
USERNAME=John Kellogg
USERPROFILE=C:\Documents and Settings\John Kellogg
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

John Kellogg (admin)
Dick Dastardly (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CDE4CC8B-134B-421E-943C-90799E56F664}\setup.exe" -l0x9 -L0x9 /SMAINT
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
Dell Wireless WLAN Utility --> C:\WINDOWS\system32\BCMWLU00.exe verbose
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
FinePixViewer Ver.4.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ImageMixer VCD2 for FinePix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{934E9442-D305-4ACF-AD87-A6C11D677CB9}\setup.exe"
iMesh --> C:\PROGRA~1\IMESHA~1\iMesh\UNWISE.EXE C:\PROGRA~1\IMESHA~1\iMesh\INSTALL.LOG
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
John Deere American Farmer TM v1.0 --> "C:\Program Files\John Deere American Farmer\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire PRO 4.10.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
screen_mx Screen Saver --> C:\WINDOWS\system32\screen_mx.scr /u
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Sun Download Manager 2.0 (web) --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://javadl-esd.su...m20/sdm20.jnlp"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Trial Bike Pro Full Version --> C:\PROGRA~1\TRIALB~1\UNWISE.EXE C:\PROGRA~1\TRIALB~1\INSTALL.LOG
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type56160 / Error
Event Submitted/Written: 09/19/2009 08:27:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application QuickTimePlayer.exe, version 7.4.0.91, faulting module QuickTimePlayer.exe, version 7.4.0.91, fault address 0x0000130d.
Processing media-specific event for [QuickTimePlayer.exe!ws!]

Event Record #/Type56158 / Error
Event Submitted/Written: 06/24/2008 10:36:45 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module flash9e.ocx, version 9.0.115.0, fault address 0x00083126.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type56152 / Error
Event Submitted/Written: 07/02/2009 00:17:25 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module khfdwtut.dll, version 0.0.0.0, fault address 0x00062df3.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type56150 / Error
Event Submitted/Written: 06/11/2009 04:17:07 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module khfdwtut.dll, version 0.0.0.0, fault address 0x00062df3.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type56145 / Error
Event Submitted/Written: 05/22/2008 02:47:17 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module khfdwtut.dll, version 0.0.0.0, fault address 0x00062df3.
Processing media-specific event for [hijackthis.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type207576 / Warning
Event Submitted/Written: 06/06/2008 01:12:37 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type207570 / Warning
Event Submitted/Written: 06/06/2008 00:58:55 AM / 06/06/2008 00:58:56 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type207564 / Error
Event Submitted/Written: 06/06/2008 00:57:39 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

Event Record #/Type207551 / Error
Event Submitted/Written: 06/06/2008 00:57:26 AM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the mcpromgr service.

Event Record #/Type207542 / Warning
Event Submitted/Written: 05/30/2008 02:09:11 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-06-06 01:28:31 ------------

#22
Rcfan717 (Member, Topic Starter)
Here are the log results.
I just want to let you know in advance that I will be out of town this Friday to Sunday. What should I do in order to protect the computer while I am gone? Should I just shut the computer off?

#23
BHowett (OT Moderator)
Hopefully we can get done before you leave; if not, just disconnect your PC from the internet and power it down before you leave.

I will look through your logs and post back later today. :)

#24
BHowett (OT Moderator)
Hi Rcfan717,


Combofix Script.txt
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\qoMdDsSm.dll
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
C:\WINDOWS\SYSTEM32\blackster.scr
C:\WINDOWS\SYSTEM32\ctfmonb.bmp
C:\WINDOWS\SYSTEM32\96.tmp
C:\WINDOWS\SYSTEM32\yayyAtSk.dll
C:\WINDOWS\SYSTEM32\kStAyyay.ini
C:\WINDOWS\SYSTEM32\DRIVERS\ejO51.sys
C:\WINDOWS\SYSTEM32\WinCtrl32.dl_
C:\WINDOWS\SYSTEM32\evwiwspw.dll
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\system32\khfDwtuT.dll
C:\WINDOWS\system32\Drivers\ejO51.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73310A01-D415-46D3-B2D2-76896509CCDC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA2173B0-9A36-48FB-8C8A-1C5D08F3FBF5}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{18F4FBD5-CDE8-492C-9365-1912378EECFE}"=- 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDsSm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ejO51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uaG06.sys]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmona"=-
"advap32"=- 
"0cc38031"=- 
"combofix"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


===============================================

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


===============================================

Needed in your next reply:

Combofix.txt
Malwarebytes' log
A new HijackThis log

Also let me know how things are running now.

#25
BHowett (OT Moderator)
Unfortunately I will no longer be able to assist you with this topic. With you not responding in a timely manner (and I mentioned this to you before), all you are doing is wasting both of our time. We have been working on a simple problem for well over 35 days, only due to the lack of your response.



I am going on vacation, so I will not be reopening this topic. If you would like, you can start a new topic and wait for another available helper to assist you.


Sorry and best of luck getting sorted...
