Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Not sure what is wrong with my computer. [RESOLVED]


  • This topic is locked This topic is locked

#1
chrissym

chrissym

    Member

  • Member
  • PipPip
  • 12 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:42:48, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 4862 bytes
  • 0

Advertisements


#2
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hello chrissym and Welcome to Geeks to Go!

Sorry for the delay. We've been quite busy this week.

Let's do some scans first.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next,

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post back with the following logs.

- MBAM log
- SuperAntispyware log
  • 0

#3
chrissym

chrissym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Okay, I'll start now.

Thank you for your help. I'll post with the logs as soon as I am done.
  • 0

#4
chrissym

chrissym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Okay, Here it goes:

Malwarebytes' Anti-Malware 1.17
Database version: 862

2:59:39 PM 6/16/2008
mbam-log-6-16-2008 (14-59-39).txt

Scan type: Quick Scan
Objects scanned: 40665
Time elapsed: 7 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\1B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\31.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\JeffnChrissy\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
-----



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/16/2008 at 03:55 PM

Application Version : 4.15.1000

Core Rules Database Version : 3482
Trace Rules Database Version: 1473

Scan type : Complete Scan
Total Scan Time : 00:48:24

Memory items scanned : 390
Memory threats detected : 0
Registry items scanned : 5347
Registry threats detected : 11
File items scanned : 57642
File threats detected : 97

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1759A31-E627-4758-9562-6899DF36C9C2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E1759A31-E627-4758-9562-6899DF36C9C2}

Adware.Tracking Cookie
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@cgi-bin[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@indiads[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@adbrite[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@advertising[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@p[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@247realmedia[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@adprofile[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@questionmarket[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@dealtime[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][3].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@adserver[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@eyewonder[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@findwhat[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@myroitracking[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@realmedia[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@trafficmp[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][3].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@hypertracker[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@roiservice[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@insightexpressai[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][3].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@tacoda[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@revsci[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@linkstattrack[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@media6degrees[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@adbrite[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@adserving[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@banners[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@clicksor[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@collective-media[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@findwhat[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@lynxtrack[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@media6degrees[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@networkadvertising[1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\jeffnchrissy@spamblockerutility[2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][2].txt
C:\Documents and Settings\JeffnChrissy\Cookies\[email protected][1].txt

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.FakeAlert/Variant
C:\DOCUMENTS AND SETTINGS\JEFFNCHRISSY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ED29CR6P\SECURE[1]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1008\A0027981.EXE

Bugs! Screensaver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1000\A0027444.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1006\A0027694.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1006\A0027711.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1007\A0027833.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1008\A0027855.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1008\A0027873.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1008\A0027900.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1008\A0027904.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1008\A0027911.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1008\A0027980.SCR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP997\A0027111.SCR

Rootkit.TNCore-Variant/A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1008\A0027888.SYS

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP960\A0026261.VBS

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\VYBEG.INI

Trace.Known Threat Sources
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\ZCO9RIUL\index.zp[1].htm
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\6RETIN09\sh[1].gif
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\8S6GWQX7\scan[1].htm
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\ED29CR6P\secstat[1].gif
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\GLOJK1UB\fileslist[2].js
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\U37ZCWR6\progressbar[2].js
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\E9KLUJY3\common[2].js
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\MNSD09UL\rd-fakeout2-720x300[1].gif
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\SD7PTIC0\index.zp[1].htm
C:\Documents and Settings\JeffnChrissy\Local Settings\Temporary Internet Files\Content.IE5\6RETIN09\index.zp[1].htm
----

thank you for your help,
Chrissy.
  • 0

#5
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Well that took care of some badfiles.

Let's use a different tool to see what else might be hiding.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.[list]

Close all other windows before proceeding.

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt
  • 0

#6
chrissym

chrissym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here it it:

Deckard's System Scanner v20071014.68
Run by JeffnChrissy on 2008-06-16 21:43:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
122: 2008-06-17 04:43:42 UTC - RP1017 - Deckard's System Scanner Restore Point
121: 2008-06-16 22:04:29 UTC - RP1016 - Installed SUPERAntiSpyware Free Edition
120: 2008-06-16 12:12:41 UTC - RP1015 - System Checkpoint
119: 2008-06-15 12:00:40 UTC - RP1014 - System Checkpoint
118: 2008-06-14 10:36:40 UTC - RP1013 - System Checkpoint


-- First Restore Point --
1: 2008-03-19 20:29:19 UTC - RP896 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as JeffnChrissy.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:45:39, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JeffnChrissy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C80A3A3-D12B-4344-998B-291196BBDC6E} - (no file)
O2 - BHO: (no name) - {959FE850-BCA8-4A35-9C87-D59E12D420C5} - (no file)
O2 - BHO: (no name) - {DDBCE50E-41E9-46E2-9B04-7E16DFAC770B} - (no file)
O2 - BHO: (no name) - {F6C82F67-B8E6-4A00-99A6-6E50E046BF80} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mljkhhi - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5848 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080609-200730-359 O4 - HKLM\..\Run: [lphcp4bj0erb9] C:\WINDOWS\system32\lphcp4bj0erb9.exe
backup-20080609-201330-167 O2 - BHO: 0 - {7C80A3A3-D12B-4344-998B-291196BBDC6E} - C:\Program Files\Windows NT\rylitynaf358.dll (file missing)
backup-20080609-201330-259 O2 - BHO: (no name) - {DDBCE50E-41E9-46E2-9B04-7E16DFAC770B} - C:\Program Files\Messenger\nizybim4444.dll (file missing)
backup-20080609-201330-864 O2 - BHO: (no name) - {959FE850-BCA8-4A35-9C87-D59E12D420C5} - C:\Program Files\Messenger\nizybim83122.dll (file missing)
backup-20080609-201330-896 O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\mljkhhi.dll (file missing)
backup-20080609-201331-611 O2 - BHO: (no name) - {F6C82F67-B8E6-4A00-99A6-6E50E046BF80} - C:\WINDOWS\system32\gebyv.dll (file missing)
backup-20080610-181656-352 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
backup-20080610-181656-531 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
backup-20080610-181656-573 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60327
backup-20080610-181656-747 O20 - Winlogon Notify: mljkhhi - mljkhhi.dll (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
S3 ComFiltr (Panda Anti-Dialer) - c:\windows\system32\drivers\comfiltr.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-16 21:44:00 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 21:43:15 686630 --a------ C:\Program Files\dss.exe
2008-06-16 15:04:40 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-16 15:04:30 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-16 15:04:30 0 d-------- C:\Documents and Settings\JeffnChrissy\Application Data\SUPERAntiSpyware.com
2008-06-16 15:04:04 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 14:48:30 0 d-------- C:\Documents and Settings\JeffnChrissy\Application Data\Malwarebytes
2008-06-16 14:48:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-16 14:48:20 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-09 20:02:09 0 d-------- C:\Program Files\Trend Micro
2008-06-09 15:53:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-09 15:45:31 0 d-------- C:\Program Files\SpywareBlaster
2008-06-09 11:20:24 0 d-------- C:\Documents and Settings\JeffnChrissy\Application Data\shcv4bj0erb9
2008-06-09 11:11:58 0 d-------- C:\kav
2008-06-09 11:11:22 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-06-05 00:52:17 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-05 00:49:21 353792 --a------ C:\Program Files\AIMFix.exe
2008-06-05 00:21:46 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-05 00:21:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-05 00:21:46 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-05 00:21:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-05 00:21:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-05 00:21:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-05 00:21:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-05 00:21:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-06-05 00:21:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-05 00:21:45 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-05 00:21:45 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-05 00:21:45 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-05 00:21:45 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-05 00:21:45 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-05 00:21:45 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-05 00:21:45 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-05 00:21:45 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-05 00:21:45 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-05 00:10:50 2772 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-03 14:07:54 0 d-------- C:\WINDOWS\Cache
2008-06-03 14:07:53 0 d-------- C:\Program Files\Coupons
2008-05-22 20:30:08 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-22 20:30:08 0 d-------- C:\Program Files\AutoCAD 2006
2008-05-22 20:30:08 0 d-------- C:\Documents and Settings\JeffnChrissy\Application Data\Autodesk
2008-05-22 20:30:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Autodesk


-- Find3M Report ---------------------------------------------------------------

2008-06-16 15:04:04 0 d-------- C:\Program Files\Common Files
2008-06-09 12:54:44 0 d-------- C:\Program Files\Shutterfly
2008-06-09 12:53:25 0 d-------- C:\Program Files\Sonic
2008-06-09 12:52:18 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-09 12:38:51 0 d-------- C:\Program Files\Jasc Software Inc
2008-06-09 12:28:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-09 11:20:55 0 d-------- C:\Program Files\Windows NT
2008-06-06 10:22:31 9836 --a------ C:\Program Files\DBPerf.log
2008-05-27 08:53:41 0 d-------- C:\Documents and Settings\JeffnChrissy\Application Data\AdobeUM
2008-05-14 10:06:25 0 d-------- C:\Documents and Settings\JeffnChrissy\Application Data\Jasc Software Inc
2008-04-21 16:39:24 101752 --a------ C:\Documents and Settings\JeffnChrissy\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 13:19:19 0 d-------- C:\Documents and Settings\JeffnChrissy\Application Data\Shutterfly


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C80A3A3-D12B-4344-998B-291196BBDC6E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{959FE850-BCA8-4A35-9C87-D59E12D420C5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDBCE50E-41E9-46E2-9B04-7E16DFAC770B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6C82F67-B8E6-4A00-99A6-6E50E046BF80}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 17:42]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 18:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 14:19]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 14:50]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [03/15/2005 08:58]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [03/06/2007 10:21]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 16:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [3/5/2005 9:18:22 PM]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [7/11/2005 4:28:44 PM]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [1/8/2008 4:39:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [7/10/2005 3:57:00 PM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [10/26/2005 4:09:52 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegedit"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkhhi]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d60a72e-0e54-11dc-a6e8-00132044e3d4}]
AutoRun\command- E:\system\viewer\Viewer.exe
View your videos\command- E:\system\viewer\Viewer.exe




-- End of Deckard's System Scanner: finished at 2008-06-16 21:47:12 ------------






Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 509.98 MiB / 268.72 MiB
Pagefile Memory (total/avail): 1248.82 MiB / 1037.85 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.72 MiB

C: is Fixed (NTFS) - 71.13 GiB total, 56 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BB-75JHC0 - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 71.13 GiB - C:
\PARTITION2 - Unknown - 3.34 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.8.1201 [VPS 080616-0] v4.8.1201 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JeffnChrissy\Application Data
ASLOGDIR=C:\Program Files\Intuit\QuickBooks 2006\
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MINICK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JeffnChrissy
LOGONSERVER=\\MINICK
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\Program Files\Common Files\Autodesk Shared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JEFFNC~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JEFFNC~1\LOCALS~1\Temp
USERDOMAIN=MINICK
USERNAME=JeffnChrissy
USERPROFILE=C:\Documents and Settings\JeffnChrissy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

JeffnChrissy (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{688A3383-3CE7-4094-9188-9C39D1E4FCB6}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
AutoCAD 2006 - English --> MsiExec.exe /I{5783F2D7-4001-0409-0002-0060B0CE6BBA}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Dell Photo Printer 720 Logger --> C:\Program Files\Dell Photo Printer 720\dlbcunst.exe
eFax Messenger 4.3 --> C:\Program Files\eFax Messenger 4.3\Uninstall.exe
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
LG USB Modem driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
My Way Search Assistant --> rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickBooks Premier: Contractor Edition 2006 --> msiexec.exe /I {688A3383-3CE7-4094-9188-9C39D1E4FCB6} UNIQUE_NAME="contractor" QBFULLNAME="QuickBooks Premier: Contractor Edition 2006" ADDREMOVE=1
QuickBooks Pro 2002 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{809987B2-F964-11D4-A1A5-00104BD190B1}\setup.exe" -addremove
QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1
Remote Control USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8471021C-F529-43DE-84DF-3612E10F58C4}\setup.exe" -l0x9 -removeonly
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}


-- Application Event Log -------------------------------------------------------

Event Record #/Type840 / Error
Event Submitted/Written: 06/10/2008 06:16:22 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126648864.

Event Record #/Type839 / Error
Event Submitted/Written: 06/10/2008 06:16:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type808 / Warning
Event Submitted/Written: 06/09/2008 11:17:16 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type804 / Error
Event Submitted/Written: 06/09/2008 11:13:23 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type802 / Error
Event Submitted/Written: 06/09/2008 11:10:18 AM
Event ID/Source: 0 / pctsSvc.exe
Event Description:
The service process could not connect to the service controller



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11762 / Warning
Event Submitted/Written: 06/13/2008 11:27:15 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type11761 / Warning
Event Submitted/Written: 06/12/2008 11:26:57 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type11760 / Warning
Event Submitted/Written: 06/12/2008 10:52:11 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type11759 / Warning
Event Submitted/Written: 06/12/2008 10:35:17 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type11758 / Warning
Event Submitted/Written: 06/12/2008 04:48:20 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-06-16 21:47:12 ------------
  • 0

#7
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Still some more steps to do. :)

First,

Please Enable Avast Antivirus.
Right-click on Avast icon located in system tray
Select "Start On-Access Protection:

Avast will now be activated.

Next,

Click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /DAFT
Click on the Scan button.
Select everything it is displaying there
Click the Fix button.
Then rescan with DAFT again - it should say now that "All associations are OK"
Close DAFT if you receive that message.

Finally,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#8
chrissym

chrissym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I am entering the copy and paste into the open window and it says that it isn't valid
  • 0

#9
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Let's revise the fix slightly.

First,

Please Enable Avast Antivirus.
Right-click on Avast icon located in system tray
Select "Start On-Access Protection:

Avast will now be activated.

Next,
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.

Finally,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#10
chrissym

chrissym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ComboFix 08-06-16.5 - JeffnChrissy 2008-06-17 12:37:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT -7:00]
Running from: C:\Documents and Settings\JeffnChrissy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\sstem~1
C:\Program Files\sstem~1\s?stem\
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM138ea50e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cogwjyrw.ini
C:\WINDOWS\system32\gqghlryx.ini
C:\WINDOWS\system32\iyivkvdi.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ttfawkcb.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\yxrwxokj.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 12:34 . 2008-06-17 12:33 245,902 --a------ C:\Program Files\daft.exe
2008-06-16 21:43 . 2008-06-16 21:43 <DIR> d-------- C:\Deckard
2008-06-16 21:43 . 2008-06-16 21:43 686,630 --a------ C:\Program Files\dss.exe
2008-06-16 15:04 . 2008-06-16 15:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-16 15:04 . 2008-06-16 15:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 15:04 . 2008-06-16 15:04 <DIR> d-------- C:\Documents and Settings\JeffnChrissy\Application Data\SUPERAntiSpyware.com
2008-06-16 15:04 . 2008-06-16 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-16 15:03 . 2008-06-16 15:04 6,467,096 --a------ C:\Program Files\SUPERAntiSpyware.exe
2008-06-16 14:48 . 2008-06-16 14:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:48 . 2008-06-16 14:48 <DIR> d-------- C:\Documents and Settings\JeffnChrissy\Application Data\Malwarebytes
2008-06-16 14:48 . 2008-06-16 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-16 14:48 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-16 14:48 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 14:47 . 2008-06-16 14:47 1,628,032 --a------ C:\Program Files\mbam-setup.exe
2008-06-11 03:53 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 03:53 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 20:02 . 2008-06-09 20:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 20:01 . 2008-06-09 20:01 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-06-09 16:31 . 2008-06-09 17:19 23,047,784 --a------ C:\Program Files\setupeng.exe
2008-06-09 15:53 . 2008-06-09 15:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-09 15:53 . 2008-06-09 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-09 15:50 . 2008-06-09 15:52 9,722,720 --a------ C:\Program Files\spybotsd152.exe
2008-06-09 15:45 . 2008-06-10 17:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-09 15:45 . 2008-06-09 15:44 2,671,816 --a------ C:\Program Files\spywareblastersetup40.exe
2008-06-09 11:20 . 2008-06-09 11:20 <DIR> d-------- C:\Documents and Settings\JeffnChrissy\Application Data\shcv4bj0erb9
2008-06-09 11:11 . 2008-06-09 11:18 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-06-09 11:11 . 2008-06-09 11:11 <DIR> d-------- C:\kav
2008-06-09 11:11 . 2008-06-09 11:11 29,143,641 --a------ C:\Program Files\kav7.0.1.325en.exe
2008-06-05 00:52 . 2008-06-12 23:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-05 00:51 . 2008-06-05 00:51 18,473,000 --a------ C:\Program Files\sdsetup.exe
2008-06-05 00:49 . 2008-06-05 00:49 353,792 --a------ C:\Program Files\AIMFix.exe
2008-06-05 00:21 . 2005-06-21 06:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-05 00:21 . 2005-06-21 06:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-06-05 00:21 . 2008-06-05 00:21 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-05 00:10 . 2008-06-05 00:31 2,772 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-03 14:07 . 2008-06-03 14:07 <DIR> d-------- C:\WINDOWS\Cache
2008-06-03 14:07 . 2008-06-09 16:30 <DIR> d-------- C:\Program Files\Coupons
2008-06-03 14:07 . 2008-06-03 14:07 1,243,184 --a------ C:\Program Files\CouponPrinter.exe
2008-05-22 20:30 . 2008-05-22 20:32 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-22 20:30 . 2008-05-22 20:32 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-05-22 20:30 . 2008-05-22 20:34 <DIR> d-------- C:\Documents and Settings\JeffnChrissy\Application Data\Autodesk
2008-05-22 20:30 . 2008-05-22 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-21 18:23 . 2008-05-21 18:23 1,478,696 --a------ C:\Program Files\GenuineCheck.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 05:16 1,495,112 ----a-w C:\Program Files\install_flash_player.exe
2008-06-09 19:54 --------- d-----w C:\Program Files\Shutterfly
2008-06-09 19:53 --------- d-----w C:\Program Files\Sonic
2008-06-09 19:52 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-09 19:38 --------- d-----w C:\Program Files\Jasc Software Inc
2008-06-09 19:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-06 17:22 9,836 ----a-w C:\Program Files\DBPerf.log
2008-05-27 15:53 --------- d-----w C:\Documents and Settings\JeffnChrissy\Application Data\AdobeUM
2008-05-14 17:06 --------- d-----w C:\Documents and Settings\JeffnChrissy\Application Data\Jasc Software Inc
2008-05-14 16:55 7,789,520 ----a-w C:\Program Files\SpywareTerminatorSetup.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-21 23:39 101,752 ----a-w C:\Documents and Settings\JeffnChrissy\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 20:19 --------- d-----w C:\Documents and Settings\JeffnChrissy\Application Data\Shutterfly
2008-03-24 16:05 20,394,752 ----a-w C:\Program Files\VZMM2-DL-LG-Bld41-10000-001.exe
2008-03-14 17:09 34,130,184 ----a-w C:\Program Files\GoogleSketchUpWEN.exe
2008-01-28 05:15 21,364,592 ----a-w C:\Program Files\aaw2007.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C80A3A3-D12B-4344-998B-291196BBDC6E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{959FE850-BCA8-4A35-9C87-D59E12D420C5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDBCE50E-41E9-46E2-9B04-7E16DFAC770B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6C82F67-B8E6-4A00-99A6-6E50E046BF80}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42 1404928]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21 116224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 21:18:22 10872]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-07-11 16:28:44 315392]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2008-01-08 16:39:26 629248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2005-07-10 15:57:00 315392]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 04:09:52 811008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkhhi]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\kav\\kav7\\setup.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d60a72e-0e54-11dc-a6e8-00132044e3d4}]
\Shell\AutoRun\command - E:\system\viewer\Viewer.exe
\Shell\View your videos\command - E:\system\viewer\Viewer.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 19:54:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 12:51:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-06-17 12:56:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 19:56:12

Pre-Run: 60,008,677,376 bytes free
Post-Run: 60,123,066,368 bytes free

169 --- E O F --- 2008-06-12 10:02:42



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:58, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C80A3A3-D12B-4344-998B-291196BBDC6E} - (no file)
O2 - BHO: (no name) - {959FE850-BCA8-4A35-9C87-D59E12D420C5} - (no file)
O2 - BHO: (no name) - {DDBCE50E-41E9-46E2-9B04-7E16DFAC770B} - (no file)
O2 - BHO: (no name) - {F6C82F67-B8E6-4A00-99A6-6E50E046BF80} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mljkhhi - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5860 bytes
  • 0

Advertisements


#11
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Please run the MGA Diagnostic Tool and post back the report it shall produce:

1. Download MGADiag to your desktop.
2. Double-click on MGADiag.exe to launch the program
3. Click "Continue"
4. Ensure that the "Windows" tab is selected (it should be by default).
5. Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
6. Paste the MGA Diagnostic Report back here in your next reply.
  • 0

#12
chrissym

chrissym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 76477-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.2.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {A2172DB1-E9E6-4D26-9145-56605A93822E}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.18.5
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.18.5
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office XP Professional - 100 Genuine
Microsoft Publisher 2002 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1_E2AD56EA-338-8009_E2AD56EA-339-2f0d_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A2172DB1-E9E6-4D26-9145-56605A93822E}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>76477-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-4010284753-39737447-2460344831</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 3000 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A02</Version><SMBIOSVersion major="2" minor="3"/><Date>20041108000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>F98939E70184605C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Dimension DIM3000</name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91110409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office XP Professional</Name><Ver>10</Ver><Val>8539B00EBBDE27C</Val><Hash>3QZcZiuJv48M62OY9fuofq0ZP/o=</Hash><Pid>54186-OEM-1790387-03198</Pid><PidType>4</PidType></Product><Product GUID="{91190409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Publisher 2002</Name><Ver>10</Ver><Val>98DB716B8657BC</Val><Hash>hZ+tuEGLGnzF/WVsnZkhdAdDzh8=</Hash><Pid>54197-OEM-1690192-83198</Pid><PidType>4</PidType></Product></Products><Applications><App Id="15" Version="10" Result="100"/><App Id="16" Version="10" Result="100"/><App Id="18" Version="10" Result="100"/><App Id="19" Version="10" Result="100"/><App Id="1A" Version="10" Result="100"/><App Id="1B" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>
  • 0

#13
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Ok, let's get rid of the rest. :)

First,

Please Enable Avast Antivirus.
Right-click on Avast icon located in system tray
Select "Start On-Access Protection:

Avast will now be activated.

Next,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7C80A3A3-D12B-4344-998B-291196BBDC6E} - (no file)
O2 - BHO: (no name) - {959FE850-BCA8-4A35-9C87-D59E12D420C5} - (no file)
O2 - BHO: (no name) - {DDBCE50E-41E9-46E2-9B04-7E16DFAC770B} - (no file)
O2 - BHO: (no name) - {F6C82F67-B8E6-4A00-99A6-6E50E046BF80} - (no file)
O20 - Winlogon Notify: mljkhhi - C:\WINDOWS\

Now close all windows other than HiJackThis, then click Fix Checked.
Close HiJackThis.

Then,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\lphcp4bj0erb9.exe
    C:\Program Files\Windows NT\rylitynaf358.dll 
    C:\Program Files\Messenger\nizybim83122.dll 
    C:\WINDOWS\system32\mljkhhi.dll
    C:\WINDOWS\system32\gebyv.dll 
    C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll 
    C:\Program Files\GenuineCheck.exe

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post back with the following logs.

- OTMoveIt log
- New HijackThis log

Edited by koko_crunch, 17 June 2008 - 06:49 PM.

  • 0

#14
chrissym

chrissym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
/Folder C:\WINDOWS\system32\lphcp4bj0erb9.exe not found.
File/Folder C:\Program Files\Windows NT\rylitynaf358.dll not found.
File/Folder C:\Program Files\Messenger\nizybim83122.dll not found.
File/Folder C:\WINDOWS\system32\mljkhhi.dll not found.
File/Folder C:\WINDOWS\system32\gebyv.dll not found.
File/Folder C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll not found.
C:\Program Files\GenuineCheck.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06172008_181712



ile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:51, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ashDisp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5650 bytes
  • 0

#15
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Now a series of scan to be sure we didn't miss any...


First,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60327

Now close all windows other than HiJackThis, then click Fix Checked.
Close HijackThis.

Next,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Finally,

Please do an online scan with Kaspersky WebScanner

Welcome Information page will open. Click on Accept
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded, click on Scan
    • Now under that section select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post back with
-SuperAntispyware log
-Kaspersky log

Edited by koko_crunch, 17 June 2008 - 08:53 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP