Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

bad image issues [Solved]

Started by tower dog , Feb 06 2009 09:35 AM

  • This topic is locked This topic is locked

#1
tower dog
Posted 06 February 2009 - 09:35 AM

tower dog

    Member

  • Member
  • PipPip
  • 27 posts
whenever i start an app or something inline triggers it, i get a dwwin.exe bad image and it also says windows/system32/digeste.dll . here is my hijackthis log. please can anyone help?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:12 AM, on 2/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HP_Administrator\My Documents\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.c...a...&tbid=60316
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60316
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60316
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.c...spx?tb_id=60316
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60316
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.linksys
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnnOFWM.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: (no name) - {D04C92CC-176F-4163-A299-1F08DDABDD38} - C:\WINDOWS\system32\hgGAsPFV.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: PDC Poker - {4f34c291-5837-4f45-ade1-da5502c69fef} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\PDC Poker\PDC Poker.lnk (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://fubar.com/img...geUploader5.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...O/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O18 - Filter hijack: text/html - {5e8aea99-bccd-42e4-84ed-632cd1b57e19} - C:\WINDOWS\system32\mst122.dll
O20 - Winlogon Notify: nnnnOFWM - nnnnOFWM.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O24 - Desktop Component 0: (no name) - http://webmail.aol.c...i...PA&partId=6

--
End of file - 9642 bytes




any ideas?

thanks!
  • 0

Advertisements

#2
Blade81
Posted 09 February 2009 - 12:37 PM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

  • 0

#3
tower dog
Posted 10 February 2009 - 06:08 PM

tower dog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Administrator at 17:59:36.75 on Tue 02/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.404 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Documents and Settings\HP_Administrator\My Documents\LimeWire\LimeWire.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\E5RUVI9O\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://aol.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60316
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page =
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60316
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60316
uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll
BHO: NoExplorer - No File
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\nnnnOFWM.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\helper.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {d04c92cc-176f-4163-a299-1f08ddabdd38} - c:\windows\system32\hgGAsPFV.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
EB: {12da1bc4-5384-42fd-a119-3c99d2d146a2} - Internet Speed Monitor
EB: {1ed6a320-8af3-4f06-868a-9ba95585712e} - Internet Speed Monitor
EB: {231f6fab-eced-4975-9ef2-c0c7bc81927b} - Internet Speed Monitor
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fubar.com/imgs/ImageUploader5.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Filter: text/html - {5e8aea99-bccd-42e4-84ed-632cd1b57e19} - c:\windows\system32\mst122.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: nnnnOFWM - nnnnOFWM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\nnnnOFWM.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGAsPFV

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\enxah9ey.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - aol.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\program files\google\google updater\2.4.1441.4352\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600

============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2009-1-8 377920]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-1-8 57376]
S1 cd7a9fa;cd7a9fa;c:\windows\system32\drivers\cd7a9fa.sys [2008-10-10 0]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\rangebooster g wua-2340\jswutil\jswpsapi.exe --> c:\program files\d-link\rangebooster g wua-2340\jswutil\jswpsapi.exe [?]

=============== Created Last 30 ================

2009-02-08 19:55 <DIR> --d----- c:\program files\Visiosonic
2009-02-08 19:55 <DIR> --d----- c:\program files\Submersible
2009-02-08 19:38 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-08 19:38 1,409 a------- c:\windows\QTFont.for
2009-02-06 09:21 <DIR> --d----- c:\program files\Trend Micro
2009-02-03 09:05 <DIR> --d----- c:\program files\Crawler
2009-02-02 22:50 <DIR> --d----- c:\program files\Common
2009-01-31 11:27 1,550,279 ---sh--- c:\windows\system32\bnceoxoo.ini
2009-01-31 11:26 314,276 a--sh--- c:\windows\system32\VFPsAGgh.ini2
2009-01-31 11:26 314,276 a--sh--- c:\windows\system32\VFPsAGgh.ini
2009-01-31 11:21 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\cogad
2009-01-31 11:21 48,128 a------- c:\windows\system32\fccdbArp.dll
2009-01-31 11:20 24,064 a------- c:\windows\system32\digeste.dll
2009-01-27 13:20 <DIR> --d----- C:\Video
2009-01-23 19:49 <DIR> --d-h--- c:\program files\Zero G Registry
2009-01-23 19:48 <DIR> --d-h--- c:\documents and settings\hp_administrator\InstallAnywhere
2009-01-23 19:06 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SoundTrek
2009-01-23 19:04 <DIR> --d----- c:\windows\SoundTrek
2009-01-23 18:51 <DIR> --d----- c:\windows\system32\Adobe
2009-01-23 07:47 <DIR> --d----- c:\program files\MySpace
2009-01-15 12:55 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Sahmon Games
2009-01-13 23:43 <DIR> --d----- C:\programs2
2009-01-13 19:13 45,056 a------- c:\windows\system32\WNASPI32.DLL
2009-01-13 19:13 16,512 a------- c:\windows\system32\drivers\ASPI32.SYS
2009-01-13 19:13 <DIR> --d----- c:\program files\Xilisoft
2009-01-12 07:37 7 a------- c:\windows\system32\ANIWZCSUSERNAME

==================== Find3M ====================

2008-12-13 00:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-12-10 18:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 18:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 20:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 20:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 20:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 20:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-02-26 22:58 8,578 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2007-03-21 07:16 300,680 -c------ c:\docume~1\alluse~1\applic~1\arclib.dll
2007-01-10 11:15 1 -c-sh--- c:\windows\fonts\svchost.exe
2008-10-10 07:55 44,032 a--sh--- c:\windows\system32\Crypt_16.dll
2008-10-10 07:57 16,384 ac-sh--- c:\windows\temp\cookies\index.dat
2008-10-10 07:57 16,384 ac-sh--- c:\windows\temp\history\history.ie5\index.dat
2008-10-10 07:57 32,768 ac-sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:00:18.01 ===============

Attached Files


  • 0

#4
Blade81
Posted 11 February 2009 - 10:14 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi,

I see you have P2P software installed there. Nowadays, major part of infections spreads in P2P networks. I recommend uninstalling P2P clients to reduce infection risks. Whatever you do, please keep all P2P programs off during whole fixing process.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
  • 0

#5
tower dog
Posted 15 February 2009 - 01:05 PM

tower dog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
new problems. internet explorer and moxilla thumbnails have disappeared. every time i try to access this website, windows update website, or trend micro, i get a website cannot be displayed page. unable to connect. i have no use of my hijackthis application. windows defender cannot update definitions. i get something called mzen8p5y0vcd.exe that runs on my task manager, but when i google it, no results come up. when i open an internet explorer, 2 or 3 open up in my task manager, but only one displays. i am using my laptop just to access this site. can i download this fixer you recommend, put it on disc, and install it to my pc? the pc seems to work just fine for everything else but online apps. any suggestions?

Edited by tower dog, 15 February 2009 - 01:08 PM.

  • 0

#6
tower dog
Posted 15 February 2009 - 01:15 PM

tower dog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
also, upon restart, i have eb5yykacbo6.exe and cwiplo8s76w7t.exe as well as an internet explorer running in my task manager. neither of the former processes hit on google, and i certainly do not have ie on my msconfig or windows defender startup lists. as i end process on the three, other letters/numbers.exe's and ie's pop up.

Edited by tower dog, 15 February 2009 - 01:17 PM.

  • 0

#7
Blade81
Posted 15 February 2009 - 02:25 PM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi,

You can transfer ComboFix from CD too if needed. Just remember copy it to desktop first before running :)
  • 0

#8
tower dog
Posted 15 February 2009 - 03:20 PM

tower dog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
downloaded combofix on laptop. copied it to disc. opened it on pc, and copied it to desktop. i have come at the program 7 ways to sunday, including adding task in task manager. my pc will not run this program.
  • 0

#9
tower dog
Posted 15 February 2009 - 08:10 PM

tower dog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
it also seems my regedit and msconfig are now disabled

Edited by tower dog, 15 February 2009 - 08:12 PM.

  • 0

#10
Blade81
Posted 16 February 2009 - 03:25 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP

downloaded combofix on laptop. copied it to disc. opened it on pc, and copied it to desktop. i have come at the program 7 ways to sunday, including adding task in task manager. my pc will not run this program.

Any errors there? A little deeper description than just "my pc will not run this program." might help here :) Try rename ComboFix.exe file -> CombFxx.exe and then run it again.
  • 0

Advertisements

#11
tower dog
Posted 17 February 2009 - 07:23 PM

tower dog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
i click combofix on my desktop, it will trip my cursor to show processing for a second or two and nothing happens, nothing displays on my task manager. i right click the desktop icon, and run it every way i can, it wont run, doesnt register on task mgr. i 'new process' in task manager, it wont run. i run from the start menu, it wont run. i open file location in c:programs, and run it, it wont run. my comp wont touch it, other than to view properties and so on.
  • 0

#12
Blade81
Posted 18 February 2009 - 03:11 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi,

Did you try renaming ComboFix.exe file? Please delete present version of ComboFix.exe on your desktop and then follow instructions below.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
  • 0

#13
tower dog
Posted 19 February 2009 - 06:33 PM

tower dog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
ComboFix 09-02-18.01 - HP_Administrator 2009-02-19 18:06:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.628 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\crazybird.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\HP_Administrator\Favorites\Search Online.url
c:\documents and settings\HP_Administrator\Favorites\SMS TRAP.url
c:\documents and settings\HP_Administrator\Favorites\VIP Casino.url
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\default.htm
c:\windows\Dxoju.dll
c:\windows\Fonts\svchost.exe
c:\windows\IE4 Error Log.txt
c:\windows\ios.dat
c:\windows\jestertb.dll
c:\windows\system32\_proxy.dll
c:\windows\system32\adzgalore-remove.exe
c:\windows\system32\bnceoxoo.ini
c:\windows\system32\bversion.dll
c:\windows\system32\c.ico
c:\windows\system32\comsa32.sys
c:\windows\system32\digeste.dll
c:\windows\system32\drivers\UACwkornpyk.sys
c:\windows\system32\fccdbArp.dll
c:\windows\system32\fejokt.dll
c:\windows\system32\fhpatch.dll
c:\windows\system32\fiplock.dll
c:\windows\system32\hsfd83jfdg.dll
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\inf\xccdfb16_090131.dll
c:\windows\system32\inf\xccefb090131.scr
c:\windows\system32\IPHACTION.dll
c:\windows\system32\IPHOST.dll
c:\windows\system32\iphy.dll
c:\windows\system32\IpSvchostF.dll
c:\windows\system32\kernel32_check.dll
c:\windows\system32\m.ico
c:\windows\system32\m3.ico
c:\windows\system32\mt_32.dll
c:\windows\system32\NopAyJjl.ini
c:\windows\system32\NopAyJjl.ini2
c:\windows\system32\nvaux32.dll
c:\windows\system32\p.ico
c:\windows\system32\s.ico
c:\windows\system32\sf.ico
c:\windows\system32\tpszxyd.sys
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe
c:\windows\system32\UACafsxmlte.dat
c:\windows\system32\UACjyoaenqo.log
c:\windows\system32\UACmkvbwnab.dll
c:\windows\system32\UACppbesjka.dll
c:\windows\system32\UACrtqpkrod.dll
c:\windows\system32\UACuxdoldaf.dll
c:\windows\system32\UACuyfqvoiy.log
c:\windows\system32\UACvvvnwlfl.log
c:\windows\system32\VFPsAGgh.ini
c:\windows\system32\VFPsAGgh.ini2
c:\windows\system32\wini10251.exe
c:\windows\system32\xcchit32.ini
c:\windows\wiaserviv.log
c:\windows\wiaservv.log
c:\windows\xccdf16_090131a.dll
c:\windows\xccdf32_090131a.dll
c:\windows\xccwinsys.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_uacd.sys


((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-14 15:57 . 2009-02-14 15:57 <DIR> d-------- c:\program files\LanqiEngine
2009-02-14 15:57 . 2009-02-14 15:57 735,232 --a------ c:\windows\system32\AdvOcr.dll
2009-02-14 15:57 . 2009-02-14 15:57 94,208 --a------ c:\windows\system32\TRSOCR.dll
2009-02-14 15:57 . 2009-02-14 15:57 94,208 --a------ c:\windows\system32\TOCRdll.dll
2009-02-14 15:57 . 2009-02-14 15:57 95 --a------ c:\windows\TOCR.ini
2009-02-14 15:57 . 2009-02-14 15:57 95 --a------ c:\windows\system32\TRSOCR.ini
2009-02-14 15:53 . 2009-02-14 15:53 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-14 15:44 . 2009-02-14 15:57 32,137,216 --a------ c:\windows\system32\TRSOCR.dat
2009-02-14 15:06 . 2009-02-14 15:06 133,632 --a------ c:\windows\otowihepalamu.dll
2009-02-14 14:47 . 2009-02-14 14:47 10,240 --a------ c:\windows\system32\Packer.dll
2009-02-14 14:47 . 2009-02-14 14:47 1,536 --a------ c:\windows\system32\AUTMGR.EXE
2009-02-14 14:26 . 2009-02-18 23:52 5,189 --a------ c:\windows\system32\uacinit.dll
2009-02-14 14:24 . 2009-02-14 14:25 38,912 --a------ C:\dykhyp.exe
2009-02-14 14:24 . 2009-02-14 14:24 2 --a------ C:\152667771
2009-02-14 14:23 . 2009-02-19 18:09 <DIR> d-------- c:\windows\system32\inf
2009-02-14 14:23 . 2009-02-14 14:23 204,800 --a------ C:\ypuweg.exe
2009-02-14 14:23 . 2009-02-14 14:23 204,800 --a------ c:\windows\system32\azton.mt
2009-02-14 14:23 . 2009-02-14 14:23 155,156 --a------ c:\windows\system\xccef090131.exe
2009-02-14 14:23 . 2009-02-14 14:23 72,704 --a------ c:\windows\system32\bbafbgrt.dll
2009-02-14 14:23 . 2009-02-14 14:23 64,512 --a------ c:\windows\system32\wer3.pf
2009-02-14 14:23 . 2009-02-14 14:23 40,448 --a------ C:\cwxwwgtl.exe
2009-02-14 14:23 . 2009-02-14 14:23 32,768 --a------ c:\windows\system32\febbn.wa
2009-02-14 14:21 . 2009-02-14 14:22 302,592 --a------ c:\windows\system32\ljJyApoN.dll.vir
2009-02-14 14:16 . 2009-02-14 14:16 36,352 --a------ c:\windows\system32\cbXQJBuU.dll
2009-02-08 19:55 . 2009-02-08 19:55 <DIR> d-------- c:\program files\Visiosonic
2009-02-08 19:55 . 2009-02-08 19:55 <DIR> d-------- c:\program files\Submersible
2009-02-06 09:21 . 2009-02-06 09:21 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 22:50 . 2009-02-19 18:07 <DIR> d-------- c:\program files\Common
2009-01-31 11:21 . 2009-01-31 11:21 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\cogad
2009-01-27 13:20 . 2009-02-16 16:40 <DIR> d-------- C:\Video
2009-01-23 19:49 . 2009-01-23 19:49 <DIR> d--h----- c:\program files\Zero G Registry
2009-01-23 19:48 . 2009-01-23 19:48 <DIR> d--h----- c:\documents and settings\HP_Administrator\InstallAnywhere
2009-01-23 19:06 . 2009-01-23 19:06 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SoundTrek
2009-01-23 19:04 . 2009-01-23 19:14 <DIR> d-------- c:\windows\SoundTrek
2009-01-23 18:51 . 2009-01-23 18:52 <DIR> d-------- c:\windows\system32\Adobe
2009-01-23 07:47 . 2009-01-23 07:47 <DIR> d-------- c:\program files\MySpace

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-19 06:04 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HP
2009-02-16 04:34 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 02:06 --------- d-----w c:\program files\Yahoo! Games
2009-02-16 02:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-16 02:05 --------- d-----w c:\program files\Full Tilt Poker.Net
2009-02-14 19:03 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-02-11 08:30 --------- d-----w c:\program files\PDCPoker
2009-02-03 18:27 --------- d-----w c:\program files\Java
2009-01-23 04:21 --------- d-----w c:\program files\Xilisoft
2009-01-22 08:53 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\vlc
2009-01-16 13:40 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-01-15 18:55 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sahmon Games
2009-01-10 06:55 --------- d-----w c:\program files\Google
2009-01-09 23:06 --------- d-----w c:\program files\DivX
2009-01-08 17:30 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-08 17:28 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-03 03:57 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\U3
2008-12-29 02:34 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-29 02:12 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-29 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-29 00:04 --------- d-----w c:\program files\Oberon Media
2008-12-28 22:38 --------- d-----w c:\program files\Windows Live
2008-12-28 22:37 --------- d-----w c:\program files\Real
2008-12-28 22:17 --------- d-----w c:\program files\eGames
2008-12-28 22:15 --------- d-----w c:\program files\Yahoo!
2008-12-28 22:07 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo
2008-12-28 22:03 --------- d-----w c:\documents and settings\WESLEY\Application Data\Verizon
2008-12-28 22:03 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Verizon
2008-12-28 22:03 --------- d-----w c:\documents and settings\All Users\Application Data\Verizon
2008-12-28 21:59 --------- d-----w c:\program files\Common Files\SupportSoft
2008-12-28 21:58 --------- d-----w c:\program files\Common Files\Motive
2008-12-28 20:18 --------- d-----w c:\program files\Common Files\Real
2008-02-27 04:58 8,578 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2007-03-21 13:16 300,680 -c----w c:\documents and settings\All Users\Application Data\arclib.dll
2007-03-21 03:16 150 ----a-w c:\documents and settings\WESLEY\Application Data\wklnhst.dat
2008-10-10 13:55 44,032 --sha-w c:\windows\system32\Crypt_16.dll
.
file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 577536 bytes )
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

2009-02-14 14:23 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\termsrv.dll
2009-02-14 14:23 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\dllcache\termsrv.dll

2006-07-05 04:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 10:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2004-08-09 15:00 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB917422$\kernel32.dll
2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$NtUninstallKB935839$\kernel32.dll
2009-02-14 14:47 984576 be3941e1b96b5215127056e5107fbfc2 c:\windows\system32\kernel32.dll
2007-04-16 09:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-14 136600]
"Kqepejelapelep"="c:\windows\otowihepalamu.dll" [2009-02-14 133632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-06-06 10:04 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-09 15:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-22 18:29 39264 c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-21 01:12 133104 c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kqepejelapelep]
--a------ 2009-02-14 15:06 133632 c:\windows\otowihepalamu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-08-05 14:48 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\HP_Administrator\\My Documents\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19112:TCP"= 19112:TCP:BitComet 19112 TCP
"19112:UDP"= 19112:UDP:BitComet 19112 UDP

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-01-08 57376]
S1 1860e4a3;1860e4a3;c:\windows\system32\drivers\1860e4a3.sys --> c:\windows\system32\drivers\1860e4a3.sys [?]
S1 cd7a9fa;cd7a9fa;c:\windows\system32\drivers\cd7a9fa.sys [2008-10-10 0]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2009-01-08 377920]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-09-27 10664]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe --> c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-10 00:55]

2008-10-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-21 01:12]

2009-02-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hsfd83jfdg.dll
HKLM-Run-qdgnijbgaofzcq - c:\windows\system32\chuzvtnvhygsimne.dll
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hsfd83jfdg.dll
Notify-nnnnOFWM - nnnnOFWM.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-GetModule23 - c:\program files\GetModule\GetModule23.exe
MSConfigStartUp-GetPack22 - c:\program files\GetPack\GetPack22.exe
MSConfigStartUp-h9axno0mfc7eyypzvyho9 - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\vvqd5n7er.exe
MSConfigStartUp-jsf8uiw3jnjgffght - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\winlognn.exe
MSConfigStartUp-jv8gav6yanon05ryzbaumjw00j6qif9r275mdy9jj - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bpbk6g5tp4xdz.exe
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-n00ji2e5icz32w54w9rgks77j8bh7i63uy3gb9lqzhrtr - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\ot6poa0fpu.exe
MSConfigStartUp-qa3a62no9fpu4892qg3c476p2ayar56 - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\mzen8p5yb0vcd.exe
MSConfigStartUp-tezrtsjhfr84iusjfo84f - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-u9g9fq02xs8nizgt4tlzt1wynzwvk7oe8j589 - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\vx0lctgfmg4au.exe
MSConfigStartUp-us6iqcddjkj8rq8d3vpyy2ms9ng16o6sb6vnzrhicu - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\kku0r68df.exe
MSConfigStartUp-w0t72jr3zould841colgrrhreet - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\cwiplo8s76w7t.exe
MSConfigStartUp-w8ksazthgphvwaz897b39msx6ebbnsw2z7qhl7uh5 - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\hf4vpux0.exe
MSConfigStartUp-wqprste4k - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\eb5yykacbo6.exe
MSConfigStartUp-x2qjrdk9z4ca0k8avkspxn1987urqm3ivvo - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\zffcc1a5z8y3.exe
MSConfigStartUp-x5acw9lt4lhxat31egeamgnz91ovvdh5zd1bewq8u1k9xuc - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\gnktwyuamyvw.exe
MSConfigStartUp-xqlpsxhbd2b20xu7sutajk10idc9wu9myfld9g47kt - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\e1gvjlvbd4222.exe
MSConfigStartUp-yl5t46wjjcq03b3rcexzc6t6s3232ew437ltvd6mbuv2a8hxl - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\zfqv2k.exe
MSConfigStartUp-z2a5q2depfp - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\o8uldwi.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\enxah9ey.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - aol.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\program files\Google\Google Updater\2.4.1441.4352\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 18:17:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-02-19 18:21:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-20 00:20:37

Pre-Run: 38,234,243,072 bytes free
Post-Run: 39,083,704,320 bytes free

358 --- E O F --- 2009-01-30 04:10:27
  • 0

#14
tower dog
Posted 19 February 2009 - 08:21 PM

tower dog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
things seem to be running alot better. all bugs seem to have been irradicated. i replaced my internet explorer with ie8, and it runs fine, but my thumbnails on the explorer are missing. i tried a regedit fix i found online, but was unable to complete the process. i had a problem in the past on another computer with disappearing thumbnails on ie, but i cannot recall how i fixed it.
  • 0

#15
Blade81
Posted 20 February 2009 - 10:40 AM

Blade81

    Member

  • Member
  • PipPipPip
  • 722 posts
  • MVP
Hi,

Let's continue cleaning process. That thumbnail problem shall wait until little later.



Open notepad and copy/paste the text in the quotebox below into it:

Driver::
1860e4a3
cd7a9fa

File::
c:\windows\otowihepalamu.dll
c:\windows\system32\uacinit.dll
C:\dykhyp.exe
C:\152667771
C:\ypuweg.exe
c:\windows\system32\azton.mt
c:\windows\system\xccef090131.exe
c:\windows\system32\bbafbgrt.dll
c:\windows\system32\wer3.pf
C:\cwxwwgtl.exe
c:\windows\system32\febbn.wa
c:\windows\system32\ljJyApoN.dll.vir
c:\windows\system32\cbXQJBuU.dll
c:\windows\system32\Crypt_16.dll
c:\windows\system32\drivers\1860e4a3.sys
c:\windows\system32\drivers\cd7a9fa.sys

Folder::
c:\documents and settings\HP_Administrator\Application Data\cogad

DirLook::
c:\windows\system32\inf

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kqepejelapelep"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kqepejelapelep]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP