?trojan Installation



#16 InTrouble (Authentic Member, 43 posts)

Posted 16 May 2007 - 05:24 PM

shelf life,
The computer is running fine -- no problems on my end here.
I followed your instructions and here is what happened:
1) Suspicious File Packer found no problems (it actually said this immediately after I pasted in that line with the dll pathway), so there was no cab file formed (that I could see) to email to that address.
2) I ran ComboFix -- my computer restarted and created the log pasted below.
3) I ran VundoFix and it found no problems (no log to post).
I'm sorry my problem appears to be so complicated, but I appreciate you sticking it out with me!


ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\Paulgun\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dnfgdnf.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\install.log
C:\WINDOWS\start.exe
C:\WINDOWS\system32\drivers\rlacmakv.sys
C:\WINDOWS\system32\dnfgdnf.dll.bak" . . . . failed to delete


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_GWIEKGJR
-------\LEGACY_KDPJLUAC
-------\gwiekgjr
-------\kdpjluac
-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-16 14:01 684,567 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-05-16 14:01 147,729 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-05-16 13:57 587,264 --a------ C:\WINDOWS\SYSTEM32\awsetuyf.dll
2007-05-15 17:03 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-05-14 14:48 <DIR> d--hs---- C:\FOUND.017
2007-05-12 12:24 <DIR> d-------- C:\Program Files\Citrix
2007-05-07 07:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-07 07:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-07 07:18 <DIR> d-------- C:\DOCUME~1\Paulgun\APPLIC~1\SUPERAntiSpyware.com
2007-05-07 07:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-07 07:08 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-05-06 16:00 <DIR> d-------- C:\VundoFix Backups
2007-04-29 11:20 99,840 --a------ C:\WINDOWS\SYSTEM32\lswihykm.dll
2007-04-29 11:20 43,520 --a------ C:\WINDOWS\SYSTEM32\lixigsnp.dll
2007-04-29 11:20 125,440 --a------ C:\WINDOWS\SYSTEM32\fzlgloqo.dll
2007-04-29 09:32 66,048 --a------ C:\WINDOWS\SYSTEM32\bdqiqaaa.exe
2007-04-29 09:32 17,408 --a------ C:\WINDOWS\SYSTEM32\xikoayon.exe
2007-04-29 09:32 138,752 --a------ C:\WINDOWS\SYSTEM32\wlmfaaaa.exe
2007-04-29 09:32 11,264 --a------ C:\WINDOWS\SYSTEM\wmecst32.dll
2007-04-29 09:32 1,046 --a------ C:\WINDOWS\SYSTEM32\kyjtyvqk.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-23 04:56:22 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-02-23 04:56:22 118,784 ----a-w C:\WINDOWS\system32\pdfmona.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=E:\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-06-27 13:15]
"@"="" []
"Alogserv"="C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" [2001-09-27 06:01]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 01:52]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 01:52]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-09 01:32]
"WinampAgent"="E:\Program Files II\Winamp\winampa.exe" [2006-06-21 12:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 07:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2001-09-27 01:01]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 12:00]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 09:29]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-01 09:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UT Southwestern Medical Center VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UT Southwestern Medical Center VPN Client.lnk
backup=C:\WINDOWS\pss\UT Southwestern Medical Center VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vanderbilt University VUMC VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Vanderbilt University VUMC VPN Client.lnk
backup=C:\WINDOWS\pss\Vanderbilt University VUMC VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Paulgun^Start Menu^Programs^Startup^Skyscape smARTupdate.lnk]
path=C:\Documents and Settings\Paulgun\Start Menu\Programs\Startup\Skyscape smARTupdate.lnk
backup=C:\WINDOWS\pss\Skyscape smARTupdate.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Keeper]
C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SECURITY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rpcss RpcSs
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
kdpjluac



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070507-181126-503
O4 - HKCU\..\Run: [xqrufaaa] C:\WINDOWS\System32\xqrufaaa.exe
backup-20070507-181126-611
O2 - BHO: (no name) - {C2022590-0A91-42A4-A98C-19F8646617FB} - c:\windows\system32\dnfgdnf.dll
backup-20070507-181126-752
O20 - Winlogon Notify: zzddmjgz - C:\WINDOWS\SYSTEM32\dnfgdnf.dll
backup-20070506-170007-804
O4 - HKLM\..\Run: [xqrufaaa] C:\WINDOWS\System32\xqrufaaa.exe
backup-20050616-174725-229
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
backup-20050616-174726-963
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
backup-20050616-174725-863
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20050616-174725-865
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
backup-20050616-174725-655
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
backup-20050522-110535-786
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SECURITY.EXE
backup-20050522-105505-947
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SECURITY.EXE
backup-20050522-105505-727
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
backup-20050522-105505-154
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
backup-20050520-144551-767
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SVCHOST.EXE
backup-20050520-144551-547
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SECURITY.EXE
backup-20050519-150018-149
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SECURITY.EXE
backup-20050519-150018-140
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SVCHOST.EXE
backup-20050519-145839-154
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SVCHOST.EXE
backup-20050519-145839-868
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SECURITY.EXE
backup-20050518-192437-212
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
backup-20050518-192437-651
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://up1.interneti...x/PCAXSetup.cab?
backup-20050518-192436-862
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
backup-20050518-192436-126
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
backup-20050518-192435-437
O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} (WebClientInstall Class) - https://sw2kpacs01.s...ientInstall.cab
backup-20050518-192437-158
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup144.cab
backup-20050518-192433-946
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
backup-20050518-192435-916
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
backup-20050518-192434-692
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095739174916
backup-20050518-192434-258
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
backup-20050518-192432-768
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
backup-20050518-192432-747
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20050518-192432-188
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SVCHOST.EXE
backup-20050518-192432-793
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20050518-192432-264
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
backup-20050518-192432-271
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
backup-20050518-192432-602
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
backup-20050518-192432-357
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
backup-20050518-192432-825
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SECURITY.EXE
backup-20050516-161914-610
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
backup-20050516-161914-386
O4 - Global Startup: 289904.exe
backup-20050320-143618-925
O2 - BHO: (no name) - {5E6215EB-9FB8-414F-9DEB-0104D3BCCDEC} - C:\WINDOWS\System32\nida.dll (file missing)
backup-20050320-143618-658
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050320-143618-835
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050320-143618-625
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Paulgun\LOCALS~1\Temp\se.dll/sp.html
backup-20050320-143618-315
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050317-222935-366
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050317-222935-954
O18 - Filter: text/plain - {26372F4C-0EBF-4CC2-BBF6-F85947DEE766} - C:\WINDOWS\System32\nida.dll
backup-20050317-222935-524
O18 - Filter: text/html - {26372F4C-0EBF-4CC2-BBF6-F85947DEE766} - C:\WINDOWS\System32\nida.dll
backup-20050317-222935-264
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Paulgun\LOCALS~1\Temp\se.dll,DllInstall
backup-20050317-222935-244
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
backup-20050317-222935-782
O2 - BHO: (no name) - {AAD40D86-F882-4031-BB61-7BD11F3C311A} - C:\WINDOWS\System32\nida.dll
backup-20050317-222935-113
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
backup-20050317-222935-914
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
backup-20050317-222935-647
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050317-222935-356
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050317-222935-541
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050317-222935-146
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Paulgun\LOCALS~1\Temp\se.dll/sp.html
backup-20050317-222935-701
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Paulgun\LOCALS~1\Temp\se.dll/sp.html
backup-20041219-161839-615
O15 - Trusted IP range: 206.161.125.149
backup-20041219-161839-456
O15 - Trusted IP range: (HKLM)
backup-20041218-222031-475
O15 - Trusted Zone: *.mt-download.com
backup-20041218-222031-379
O15 - Trusted Zone: *.my-internet.info
backup-20041218-222031-151
O15 - Trusted Zone: *.scoobidoo.com
backup-20041218-222031-101
O15 - Trusted Zone: *.searchbarcash.com
backup-20041218-222031-984
O15 - Trusted Zone: *.searchmiracle.com
backup-20041218-222031-336
O15 - Trusted Zone: *.slotch.com
backup-20041218-222031-451
O15 - Trusted Zone: *.static.topconverting.com
backup-20041218-222031-872
O15 - Trusted Zone: *.05p.com (HKLM)
backup-20041218-222031-396
O15 - Trusted Zone: *.frame.crazywinnings.com
backup-20041218-222031-458
O15 - Trusted Zone: *.blazefind.com (HKLM)
backup-20041218-222031-180
O15 - Trusted Zone: *.clickspring.net (HKLM)
backup-20041218-222031-404
O15 - Trusted Zone: *.flingstone.com (HKLM)
backup-20041218-222031-466
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
backup-20041218-222031-750
O15 - Trusted Zone: *.mt-download.com (HKLM)
backup-20041218-222031-162
O15 - Trusted Zone: *.my-internet.info (HKLM)
backup-20041218-222031-597
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
backup-20041218-222031-779
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
backup-20041218-222031-968
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
backup-20041218-222031-868
O15 - Trusted Zone: *.slotch.com (HKLM)
backup-20041218-222031-667
O15 - Trusted Zone: *.flingstone.com
backup-20041218-222031-332
O15 - Trusted Zone: *.clickspring.net
backup-20041218-222031-891
O15 - Trusted Zone: *.blazefind.com
backup-20041218-222031-470
O15 - Trusted IP range: 206.161.125.149
backup-20041218-222031-375
O15 - Trusted Zone: *.05p.com
backup-20041218-222031-945
O4 - HKLM\..\RunOnce: [javawn32.exe] C:\WINDOWS\system32\javawn32.exe
backup-20041218-222031-421
O4 - HKLM\..\Run: [ipxt32.exe] C:\WINDOWS\system32\ipxt32.exe
backup-20041218-222031-403
O2 - BHO: (no name) - {9AA00624-7341-B480-F29F-F48388C6D50A} - C:\WINDOWS\system32\ipmd32.dll
backup-20041218-222031-831
O15 - Trusted IP range: 206.161.125.149 (HKLM)
backup-20041218-222031-648
R3 - Default URLSearchHook is missing
backup-20041218-222031-655
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bqjpv.dll/sp.html#12345
backup-20041218-222031-252
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bqjpv.dll/sp.html#12345
backup-20041218-222031-786
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqjpv.dll/sp.html#12345
backup-20041218-222031-963
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bqjpv.dll/sp.html#12345
backup-20041218-222031-149
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bqjpv.dll/sp.html#12345
backup-20041218-222031-754
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20041218-222031-443
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bqjpv.dll/sp.html#12345
backup-20041218-222031-325
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bqjpv.dll/sp.html#12345
backup-20041218-222031-218
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\ipbm.exe (file missing)
backup-20041218-222031-344
O15 - Trusted Zone: *.awmdabest.com (HKLM)
backup-20041218-222031-169
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
backup-20041218-222031-616
O15 - Trusted Zone: *.awmdabest.com
backup-20040829-234924-321
O4 - HKLM\..\RunOnce: [sysav32.exe] C:\WINDOWS\sysav32.exe
backup-20040829-234924-649
O4 - HKLM\..\Run: [SysA] C:\windows\system32\windnf32.exe
backup-20040829-234924-392
O2 - BHO: (no name) - {7174FA43-6EAE-0B62-2831-9FFAA3A3EAFE} - C:\WINDOWS\system32\sysop32.dll
backup-20040829-234924-655
R3 - Default URLSearchHook is missing
backup-20040829-234924-900
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ftpzt.dll/sp.html#29126
backup-20040829-234924-907
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ftpzt.dll/sp.html#29126
backup-20040829-234924-517
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftpzt.dll/sp.html#29126
backup-20040829-234924-318
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ftpzt.dll/sp.html#29126
backup-20040829-234924-229
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ftpzt.dll/sp.html#29126
backup-20040829-234924-414
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20040829-234924-505
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftpzt.dll/sp.html#29126
backup-20040829-234924-853
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ftpzt.dll/sp.html#29126
backup-20040829-122452-923
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...8a29296baabe1d6
backup-20040829-122452-652
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
backup-20040829-122452-769
O15 - Trusted Zone: *.searchmiracle.com
backup-20040829-122452-350
O15 - Trusted Zone: *.scoobidoo.com
backup-20040829-122452-578
O15 - Trusted Zone: *.my-internet.info
backup-20040829-122452-273
O15 - Trusted Zone: *.mt-download.com
backup-20040829-122452-937
O15 - Trusted Zone: *.clickspring.net
backup-20040829-122452-294
O15 - Trusted Zone: *.05p.com
backup-20040829-122452-604
O4 - HKCU\..\Run: [Kyuqjdy] C:\WINDOWS\System32\zrgzb.exe
backup-20040829-122452-174
O4 - HKCU\..\Run: [Csno] C:\Documents and Settings\Paulgun\Application Data\aeao.exe
backup-20040829-122452-650
O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe
backup-20040829-122452-913
O4 - HKLM\..\Run: [SysA] C:\windows\system32\windnf32.exe
backup-20040829-122452-956
O2 - BHO: (no name) - {66FE21E9-AAFF-8176-C0E2-D570E58BD83C} - C:\WINDOWS\winwd.dll
backup-20040829-122452-494
R3 - Default URLSearchHook is missing
backup-20040829-122452-825
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jsfcp.dll/sp.html#29126
backup-20040829-122452-626
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jsfcp.dll/sp.html#29126
backup-20040829-122452-359
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jsfcp.dll/sp.html#29126
backup-20040829-122452-536
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jsfcp.dll/sp.html#29126
backup-20040829-122452-722
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jsfcp.dll/sp.html#29126
backup-20040829-122452-655
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20040829-122452-875
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jsfcp.dll/sp.html#29126
backup-20040829-122452-223
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jsfcp.dll/sp.html#29126
backup-20040828-203531-225
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 17:10:30
Windows 5.1.2600 FAT

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-16 17:19:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-16 17:19


--- E O F ---



#17 InTrouble (Authentic Member, 43 posts)

Posted 16 May 2007 - 07:52 PM

One more quick 'dumb' question. After following your last set of instructions, an Internet Explorer icon (not a shortcut but actually the program icon) appeared on the desktop (which I do not want -- I just click on the miniature icon in the system tray at the bottom). Can I just delete the icon?

#18 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 17 May 2007 - 06:39 PM

Hi InTrouble,

"the computer is running fine -- no problems on my end here"

OK, good. The ComboFix log still shows some .dlls. It's possible to have dlls left without having any problems, though. What about SUPERAntiSpyware and AVG Anti-Spyware? Are they coming up clean?

Your question: yes, just delete the icon off of the desktop.

shelf life
How Can I Reduce My Risk?
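The leftover .dlls shelf life refers to are the entries in the "Files Created" section of the ComboFix log in post #16. The script below is an added example, not part of the original thread and not ComboFix's own code: it parses lines in that section's format and flags binaries dropped straight into the Windows system folders under a randomly generated name, then groups the hits by creation minute so that files written together by one dropper stand out. The name heuristic (a file stem of exactly eight lowercase letters) is an assumption tuned to the names in this particular log, and the sample input is copied from the log above.

```python
"""Triage helper for the 'Files Created' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix itself.
"""
import re
from collections import defaultdict

# One 'Files Created' entry, e.g.
# 2007-05-16 13:57 587,264 --a------ C:\WINDOWS\SYSTEM32\awsetuyf.dll
# Find3M lines (time with seconds, 7-char attributes) deliberately do not match.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# Folders where a freshly written, randomly named binary is suspicious.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system\\",
)
BINARY_EXT = ("dll", "exe", "sys")
# Assumed heuristic: eight lowercase letters and nothing else, the style of
# the Vundo-era component names in this log (awsetuyf, lswihykm, ...).
# Vendor files such as libeay32.dll (digits) or AvgAsCln.sys (mixed case) fail it.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")

# Sample input copied from the 'Files Created' section of the log in post #16.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))

2007-05-16 14:01 684,567 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-05-16 14:01 147,729 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-05-16 13:57 587,264 --a------ C:\WINDOWS\SYSTEM32\awsetuyf.dll
2007-05-15 17:03 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-05-14 14:48 <DIR> d--hs---- C:\FOUND.017
2007-05-07 07:08 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-05-06 16:00 <DIR> d-------- C:\VundoFix Backups
2007-04-29 11:20 99,840 --a------ C:\WINDOWS\SYSTEM32\lswihykm.dll
2007-04-29 11:20 43,520 --a------ C:\WINDOWS\SYSTEM32\lixigsnp.dll
2007-04-29 11:20 125,440 --a------ C:\WINDOWS\SYSTEM32\fzlgloqo.dll
2007-04-29 09:32 66,048 --a------ C:\WINDOWS\SYSTEM32\bdqiqaaa.exe
2007-04-29 09:32 17,408 --a------ C:\WINDOWS\SYSTEM32\xikoayon.exe
2007-04-29 09:32 138,752 --a------ C:\WINDOWS\SYSTEM32\wlmfaaaa.exe
2007-04-29 09:32 11,264 --a------ C:\WINDOWS\SYSTEM\wmecst32.dll
2007-04-29 09:32 1,046 --a------ C:\WINDOWS\SYSTEM32\kyjtyvqk.exe
"""


def parse_entry(line):
    """Parse one entry into a dict; return None for banners, blanks and
    lines from other sections of the log."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["is_dir"] = entry["size"] == "<DIR>"
    entry["size"] = 0 if entry["is_dir"] else int(entry["size"].replace(",", ""))
    return entry


def looks_dropped(entry):
    """True for a .dll/.exe/.sys in a Windows system folder whose stem
    matches the random-name heuristic above."""
    if entry["is_dir"]:
        return False
    folder, _, name = entry["path"].rpartition("\\")
    if folder.lower() + "\\" not in SYSTEM_DIRS:
        return False
    stem, dot, ext = name.rpartition(".")
    if dot != "." or ext.lower() not in BINARY_EXT:
        return False
    # Case-sensitive on purpose: mixed-case vendor names must not match.
    return RANDOM_STEM_RE.match(stem) is not None


def triage(log_text):
    """Return (flagged_paths, clusters): flagged paths in log order, and
    the (date, minute) keys at which two or more flagged files appeared,
    each mapped to the paths written in that minute."""
    flagged = []
    by_minute = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and looks_dropped(entry):
            flagged.append(entry["path"])
            by_minute[(entry["date"], entry["time"])].append(entry["path"])
    clusters = {k: v for k, v in by_minute.items() if len(v) >= 2}
    return flagged, clusters


if __name__ == "__main__":
    paths, groups = triage(SAMPLE_LOG)
    print("flagged:")
    for p in paths:
        print("  " + p)
    print("written together:")
    for (date, minute), members in sorted(groups.items()):
        print(f"  {date} {minute}: {len(members)} files")
```

Run against the sample it reports eight randomly named binaries and two creation minutes (2007-04-29 09:32 and 11:20) in which several of them were written at once; the 05-16 hit is a single file and is left out of the clusters.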

#19 InTrouble (Authentic Member, 43 posts)

Posted 18 May 2007 - 05:13 PM

shelf life, SUPERAntiSpyware and AVG Anti-Spyware appear to have come up clean (except the usual tracking cookies). So.... case closed? Thanks!

#20 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 19 May 2007 - 03:58 PM

Hi InTrouble,

"superantispyware and avg antispyware appear to have come up clean"

OK, good. But how about posting another ComboFix log for me.

shelf life
How Can I Reduce My Risk?

#21 InTrouble (Authentic Member, 43 posts)

Posted 20 May 2007 - 10:59 AM

As requested, here is my ComboFix log:

ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\Paulgun\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 ))))))))))))))))))))))))))))))))))


2007-05-16 17:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-16 14:01 684,567 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-05-16 14:01 147,729 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-05-16 13:57 587,264 --a------ C:\WINDOWS\SYSTEM32\awsetuyf.dll
2007-05-14 14:48 <DIR> d--hs---- C:\FOUND.017
2007-05-12 12:24 <DIR> d-------- C:\Program Files\Citrix
2007-05-07 07:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-07 07:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-07 07:18 <DIR> d-------- C:\DOCUME~1\Paulgun\APPLIC~1\SUPERAntiSpyware.com
2007-05-07 07:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-07 07:08 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-05-06 16:00 <DIR> d-------- C:\VundoFix Backups
2007-04-29 11:20 99,840 --a------ C:\WINDOWS\SYSTEM32\lswihykm.dll
2007-04-29 11:20 43,520 --a------ C:\WINDOWS\SYSTEM32\lixigsnp.dll
2007-04-29 11:20 125,440 --a------ C:\WINDOWS\SYSTEM32\fzlgloqo.dll
2007-04-29 09:32 66,048 --a------ C:\WINDOWS\SYSTEM32\bdqiqaaa.exe
2007-04-29 09:32 17,408 --a------ C:\WINDOWS\SYSTEM32\xikoayon.exe
2007-04-29 09:32 138,752 --a------ C:\WINDOWS\SYSTEM32\wlmfaaaa.exe
2007-04-29 09:32 11,264 --a------ C:\WINDOWS\SYSTEM\wmecst32.dll
2007-04-29 09:32 1,046 --a------ C:\WINDOWS\SYSTEM32\kyjtyvqk.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-23 04:56:22 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-02-23 04:56:22 118,784 ----a-w C:\WINDOWS\system32\pdfmona.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=E:\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-06-27 13:15]
"@"="" []
"Alogserv"="C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe" [2001-09-27 06:01]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 01:52]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 01:52]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-09 01:32]
"WinampAgent"="E:\Program Files II\Winamp\winampa.exe" [2006-06-21 12:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 07:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2001-09-27 01:01]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 12:00]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 09:29]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-01 09:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UT Southwestern Medical Center VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UT Southwestern Medical Center VPN Client.lnk
backup=C:\WINDOWS\pss\UT Southwestern Medical Center VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Vanderbilt University VUMC VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Vanderbilt University VUMC VPN Client.lnk
backup=C:\WINDOWS\pss\Vanderbilt University VUMC VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Paulgun^Start Menu^Programs^Startup^Skyscape smARTupdate.lnk]
path=C:\Documents and Settings\Paulgun\Start Menu\Programs\Startup\Skyscape smARTupdate.lnk
backup=C:\WINDOWS\pss\Skyscape smARTupdate.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Keeper]
C:\WINDOWS\System32\Services\{841438A6-84BD-451D-8453-97BDDC7F1404}\SECURITY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rpcss RpcSs
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
kdpjluac



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-20 11:47:15
Windows 5.1.2600 FAT

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-20 11:50:07 - machine was rebooted
C:\ComboFix2.txt ... 2007-05-16 17:27
C:\ComboFix-quarantined-files.txt ... 2007-05-20 11:50


--- E O F ---
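
Two things a helper does by eye when reading a dump like the one above are decoding the `hex(2):` registry values (the `tscuninstall` line is a REG_EXPAND_SZ written out as bytes, split across two lines with a trailing backslash) and checking who sits in the svchost groups, where the lone `kdpjluac` under `*netsvcs*` is the kind of eight-letter machine-generated name the Vundo-era droppers used. The script below is an added example for this thread, not ComboFix's own code. `SAMPLE_LOG` is constructed from lines of the dump; the randomness heuristic is mine and is deliberately conservative.

```python
r"""Triage helpers for a ComboFix-style registry dump (added example, not ComboFix code).

1. decode .reg-style hex(2)/hex(7) values (REG_EXPAND_SZ / REG_MULTI_SZ), printed as
   comma-separated bytes with a trailing backslash continuing the line;
2. list svchost group membership and flag members whose names look machine generated.
SAMPLE_LOG is constructed from lines of the dump above.
"""
import re

SAMPLE_LOG = r'''
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rpcss RpcSs
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
kdpjluac
'''

VOWELS = set('aeiou')


def join_continued_lines(text):
    """Undo the backslash-newline continuation used in .reg exports."""
    return re.sub(r'\\\r?\n\s*', '', text)


def decode_reg_hex(value):
    """Decode 'hex(2):..' to a str or 'hex(7):..' to a list of str.

    regedit writes these types as UTF-16LE bytes; the dump above writes single
    bytes. Treat the data as UTF-16LE only when every odd byte is zero."""
    m = re.match(r'hex\((\d+)\):(.*)$', join_continued_lines(value).strip(), re.S)
    if not m:
        raise ValueError('not a hex(n) value: %r' % value)
    kind = int(m.group(1))
    raw = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode('utf-16-le')
    else:
        text = raw.decode('latin-1')
    parts = [p for p in text.split('\x00') if p]
    return parts if kind == 7 else (parts[0] if parts else '')


def decode_values(text):
    """Return {name: decoded} for every '"name"=hex(n):..' value in the dump."""
    out = {}
    for line in join_continued_lines(text).splitlines():
        m = re.match(r'^"([^"]+)"=(hex\(\d+\):.*)$', line)
        if m:
            out[m.group(1)] = decode_reg_hex(m.group(2))
    return out


def svchost_groups(text):
    """Return {group: [members]}. The bracketed svchost key lists 'Group m1 m2..'
    per line; the '*netsvcs*' block lists one member per line. A blank line ends
    either block."""
    groups, mode, current = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            mode, current = None, None
            continue
        m = re.match(r'^\[?HKEY_LOCAL_MACHINE\\.*\\svchost\]?(?:\s+\*(\w+)\*)?$', line, re.I)
        if m:
            if m.group(1):
                mode, current = 'list', m.group(1)
                groups.setdefault(current, [])
            else:
                mode, current = 'inline', None
            continue
        if mode == 'inline':
            group, *members = line.split()
            groups.setdefault(group, []).extend(members)
        elif mode == 'list':
            groups[current].append(line)
    return groups


def looks_generated(name):
    """Heuristic for Vundo-style random names: exactly eight lowercase letters and
    (at most one vowel, or five consonants in a row, or a letter repeated three
    times). 'upnphost', 'schannel' and 'dnscache' pass. Caveats: the pronounceable
    'xikoayon' from the KillBox list is missed, and abbreviation names such as
    'termsvcs' are hit, so a hit is a prompt to look the name up, not a verdict."""
    stem = re.split(r'[\\/]', name.lower())[-1].rsplit('.', 1)[0]
    if not re.fullmatch(r'[a-z]{8}', stem):
        return False
    vowels = sum(c in VOWELS for c in stem)
    longest_run = max((len(r) for r in re.findall(r'[^aeiou]+', stem)), default=0)
    triple = re.search(r'(.)\1\1', stem) is not None
    return vowels <= 1 or longest_run >= 5 or triple


def suspicious_members(groups):
    """(group, member) pairs whose member name looks generated."""
    return [(g, m) for g, members in groups.items() for m in members if looks_generated(m)]


if __name__ == '__main__':
    print(decode_values(SAMPLE_LOG))
    print(suspicious_members(svchost_groups(SAMPLE_LOG)))
```

Run against the constructed sample it decodes `tscuninstall` to `%systemroot%\system32\tscupgrd.exe` (a normal Terminal Services upgrade entry) and flags only `kdpjluac` in `netsvcs`. The group listing alone is the stronger signal: a member nobody installed, in the group svchost.exe loads as a DLL, is worth attention whatever its name looks like.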

#22 InTrouble (Authentic Member, 43 posts)

Posted 20 May 2007 - 11:39 AM

actually there may be a problem? the last 2 times i have restarted my computer (once with combofix, and then once again after my last post), upon restarting a frame titled "spywareguard browser protection alert" came up:
"an attempt to change IE settings has been detected."
"warning your IE search page has been changed!"
"Your IE current user search page has been changed from
<none>
to
http://www.microsoft.com/isapi/redir.dll?prd=iear=iesearch"
"what would you like to do? restore old value or keep new value"
without choosing anything, i opened IE and my homepage was still cnn.com, and i then typed up this post. now i'll click on "restore old value", but since this has happened on the last 2 restarts, is this a problem?
thanks

#23 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 20 May 2007 - 05:15 PM

hi InTrouble,

ok thanks for the info, forgot to ask for another hjt log last time.
that search page warning must be the IE default search page, maybe because you don't have one selected? why it would just start alerting you now, I don't know. I'm not familiar with SpywareGuard.

look, you are way behind on windows updates and service packs. these updates patch vulnerabilities in the OS and browser. you have a bucket trying to hold water but have a few holes in the bucket. do this first though:
-------------------------------------------------
Download Pocket KillBox from here:

http://www.atribune....ads/KillBox.exe

check the options: Replace on Reboot AND use dummy

copy paste this line into the field Full Path of File to Delete:

C:\WINDOWS\SYSTEM32\lswihykm.dll

then click the button with a white X on red background

When asked if you would like to Reboot, select No.


Once again, in Full Path of File to Delete, copy and paste the following one at a time, clicking the red X, then no to the reboot prompts:

C:\WINDOWS\SYSTEM32\fzlgloqo.dll
C:\WINDOWS\SYSTEM32\bdqiqaaa.exe
C:\WINDOWS\SYSTEM32\xikoayon.exe
C:\WINDOWS\SYSTEM32\wlmfaaaa.exe
C:\WINDOWS\SYSTEM\wmecst32.dll
C:\WINDOWS\SYSTEM32\kyjtyvqk.exe

when you've copy/pasted the last file on the list

Press the button with a red circle and a white X.
When asked to Reboot, select Yes this time

your computer will reboot-
-------------------------
rescan and post a new hjt log please. let's make sure all is good and we make new restore points before you go to windows updates.

shelf life
How Can I Reduce My Risk?
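
The "Replace on Reboot" option in the steps above defers the delete until the next boot, because the DLLs are loaded into running processes and cannot be removed while Windows is up. The standard Windows mechanism for a deferred file operation is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a source/destination pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; Session Manager replays those pairs at boot before the files can be loaded again. The script below is an added example for this thread, not KillBox code: that KillBox uses exactly this call, and how it builds its "dummy" replacement file, are assumptions here, while the value format is the documented one. The point of it is the `review` step, which a practitioner can run before rebooting to see whether anything other than the seven files listed has been queued. `KILLBOX_TARGETS` are the paths from the post; the `example_*` pair is constructed.

```python
r"""Reading PendingFileRenameOperations before the reboot (added example, not KillBox code).

Value format (REG_MULTI_SZ, flat list, consumed in pairs):
  '\??\C:\path\to\src', ''                      -> delete src at boot
  '\??\C:\path\to\src', '\??\C:\path\to\dst'    -> move src to dst at boot
  '\??\C:\path\to\src', '!\??\C:\path\to\dst'   -> move, replacing dst if present
KILLBOX_TARGETS are the files named in the post; example_* names are constructed.
"""

NT_PREFIX = '\\??\\'   # object-manager prefix on every path stored in the value
REPLACE = '!'          # '!' on the destination == MOVEFILE_REPLACE_EXISTING

KILLBOX_TARGETS = [
    r'C:\WINDOWS\SYSTEM32\lswihykm.dll',
    r'C:\WINDOWS\SYSTEM32\fzlgloqo.dll',
    r'C:\WINDOWS\SYSTEM32\bdqiqaaa.exe',
    r'C:\WINDOWS\SYSTEM32\xikoayon.exe',
    r'C:\WINDOWS\SYSTEM32\wlmfaaaa.exe',
    r'C:\WINDOWS\SYSTEM\wmecst32.dll',
    r'C:\WINDOWS\SYSTEM32\kyjtyvqk.exe',
]


def queue_delete(pending, path):
    """Delete-on-reboot: source path, empty destination."""
    pending.extend([NT_PREFIX + path, ''])
    return pending


def queue_replace(pending, src, dst):
    """Move src over dst on reboot, replacing dst if it exists (the 'dummy' idea)."""
    pending.extend([NT_PREFIX + src, REPLACE + NT_PREFIX + dst])
    return pending


def _strip(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(pending):
    """Turn the flat REG_MULTI_SZ list into a list of operations.
    An odd-length list is malformed; report it rather than guessing."""
    if len(pending) % 2:
        raise ValueError('PendingFileRenameOperations must be source/destination pairs')
    ops = []
    for src, dst in zip(pending[0::2], pending[1::2]):
        if dst == '':
            ops.append({'op': 'delete', 'src': _strip(src)})
            continue
        replace = dst.startswith(REPLACE)
        ops.append({'op': 'replace' if replace else 'move',
                    'src': _strip(src),
                    'dst': _strip(dst[len(REPLACE):] if replace else dst)})
    return ops


def review(pending, expected_targets):
    """Queued operations whose source is not one of the files the helper asked to
    remove. Anything here was queued by something else (an installer, another tool,
    or the malware re-staging a component) and should be looked at before rebooting."""
    expected = {p.lower() for p in expected_targets}
    return [op for op in parse_pending(pending) if op['src'].lower() not in expected]


def build_sample():
    """The queue the steps above would leave if each file were simply queued for
    deletion (the 'use dummy' variant is one replace pair per file instead), plus one
    constructed unexpected pair to show what review() reports."""
    pending = []
    for target in KILLBOX_TARGETS:
        queue_delete(pending, target)
    queue_replace(pending, r'C:\WINDOWS\TEMP\example_staged.dll',
                  r'C:\WINDOWS\system32\example_target.dll')
    return pending


if __name__ == '__main__':
    for op in review(build_sample(), KILLBOX_TARGETS):
        print('unexpected:', op)
```

On a real machine the list comes out of the registry (Sysinternals PendMoves shows the same value decoded); the logic above is what to do with it. A delayed delete only works if nothing re-creates the file first, which is why the post follows the reboot with a fresh HijackThis scan rather than assuming the files are gone.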

#24 InTrouble (Authentic Member, 43 posts)

Posted 21 May 2007 - 03:42 PM

shelf life,
i followed your instructions -- here is the hjt log after the scan and reboot:

Logfile of HijackThis v1.99.1
Scan saved at 4:36:38 PM, on 5/21/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
E:\Program Files II\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\SpywareGuard\sgmain.exe
C:\Program Files\AIM6\aolsoftware.exe
E:\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack This\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.swmed.edu:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files II\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = E:\SpywareGuard\sgmain.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O8 - Extra context menu item: Download All Files by HiDownload - E:\PROGRA~1\HIDOWN~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - E:\PROGRA~1\HIDOWN~1\HIDOWN~1\HDGet.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - E:\PROGRA~1\HIDOWN~1\HIDOWN~1\hidownload.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} (WebClientInstall Class) - https://sw2kpacs01.s...ientInstall.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#25 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 21 May 2007 - 04:13 PM

hi InTrouble,

ok good. log looks ok, antimalware scanners come up clean. i would say it's time to make new restore points, then hit windows updates. you've never updated before, can't pass "the genuine windows test"? the download will be massive, as will the installation. hope you have broadband.

to make new restore points:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.


---------------------------------------------------

you might want to read up on it first:

Windows XP service pack 1
http://www.winsupers...sp1_preview.asp

Service pack 2
http://www.microsoft...p2/default.mspx
http://www.winsupers...ndowsxp_sp2.asp

shelf life
How Can I Reduce My Risk?
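
The "log looks ok" verdict above was reached by eye. The script below is an added example for this thread (HijackThis itself produces no such output) showing the mechanical first pass a helper makes before calling an HJT log clean: orphaned `(no file)` entries, O23 services with no publisher, a configured proxy, anything loading in the winlogon context, and modules loading from outside Program Files / Windows. `SAMPLE_HJT` is constructed from lines of the log in the previous post. Every finding is a prompt to verify, not a verdict: here `E:\SpywareGuard` is the user's own install on a second drive, and the orphaned Yahoo! Toolbar hook is leftover registry, not infection.

```python
r"""Mechanical first pass over a HijackThis 1.99 log (added example; not HJT output).

SAMPLE_HJT is constructed from lines of the log above. A finding means 'look at
this', not 'this is malicious'.
"""
import re

SAMPLE_HJT = r'''
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.swmed.edu:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
'''

# Where legitimately installed software is expected to live on this XP box.
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\windows\\')


def parse_hjt(text):
    """Split 'XN - body' lines into {'type': 'O23', 'body': '...'} records."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^([RFNO]\d+) - (.*)$', line.strip())
        if m:
            entries.append({'type': m.group(1), 'body': m.group(2)})
    return entries


def module_path(body):
    """First drive-letter path in the line, or None. Paths may themselves contain
    ' - ' (C:\Program Files\Spybot - Search & Destroy\...), so never split on the
    HJT field separator to find them."""
    m = re.search(r'[A-Za-z]:\\.*$', body)
    return m.group(0).strip() if m else None


def triage(entries):
    """Return findings as {'type', 'note', 'body'}; one entry may yield several."""
    findings = []
    for e in entries:
        kind, body = e['type'], e['body']
        notes = []
        if '(no file)' in body:
            notes.append('orphaned entry: points at a file that is gone; fix it, but it is not infection')
        if kind == 'R1' and 'ProxyServer' in body:
            notes.append('proxy configured: confirm it is expected (VPN/campus), not a traffic hijack')
        if kind == 'O20':
            notes.append('loads inside winlogon: verify publisher and file hash')
        if kind == 'O23' and ' - Unknown owner - ' in body:
            notes.append('service with no publisher info: check the binary on disk')
        path = module_path(body)
        if path and not path.lower().startswith(TRUSTED_ROOTS):
            notes.append('loads from outside Program Files / Windows: confirm it is a known install')
        findings.extend({'type': kind, 'note': n, 'body': body} for n in notes)
    return findings


if __name__ == '__main__':
    for f in triage(parse_hjt(SAMPLE_HJT)):
        print(f['type'], '-', f['note'])
        print('   ', f['body'])
```

On the sample this yields five prompts (R1 proxy, R3 orphan, the E: drive BHO, the winlogon notify DLL, and the McShield service with no owner string) and nothing on the four remaining lines. That matches the reasoning in the post: each prompt resolves to known, user-installed software, so the log is clean even though it is not empty of findings.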
