
[Closed] Error messages when booting windows xp


2 replies to this topic

#1 Cathy2007 (New Member, 1 post)

Posted 26 November 2007 - 04:58 AM

When I boot into Windows XP I get the following messages:

windows cannot find "C:\windows\shell.exe"

error loading c:\windows\system32\j7211632.dll

windows cannot open this file
File: AUTORUN.EXE

windows cannot open this file
File: FINDFAST.OXE

Copy of Combofix log

ComboFix 07-11-19.4 - Cathy 2007-11-26 4:16:57.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.90 [GMT -6:00]
Running from: C:\Documents and Settings\Cathy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Anika\Application Data\macromedia\Flash Player\#SharedObjects\4ZSFJAEV\www.broadcaster.com
C:\Documents and Settings\Anika\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Anika\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Cathy\Application Data\DriveCleaner Free
C:\Documents and Settings\Cathy\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Cathy\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\Cathy\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Cathy\Desktop\Go to Casino.lnk
C:\Documents and Settings\Cathy\err.log
C:\Documents and Settings\Cathy\ResErrors.log
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Tiffany\Application Data\DriveCleaner Free
C:\Documents and Settings\Tiffany\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Tiffany\err.log
C:\Documents and Settings\Tiffany\ResErrors.log
C:\Documents and Settings\Tiffany\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Tiffany\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Program Files\Ultimate Cleaner
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\temp\tn3
C:\UGA6P
C:\WINDOWS\Casino.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mantec~1
C:\WINDOWS\mantec~1\?xplorer.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\crd.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\eaogqaps.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fbctqiak.dll
C:\WINDOWS\system32\fdpsvnio.dll
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\gkggpyba.dll
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\jhbaowdm.ini
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\kmdgegkw.ini
C:\WINDOWS\system32\kpycaqh.dll
C:\WINDOWS\system32\mdwoabhj.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\n8\ensts2dll.exe
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\pndmdfcs.ini
C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini2
C:\WINDOWS\system32\pstwa.tmp
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\sbgggcby.ini
C:\WINDOWS\system32\scfdmdnp.dll
C:\WINDOWS\system32\spaqgoae.ini
C:\WINDOWS\system32\spiolgcu.dll
C:\WINDOWS\system32\ucgloips.ini
C:\WINDOWS\system32\uibvydow.dll
C:\WINDOWS\system32\wkgegdmk.dll
C:\WINDOWS\system32\wodyvbiu.ini
C:\WINDOWS\system32\ybadd.bak1
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybcgggbs.dll
C:\WINDOWS\ystem~1
C:\WINDOWS\ystem~1\?ystem\
C:\WINDOWS\system32\drivers\gwqdgfyb.dat . . . . failed to delete
C:\WINDOWS\system32\drivers\htxoyega.dat . . . . failed to delete
C:\WINDOWS\system32\ntsdext.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\LEGACY_LWQOOZSW
-------\core
-------\DomainService
-------\lwqoozsw


((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-26 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-25 16:49 43,816 --a------ C:\WINDOWS\system32\drivers\fssfltr.sys
2007-11-25 16:41 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-11-25 16:40 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-25 16:27 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2007-11-25 16:23 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2007-11-25 16:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 16:06 <DIR> d-------- C:\Documents and Settings\Cathy\Application Data\SUPERAntiSpyware.com
2007-11-25 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-25 16:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 16:01 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-25 16:00 <DIR> d-------- C:\Program Files\Windows Live
2007-11-25 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-25 15:59 779,963 ---hs---- C:\WINDOWS\system32\ubpafxfc.ini
2007-11-25 15:59 86,080 --a------ C:\WINDOWS\system32\cfxfapbu.dll
2007-11-25 14:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 14:34 <DIR> d--hs---- C:\FOUND.038
2007-11-24 15:59 776,265 ---hs---- C:\WINDOWS\system32\guisusmt.ini
2007-11-24 15:07 <DIR> d--hs---- C:\FOUND.037
2007-11-24 15:01 414 ---hs---- C:\WINDOWS\system32\pfqxdmfp.ini
2007-11-23 13:22 9,728 --a------ C:\WINDOWS\system32\SPOOLVS.0XE
2007-11-23 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-23 13:05 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-11-23 13:05 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2007-11-23 13:04 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-23 13:04 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-23 13:04 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-11-23 13:04 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-11-23 13:04 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-23 13:03 <DIR> d-------- C:\Program Files\McAfee
2007-11-23 13:03 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-23 12:54 685,085 ---hs---- C:\WINDOWS\system32\xpjnovqy.ini
2007-11-23 12:54 86,080 --a------ C:\WINDOWS\system32\yqvonjpx.dll
2007-11-23 12:48 9,728 --a------ C:\WINDOWS\system32\PRINTER.0XE
2007-11-23 12:48 9,728 --------- C:\Program Files\xloader10181.exe
2007-11-23 12:37 <DIR> d--hs---- C:\FOUND.036
2007-11-22 07:47 <DIR> d-------- C:\Program Files\E404 Helper
2007-11-22 07:45 <DIR> d-------- C:\Documents and Settings\Cathy\Application Data\SpyGuardPro
2007-11-21 12:23 36,864 --a------ C:\WINDOWS\system32\gebyvur.dll
2007-11-21 12:21 36,864 --a------ C:\WINDOWS\system32\qomjkjh.dll
2007-11-21 12:21 36,864 --a------ C:\WINDOWS\system32\hgggdcb.dll
2007-11-21 12:18 <DIR> d-------- C:\Documents and Settings\Tiffany\Application Data\SpyGuardPro
2007-11-21 12:17 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-11-21 12:17 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-21 12:17 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-21 12:17 36,864 --a------ C:\WINDOWS\system32\pmnmnkj.dll
2007-11-21 12:17 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-21 12:16 <DIR> d-------- C:\WINDOWS\system32\cc1
2007-11-21 12:16 <DIR> d--hs---- C:\WINDOWS\Q2F0aHkg
2007-11-21 12:16 <DIR> d-------- C:\temp\abW9
2007-11-21 12:16 36,864 --a------ C:\WINDOWS\system32\pmnkkij.dll
2007-11-20 10:28 <DIR> d-------- C:\tmp_mcafee
2007-11-14 07:12 <DIR> d--hs---- C:\FOUND.035
2007-11-13 06:10 <DIR> d--hs---- C:\FOUND.034
2007-11-07 03:52 13,942 --a------ C:\WINDOWS\system32\iphone-012.ico
2007-11-07 03:49 13,942 --a------ C:\WINDOWS\system32\cruise-006.ico
2007-11-07 03:48 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2007-11-07 03:48 9,662 --a------ C:\WINDOWS\system32\alienware-005.ico
2007-11-02 18:32 <DIR> d-------- C:\Program Files\Investintech.com Inc
2007-11-02 18:23 <DIR> d-------- C:\Program Files\SimpleOCR
2007-10-30 21:55 <DIR> d--hs---- C:\FOUND.033
2007-10-30 08:26 <DIR> d-------- C:\Dell
2007-10-29 06:25 <DIR> d--hs---- C:\FOUND.032
2007-10-28 16:54 <DIR> d-------- C:\pebuilder3110a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 17:42 5,120 ----a-w C:\WINDOWS\system32\drivers\htxoyega.dat
2007-10-23 17:42 18,688 ----a-w C:\WINDOWS\system32\drivers\gwqdgfyb.dat
2007-10-18 17:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-05 13:43 1,514,700 --sh--w C:\WINDOWS\system32\acbeg.bak1
2007-10-03 23:15 1,516,607 --sh--w C:\WINDOWS\system32\wybeg.bak1
2007-09-29 19:37 --------- d-----w C:\Program Files\Corel
2007-09-29 19:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-09-29 19:04 --------- d-----w C:\Documents and Settings\Cathy\Application Data\Snapfish
2007-09-24 21:29 2,025,329 --sh--w C:\WINDOWS\system32\sstwa.bak1
2007-09-11 14:36 2,041,206 --sh--w C:\WINDOWS\system32\rtvwa.bak1
2007-09-01 04:06 1,915,754 --sh--w C:\WINDOWS\system32\llkkj.bak1
2006-12-13 01:13 266 ----a-w C:\Documents and Settings\Cody\Application Data\config.dat
2006-12-10 23:25 274 ----a-w C:\Documents and Settings\Courtney\Application Data\config.dat
2006-12-07 22:19 268 ----a-w C:\Documents and Settings\Anika\Application Data\config.dat
2006-12-07 22:16 272 ----a-w C:\Documents and Settings\Tiffany\Application Data\config.dat
2006-12-06 12:07 280 ----a-w C:\Documents and Settings\Cathy-daily\Application Data\config.dat
2007-06-20 13:26 1,841,088 --sh--w C:\WINDOWS\system32\xbeeg.bak1
2007-07-12 23:38 1,948,624 --sh--w C:\WINDOWS\system32\accdd.bak1
2007-07-24 12:36 1,797,732 --sh--w C:\WINDOWS\system32\tstwa.bak1
2007-08-02 22:24 1,758,111 --sh--w C:\WINDOWS\system32\hgjlm.bak1
2007-08-04 02:50 1,758,071 --sh--w C:\WINDOWS\system32\orqss.bak1
2007-08-15 22:44 1,714,195 --sh--w C:\WINDOWS\system32\ehhkj.bak1
2007-05-21 17:09 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{088A8F70-E027-4BB5-82C3-6D8604251DCE}]
C:\Program Files\Windows NT\vibyno4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]
2007-11-21 12:16 36864 --a------ C:\WINDOWS\system32\pmnkkij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f3ed5cd-0726-42a9-87f5-d13f3d2976ac}]
2007-10-17 13:53 57384 --a------ C:\Program Files\Windows Live\Family Safety\fssbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87A6A53F-B957-4683-BAA0-0EC179DA63CB}]
2004-08-04 05:00 107776 --a------ C:\WINDOWS\system32\ntsdext.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F08D7D92-B089-4697-81CC-BA7A349C7A0D}]
C:\Program Files\Windows NT\vibyno83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14]
"News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [2005-05-31 07:45]
"j7211632"="C:\WINDOWS\system32\j7211632.dll" []
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" [2005-07-18 09:51]
"F-Secure Startup Wizard"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.exe" [2005-10-18 03:29]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2005-10-25 20:51]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 15:06]
"320d18a1"="C:\WINDOWS\system32\cfxfapbu.dll" [2007-11-25 15:59]
"fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-10-17 13:53]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe" [2007-05-09 13:11]

C:\Documents and Settings\Tiffany\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-01-29 15:33:41]

C:\Documents and Settings\Cathy\Start Menu\Programs\Startup\
FINDFAST.0XE [2005-03-24 09:55:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CallCenter Printer Interface.lnk - C:\Program Files\V3CallCenter\V3faxecp.exe [2007-01-29 12:20:08]
VPN Client.lnk - C:\WINDOWS\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-07-11 19:29:02]
AUTORUN.0XE [2005-03-24 10:10:08]
Charter High-Speed Security Suite.lnk - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe [2007-05-21 10:24:25]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4A54500A-65FE-4F4A-B860-20EAE2F577F9}"= C:\WINDOWS\system32\pmnkkij.dll [2007-11-21 12:16 36864]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsp]
C:\WINDOWS\system32\awtsp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkkij]
pmnkkij.dll 2007-11-21 12:16 36864 C:\WINDOWS\system32\pmnkkij.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cathy^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Cathy\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
2006-01-19 09:46 110592 --a------ C:\Program Files\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
C:\Program Files\BearFlix\bearflix.exe /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 08:38 241664 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-18 12:55 49152 --a------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 10:46 172032 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
2002-10-14 15:09 57344 --a------ C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
2005-09-21 13:48 425984 --a------ C:\Program Files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
2005-05-11 18:15 45056 --a------ C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 20:24 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sosi42]
C:\WINDOWS\sosi42

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\system32\roytecxp.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\Documents and Settings\Tiffany\Local Settings\Temp\TICHD003.exe CHD003

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 lwqoozsw;lwqoozsw;C:\WINDOWS\system32\drivers\gwqdgfyb.dat
R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys
R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys
R2 fsssvc;Windows Live OneCare Family Safety;"C:\Program Files\Windows Live\Family Safety\fsssvc.exe"
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30b3456c-b4a6-11db-aba7-001558390c75}]
\Shell\AutoRun\command - F:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8024417e-e781-11db-abaf-001558390c75}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 10:19:18 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 04:37:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 4:40:42 - machine was rebooted
.
--- E O F ---


Copy of HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:33 AM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSLAUNCH.EXE
C:\Program Files\Trend Micro\HijackThis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {088A8F70-E027-4BB5-82C3-6D8604251DCE} - C:\Program Files\Windows NT\vibyno4444.dll (file missing)
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINDOWS\system32\pmnkkij.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6C4C2C88-4F63-499E-917A-E16E16A92629} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {87A6A53F-B957-4683-BAA0-0EC179DA63CB} - C:\WINDOWS\system32\ntsdext.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {F08D7D92-B089-4697-81CC-BA7A349C7A0D} - C:\Program Files\Windows NT\vibyno83122.dll (file missing)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [j7211632] rundll32 C:\WINDOWS\system32\j7211632.dll sook
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\cfxfapbu.dll",b
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: FINDFAST.0XE
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: AUTORUN.0XE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll (file missing)
O20 - Winlogon Notify: pmnkkij - C:\WINDOWS\SYSTEM32\pmnkkij.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe (file missing)
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

--
End of file - 9400 bytes
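A small log-triage helper, added here as an example and not part of this thread or of HijackThis/ComboFix, that applies the same heuristics a helper uses when reading a log like the one above: BHOs or toolbars registered with no name, entries whose file is missing, random-looking DLLs loaded from system32 through Winlogon Notify, a BHO or a rundll32 Run key, and startup items with a .0XE extension. The sample lines are constructed from the posted log; the stem-length threshold and the small allowlist of well-known DLL names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on lines from the HijackThis log posted above
# (a mix of legitimate entries and the Vundo-style ones a helper would single out).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {088A8F70-E027-4BB5-82C3-6D8604251DCE} - C:\Program Files\Windows NT\vibyno4444.dll (file missing)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINDOWS\system32\pmnkkij.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [j7211632] rundll32 C:\WINDOWS\system32\j7211632.dll sook
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\cfxfapbu.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: FINDFAST.0XE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll (file missing)
O20 - Winlogon Notify: pmnkkij - C:\WINDOWS\SYSTEM32\pmnkkij.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# First "X:\...\name.dll" path on a line; group 2 is the file stem without ".dll".
DLL_PATH = re.compile(r'([A-Za-z]:\\(?:[^"\r\n]*?\\)?([^\\"\r\n]+?)\.dll)\b', re.IGNORECASE)
IN_SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
# Heuristic (assumption): the dropped DLLs in this log all have short, all-lowercase
# letter/digit stems (pmnkkij, awtsp, cfxfapbu, j7211632), unlike vendor DLLs.
RANDOM_STEM = re.compile(r"^[a-z0-9]{5,12}$")
KNOWN_GOOD_STEMS = {"shell32", "rundll32", "ctfmon", "msxml3", "user32", "kernel32"}


def looks_random(stem: str) -> bool:
    """True for a short all-lowercase stem that is not a well-known Windows DLL name."""
    return stem not in KNOWN_GOOD_STEMS and RANDOM_STEM.fullmatch(stem) is not None


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a closer look (empty if none)."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0]  # "O2", "O4", "O20", ...

    if kind in {"O2", "O3"} and "(no name)" in line:
        reasons.append("BHO/toolbar registered without a name")
    if "(file missing)" in line:
        reasons.append("points at a file that no longer exists (leftover registration)")
    if kind == "O4" and re.search(r"\.0xe\b", line, re.IGNORECASE):
        reasons.append("startup item with a .0XE extension instead of .EXE")

    m = DLL_PATH.search(line)
    if m and IN_SYSTEM32.search(m.group(1)) and looks_random(m.group(2)):
        if kind in {"O2", "O20"}:
            reasons.append("random-looking DLL in system32 loaded as BHO / Winlogon Notify")
        elif kind == "O4" and "rundll32" in line.lower():
            reasons.append("Run key loads a random-looking system32 DLL via rundll32")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its list of reasons; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

On the sample above it flags seven of the twelve lines and leaves the Yahoo!, Java, NVIDIA, SUPERAntiSpyware and McAfee entries alone; it is a first-pass filter for a human reader, not a verdict.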



#2 Scotty (Authentic Member, 3,634 posts)

Posted 26 November 2007 - 09:29 AM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in your next reply.



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 Scotty (Authentic Member, 3,634 posts)

Posted 03 December 2007 - 05:00 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.