Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Windows counterfeting -hijackthis-problem

Started by falconme , Jan 05 2008 02:01 PM

  • This topic is locked This topic is locked
10 replies to this topic

#1 falconme

falconme

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 05 January 2008 - 02:01 PM

HI everybody,
I was asked to resubmit my problem in this forum, by a senior Whatthetech member.
The problem:
It all began when I was trying to empty some space in my hard disk. I was removing some programs in the control panel.
I noticed that I could not delete some applications. I had to do a system restore a couple of times but after a while the system would not allow me to go to any point beyond the previous day.
The deleted space was not being reflected in the C:/drive.
Each time I restarted the system, I would get a new error for a software application.

Ultimately I used Hijackthis s/w (I know I shud've consulted someone) and deleted all theentries it showed me.
This however stopped the error messages but created a new message "" You are using counterfeit windows software"

Now I keep getting weird pop-ups.

I have SPYBOT, SPYWARE BLASTER and SPYWARE GUARD apart from AVG ANtivirus.

I really require some assistance from all of you in setting right my laptop.

The deleted space is not being reflected in the C:/ drive.

Please help!!!!!!!


Here is the LOG FILE:::: (I had to backdate my sytem to save the log file since the SAS license had expired)
Logfile of HijackThis v1.99.1




Scan saved at 2:47:36 PM, on 11/5/2007




Platform: Windows XP SP2 (WinNT 5.01.2600)




MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)









Running processes:




C:\WINDOWS\System32\smss.exe




C:\WINDOWS\system32\winlogon.exe




C:\WINDOWS\system32\services.exe




C:\WINDOWS\system32\lsass.exe




C:\WINDOWS\system32\svchost.exe




C:\Program Files\Windows Defender\MsMpEng.exe




C:\WINDOWS\System32\svchost.exe




C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe




C:\WINDOWS\system32\LEXBCES.EXE




C:\WINDOWS\system32\spoolsv.exe




C:\WINDOWS\system32\LEXPPS.EXE




C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe




C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe




C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe




C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe


C:\WINDOWS\system32\svchost.exe




C:\WINDOWS\system32\WgaTray.exe




C:\WINDOWS\Explorer.EXE




C:\Program Files\Google\Google Updater\GoogleUpdater.exe




C:\Program Files\Internet Explorer\iexplore.exe




C:\Program Files\Internet Explorer\IEXPLORE.EXE




C:\Program Files\Yahoo!\Messenger\YPager.exe




C:\PROGRA~1\MOZILL~1\FIREFOX.EXE




C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe




C:\WINDOWS\system32\igfxext.exe




C:\WINDOWS\system32\igfxsrvc.exe




C:\WINDOWS\system32\SNDVOL32.EXE




C:\WINDOWS\system32\notepad.exe




C:\Program Files\SAS\SAS 9.1\sas.exe




C:\Program Files\Hijackthis\HijackThis.exe









R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoomail.com/


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-

784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0

\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-

5B79BFDFEA60} - C:\Program

Files\BitComet\tools\BitCometBHO_1.1.5.19.dll


O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-

96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll


O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} -

C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)


O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-

2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file

missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890}

- C:\WINDOWS\system32\dla\tfswshx.dll


O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-

CF10577473F7} - c:\program files\google\googletoolbar1.dll


O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-

CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {CE648D1C-7E55-485D-99A8-7FEFAF78F8C0} -

C:\WINDOWS\system32\urspq.dll


O2 - BHO: (no name) - {FA16FE06-B462-470E-9653-79C54B1871FF} -

C:\WINDOWS\system32\mljhfgf.dll


O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll


O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


O4 - Global Startup: Google Updater.lnk = C:\Program

Files\Google\Google Updater\GoogleUpdater.exe


O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll




O20 - Winlogon Notify: IntelWireless - C:\Program

Files\Intel\Wireless\Bin\LgNotify.dll


O20 - Winlogon Notify: mljhfgf - C:\WINDOWS\SYSTEM32\mljhfgf.dll




O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll




O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT,

s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe


O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe


O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. -

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe


O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe


O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11

\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc.

- C:\WINDOWS\system32\LEXBCES.EXE


O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


Thanks for your time and assistance.

    Advertisements

Register to Remove

#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 January 2008 - 05:45 PM

Hello and welcome to the forum. HijackThis creates a backup folder and you can restore what you removed unless you deleted that folder Please open Notepad and uncheck Word Wrap to turn it off. Scan again with HijackThis, and copy/paste" a new log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#3 falconme

falconme

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 05 January 2008 - 10:42 PM

Thanks LDTate for your reply. That is a huge relief.

Logfile of HijackThis v1.99.1
Scan saved at 11:40:27 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {CE648D1C-7E55-485D-99A8-7FEFAF78F8C0} - C:\WINDOWS\system32\urspq.dll
O2 - BHO: (no name) - {FA16FE06-B462-470E-9653-79C54B1871FF} - C:\WINDOWS\system32\mljhfgf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: mljhfgf - C:\WINDOWS\SYSTEM32\mljhfgf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 January 2008 - 06:22 AM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#5 falconme

falconme

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 06 January 2008 - 02:51 PM

Thanks for your response.
I noticed the free space on the hard disk which was not showing earlier.

COMBO log file:
ComboFix 08-01-04.1 - Enigma 2008-01-06 12:54:03.1 - NTFSx86
Running from: C:\Documents and Settings\Enigma\Local Settings\Temporary Internet Files\Content.IE5\PBZLVPNC\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qpsru.ini
C:\WINDOWS\system32\qpsru.ini2
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\urspq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_FOPN


((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 12:51 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 17:30 . 2008-01-05 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-31 10:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-30 21:03 . 2007-12-30 21:03 <DIR> d-------- C:\Program Files\CleanMyPC
2007-12-30 21:03 . 2007-12-30 23:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-30 20:48 . 2007-12-30 20:48 3,584 --a------ C:\WINDOWS\system32\urspq.exe
2007-12-30 13:05 . 2007-12-30 13:05 38,912 --a------ C:\WINDOWS\system32\yayywxy.dll
2007-12-30 13:05 . 2007-12-30 13:05 38,912 --a------ C:\WINDOWS\system32\qomjjij.dll
2007-12-30 13:05 . 2007-12-30 13:05 38,912 --a------ C:\WINDOWS\system32\mljhfgf.dll
2007-12-30 13:05 . 2007-12-30 13:05 38,912 --a------ C:\WINDOWS\system32\hggdaab.dll
2007-12-29 22:57 . 2007-12-29 23:00 <DIR> d-------- C:\Program Files\InterActual
2007-12-29 22:57 . 2003-11-11 10:44 333,600 --a------ C:\WINDOWS\system32\drivers\ctdvda2k.sys
2007-12-29 22:57 . 2003-07-14 16:49 122,880 --a------ C:\WINDOWS\system32\cddvdint.dll
2007-12-29 22:57 . 2003-11-11 10:43 77,824 --a------ C:\WINDOWS\system32\ctdvda32.dll
2007-12-29 22:51 . 2002-11-15 11:14 5 --a------ C:\WINDOWS\system32\drivers\DELL_INS_700M.MRK
2007-12-29 22:49 . 2003-03-06 14:02 666 --a------ C:\WINDOWS\speed.reg
2007-12-29 22:45 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2007-12-29 22:45 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2007-12-29 22:45 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2007-12-29 22:45 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2007-12-29 22:45 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2007-12-29 22:45 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-12-29 22:45 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2007-12-29 22:30 . 2007-12-29 22:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 22:30 . 2007-12-29 22:30 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 18:53 . 2007-12-29 18:53 <DIR> d-------- C:\Program Files\Dell Computer
2007-12-29 18:53 . 2007-12-29 18:53 <DIR> d-------- C:\Documents and Settings\Enigma\Application Data\Jasc Software Inc
2007-12-29 18:52 . 2007-12-29 18:52 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-29 18:50 . 2007-12-29 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-23 17:29 . 2007-12-23 17:29 <DIR> d-------- C:\Program Files\Dell Photo Printer 720
2007-12-23 17:29 . 2007-12-23 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell Photo Printer 720
2007-12-23 17:28 . 2008-01-06 12:24 376 --a------ C:\WINDOWS\dellstat.ini
2007-12-23 17:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-23 17:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 04:28 --------- d-----w C:\Documents and Settings\Enigma\Application Data\AVG7
2008-01-05 04:23 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-05 04:22 --------- d-----w C:\Program Files\SpywareGuard
2008-01-03 22:36 --------- d-----w C:\Program Files\Google
2007-12-31 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 18:27 --------- d-----w C:\Program Files\DellSupport
2007-12-30 18:13 --------- d-----w C:\Program Files\Windows Defender
2007-12-30 03:49 --------- d-----w C:\Program Files\Dell
2007-12-30 03:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-30 03:30 --------- d-----w C:\Program Files\QuickTime
2007-12-30 03:24 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-29 23:50 --------- d-----w C:\Program Files\Common Files\Corel
2007-12-29 23:50 --------- d-----w C:\Documents and Settings\Enigma\Application Data\Yahoo!
2007-12-29 23:10 --------- d-----w C:\Program Files\Common Files\Intuit
2007-11-30 01:06 --------- d-----w C:\Program Files\Common Files\Canon
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA16FE06-B462-470E-9653-79C54B1871FF}]
2007-12-30 13:05 38912 --a------ C:\WINDOWS\system32\mljhfgf.dll

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 17:30 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 13:52 34832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-02 17:30:36]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA16FE06-B462-470E-9653-79C54B1871FF}"= C:\WINDOWS\system32\mljhfgf.dll [2007-12-30 13:05 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhfgf]
mljhfgf.dll 2007-12-30 13:05 38912 C:\WINDOWS\system32\mljhfgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Enigma^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=C:\Documents and Settings\Enigma\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 02:02 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-02-23 14:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-09-06 12:39]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-09-06 12:39]
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2004-05-21 20:18]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-09-06 12:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 15:29:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 13:00:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 13:03:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 18:03:08
.
2008-01-03 22:41:09 --- E O F ---


HIJACKTHIS LOG:::
Logfile of HijackThis v1.99.1
Scan saved at 1:12:20 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FA16FE06-B462-470E-9653-79C54B1871FF} - C:\WINDOWS\system32\mljhfgf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: mljhfgf - C:\WINDOWS\SYSTEM32\mljhfgf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 January 2008 - 02:57 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\urspq.exe
C:\WINDOWS\system32\yayywxy.dll
C:\WINDOWS\system32\qomjjij.dll
C:\WINDOWS\system32\mljhfgf.dll
C:\WINDOWS\system32\hggdaab.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA16FE06-B462-470E-9653-79C54B1871FF}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA16FE06-B462-470E-9653-79C54B1871FF}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhfgf]


Save this as Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#7 falconme

falconme

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 06 January 2008 - 03:38 PM

Thanks for your prompt response.

I restarted the system after creating teh combo file and before windows loads, I am still getting teh same erroer message viz.
"This copy of WIndows is not genuine
You may be a victim of s/w counterfeiting. This copy of windows is not genuine and you are not eligible
to receive the full range of upgrades and product support from Microsoft.
Click Get Genuine now to get mor information"
There are 2 buttons: GET GENUINE or RESOLVE LATER.
Get Genuine takes me to the Microsoft webpage.


The HIJACK THIS LOG FILE
Logfile of HijackThis v1.99.1
Scan saved at 4:31:48 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe



COMBO LOGFILE

ComboFix 08-01-04.1 - Enigma 2007-11-06 16:21:56.2 - NTFSx86
Running from: C:\Documents and Settings\Enigma\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Enigma\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\hggdaab.dll
C:\WINDOWS\system32\mljhfgf.dll
C:\WINDOWS\system32\qomjjij.dll
C:\WINDOWS\system32\urspq.exe
C:\WINDOWS\system32\yayywxy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hggdaab.dll
C:\WINDOWS\system32\mljhfgf.dll
C:\WINDOWS\system32\qomjjij.dll
C:\WINDOWS\system32\urspq.exe
C:\WINDOWS\system32\yayywxy.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-06 12:51 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 17:30 . 2008-01-05 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-31 10:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-30 21:03 . 2007-12-30 21:03 <DIR> d-------- C:\Program Files\CleanMyPC
2007-12-30 21:03 . 2007-12-30 23:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 22:57 . 2007-12-29 23:00 <DIR> d-------- C:\Program Files\InterActual
2007-12-29 22:57 . 2003-11-11 10:44 333,600 --a------ C:\WINDOWS\system32\drivers\ctdvda2k.sys
2007-12-29 22:57 . 2003-07-14 16:49 122,880 --a------ C:\WINDOWS\system32\cddvdint.dll
2007-12-29 22:57 . 2003-11-11 10:43 77,824 --a------ C:\WINDOWS\system32\ctdvda32.dll
2007-12-29 22:51 . 2002-11-15 11:14 5 --a------ C:\WINDOWS\system32\drivers\DELL_INS_700M.MRK
2007-12-29 22:49 . 2003-03-06 14:02 666 --a------ C:\WINDOWS\speed.reg
2007-12-29 22:45 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2007-12-29 22:45 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2007-12-29 22:45 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2007-12-29 22:45 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2007-12-29 22:45 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2007-12-29 22:45 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-12-29 22:45 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2007-12-29 22:30 . 2007-12-29 22:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 22:30 . 2007-12-29 22:30 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 18:53 . 2007-12-29 18:53 <DIR> d-------- C:\Program Files\Dell Computer
2007-12-29 18:53 . 2007-12-29 18:53 <DIR> d-------- C:\Documents and Settings\Enigma\Application Data\Jasc Software Inc
2007-12-29 18:52 . 2007-12-29 18:52 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-29 18:50 . 2007-12-29 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-23 17:29 . 2007-12-23 17:29 <DIR> d-------- C:\Program Files\Dell Photo Printer 720
2007-12-23 17:29 . 2007-12-23 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell Photo Printer 720
2007-12-23 17:28 . 2008-01-06 12:24 376 --a------ C:\WINDOWS\dellstat.ini
2007-12-23 17:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-23 17:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 04:28 --------- d-----w C:\Documents and Settings\Enigma\Application Data\AVG7
2008-01-05 04:23 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-05 04:22 --------- d-----w C:\Program Files\SpywareGuard
2008-01-03 22:36 --------- d-----w C:\Program Files\Google
2007-12-31 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 18:27 --------- d-----w C:\Program Files\DellSupport
2007-12-30 18:13 --------- d-----w C:\Program Files\Windows Defender
2007-12-30 03:49 --------- d-----w C:\Program Files\Dell
2007-12-30 03:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-30 03:30 --------- d-----w C:\Program Files\QuickTime
2007-12-30 03:24 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-29 23:50 --------- d-----w C:\Program Files\Common Files\Corel
2007-12-29 23:50 --------- d-----w C:\Documents and Settings\Enigma\Application Data\Yahoo!
2007-12-29 23:10 --------- d-----w C:\Program Files\Common Files\Intuit
2007-12-09 22:02 4,912 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-30 01:06 --------- d-----w C:\Program Files\Common Files\Canon
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 06:13 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 06:13 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 06:13 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 06:13 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 06:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 06:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 06:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 06:13 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 06:13 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 06:13 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 06:13 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 06:13 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 11:16 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 17:30 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 13:52 34832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-02 17:30:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Enigma^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=C:\Documents and Settings\Enigma\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 02:02 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-02-23 14:45 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-09-06 12:39]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-09-06 12:39]
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2004-05-21 20:18]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-09-06 12:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 18:03:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 16:25:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 16:25:58
ComboFix-quarantined-files.txt 2008-01-04 21:25:42
ComboFix2.txt 2008-01-06 18:03:17
.
2008-01-03 22:41:09 --- E O F ---

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 January 2008 - 03:47 PM

Only one leftover

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a checkmark/tick in the box on the left side on these:

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"

I suggest you follow-up with that Microsoft webpage.

If it still says your OS isn't legit and you know it is, you should be able to call them free of charge.

That happened to me a couple times after running the updates.

After the above: Be sure to do this.

Good job :thumbup:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Posted Image


    Here's my usual all clean post

    Log looks good :D


    You need to create a new Clean restore point.

    Note: This will remove all previous Restore Points

    Click Start Menu > Run > copy and paste

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Check "Hide file extensions for known file types."
    Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
    Check "Hide protected operating system files."
    Click Apply, and then click OK.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
        [list=a]
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#9 falconme

falconme

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 06 January 2008 - 08:21 PM

Thanks for all your help. I appreciate it. The windows pop-up is still there. I am going to contact them for more information. Can I get back to this thread if I have more questions/issues?

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 January 2008 - 08:28 PM

I'll leave this open for a couple more days :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 16 January 2008 - 06:44 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·