hijacked internet, can't load virus software, spybot runs very slow



janegard
2007-05-14, 05:26
Hello, thanks in advance for assistance. I am struggling with my laptop. I did run Spybot last week and found many issues. I then tried to load Norton Internet Security, and of course they told me it was incompatible with Spybot.
I deleted Spybot, but still can't load Norton. I am working on my desktop to try to resolve the issues on the laptop. I can occasionally access the internet on the laptop. I do have a program that consistently pops up -- telling me my computer is infected and recommending a fix. I believe the fix being recommended is "win.antispyware.com". It is very persistent. I ran "fixwareout" and will post the report. I also ran HijackThis. I was unable to run a virus scan. And it is difficult to run Spybot -- it takes forever -- it stumbled at "bacaimi" and "comload". I was unable to find "spybot" while in "safe mode". I can access it in regular Windows but it runs very slowly.
Thanks, Jane. The HijackThis and Fixwareout reports are below.

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:33:38 PM, on 5/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\repair\cmsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\retadpu11.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\CROSOF~1\tracert.exe
C:\Documents and Settings\Jane Gardner\Application Data\?racle\n?lookup.exe
C:\Documents and Settings\Jane Gardner\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jane Gardner\Application Data\Mozilla\Profiles\default\vcp9pfnw.slt\prefs.js)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C048DE-A025-4606-A2F6-95F5A4BE7B09} - C:\WINDOWS\System32\geecy.dll
O2 - BHO: (no name) - {383260CD-F6C2-4D3A-B623-0ADABF67FCDE} - C:\WINDOWS\System32\gebxvwu.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {47E6FE33-14A2-3251-A34B-6EE33991FEE9} - C:\WINDOWS\System32\mwvkffc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55AA2B30-C7FE-41E9-B911-87D03CD465Bb} - C:\WINDOWS\System32\cumajyjo.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {6233D703-03D1-4928-8EA4-CE7E1120087a} - C:\WINDOWS\System32\cumajyjo.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {b96688f0-5816-41fe-94d0-fba5c8dfa36c} - C:\WINDOWS\system32\kbdbrd.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\System32\tmp10.tmp.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\System32\opnmjhe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [RunAppBk] C:\Documents and Settings\Jane Gardner\tjAgent.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] C:\WINDOWS\gsvpm.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [gdmvidll] C:\WINDOWS\System32\dschkmos.exe
O4 - HKLM\..\Run: [inlodcxs] C:\WINDOWS\System32\iocndtl.exe
O4 - HKLM\..\Run: [selcnlm] C:\WINDOWS\System32\mseacx.exe
O4 - HKLM\..\Run: [mesjmvce] C:\WINDOWS\System32\adllsmmp.exe
O4 - HKLM\..\Run: [plmcsys2] clikjcfq.exe
O4 - HKLM\..\Run: [flxplamis] C:\WINDOWS\System32\iedledcs.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\hajksnvb.dll",realset
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\RunServices: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179025185128
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179025162936
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://admission.udayton.edu/virtour/svideo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: gebxvwu - C:\WINDOWS\SYSTEM32\gebxvwu.dll
O20 - Winlogon Notify: geecy - C:\WINDOWS\System32\geecy.dll
O20 - Winlogon Notify: kbdbrd - C:\WINDOWS\SYSTEM32\kbdbrd.dll
O20 - Winlogon Notify: opnmjhe - C:\WINDOWS\SYSTEM32\opnmjhe.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: yaywxur - C:\WINDOWS\SYSTEM32\yaywxur.dll
O21 - SSODL: CDRecorder036 - {A3BC5E20-0235-1ABF-9CE1-00AA00512036} - C:\WINDOWS\System32\hndi32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: COM+ System Client (ComSysCnt) - Unknown owner - C:\WINDOWS\repair\cmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Print Spooler Service (iatiyibgz0a) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Here is my "fixwareout" report:
Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

Shaba
2007-05-15, 16:35
Hi janegard

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

janegard
2007-05-16, 04:47
Thanks for your assistance. I think I would like to go ahead and try to clean the machine if possible. What is the Trojan that you have identified?
Thanks so much for your help.
Jane

Shaba
2007-05-16, 13:09
Hi

Well, for example, this -> O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe is a downloader which replaces your legit files with malware.

Bots and backdoors:

O4 - HKLM\..\Run: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [RunAppBk] C:\Documents and Settings\Jane Gardner\tjAgent.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] C:\WINDOWS\gsvpm.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [gdmvidll] C:\WINDOWS\System32\dschkmos.exe
O4 - HKLM\..\Run: [inlodcxs] C:\WINDOWS\System32\iocndtl.exe
O4 - HKLM\..\Run: [selcnlm] C:\WINDOWS\System32\mseacx.exe
O4 - HKLM\..\Run: [mesjmvce] C:\WINDOWS\System32\adllsmmp.exe
O4 - HKLM\..\Run: [plmcsys2] clikjcfq.exe
O4 - HKLM\..\Run: [flxplamis] C:\WINDOWS\System32\iedledcs.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: CDRecorder036 - {A3BC5E20-0235-1ABF-9CE1-00AA00512036} - C:\WINDOWS\System32\hndi32.dll (file missing)
O23 - Service: COM+ System Client (ComSysCnt) - Unknown owner - C:\WINDOWS\repair\cmsvc.exe
O23 - Service: Print Spooler Service (iatiyibgz0a) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe

Still want to clean this machine?

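Shaba's triage above rests on cues visible in the log lines themselves: a service with no vendor, a binary in an odd directory or with no path at all, a name one letter away from a real system process, the same file registered under several autostart keys. The script below is an added example, not Shaba's or the forum's tool: it encodes those cues as checks over excerpts of the two HijackThis logs posted in this thread (5/13 and the 5/23 one further down) and then lists which flagged autostart entries the later log still carries. The tag names, the name-similarity threshold and the list of system process names are assumptions of this example.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Constructed excerpts: lines copied from the two HijackThis logs posted in this thread
# (5/13 and 5/23); the 5/23 copy in the thread stops at O8, so its excerpt has only O4 lines.
LOG_MAY13 = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [RunAppBk] C:\Documents and Settings\Jane Gardner\tjAgent.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] C:\WINDOWS\gsvpm.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\hajksnvb.dll",realset
O4 - HKLM\..\RunServices: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O20 - Winlogon Notify: gebxvwu - C:\WINDOWS\SYSTEM32\gebxvwu.dll
O23 - Service: COM+ System Client (ComSysCnt) - Unknown owner - C:\WINDOWS\repair\cmsvc.exe
O23 - Service: Print Spooler Service (iatiyibgz0a) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
"""
LOG_MAY23 = r"""
O4 - HKLM\..\Run: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [RunAppBk] C:\Documents and Settings\Jane Gardner\tjAgent.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] C:\WINDOWS\gsvpm.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\hajksnvb.dll",realset
O4 - HKLM\..\RunServices: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
"""
ENTRY_RE = {
    "O4": re.compile(r"^O4 - (?P<loc>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$"),
}
# Core XP processes that malware names itself after (lsasss.exe next to the real lsass.exe).
SYSTEM_PROCS = ["lsass.exe", "csrss.exe", "svchost.exe", "services.exe", "smss.exe", "winlogon.exe"]

def binary_of(cmd):
    """Image file an autostart command really loads (for rundll32 hosts, the DLL)."""
    cmd = cmd.replace("(file missing)", "").strip()
    m = re.match(r'^rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.I)
    if m:
        return m.group(1).strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.(?:exe|dll|ocx|bat))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def parse(log):
    """Autostart sections of a HijackThis log as dicts; lines of other types are skipped."""
    entries = []
    for line in log.strip().splitlines():
        for section, rx in ENTRY_RE.items():
            m = rx.match(line.strip())
            if m:
                e = {"section": section, **m.groupdict()}
                e["binary"] = binary_of(e["cmd"])
                e["key"] = f"{section} {e.get('loc', '')} [{e['name']}]".replace("  ", " ")
                entries.append(e)
                break
    return entries

def assess(e):
    """Per-entry indicators: each tag is one reason a helper would look twice at the line."""
    reasons, low = [], e["binary"].lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\" not in low:
        reasons.append("bare-filename")     # resolved via the search path, not a fixed path
    if low.startswith(("c:\\windows\\repair\\", "c:\\documents and settings\\")):
        reasons.append("odd-location")      # %WINDIR%\repair or a user profile
    elif low.startswith("c:\\windows\\") and "\\" not in low[len("c:\\windows\\"):]:
        reasons.append("windir-root")       # loose executable directly in C:\WINDOWS
    if re.match(r"rundll32", e["cmd"], re.I):
        reasons.append("rundll32-host")     # the Run value is only a loader; inspect the DLL
    if e["section"] == "O20":
        reasons.append("winlogon-notify")   # HijackThis hides the stock XP Notify packages
    if e.get("owner", "").lower() == "unknown owner":
        reasons.append("unknown-owner")     # service binary carries no vendor string
    for legit in SYSTEM_PROCS:
        if base != legit and SequenceMatcher(None, base, legit).ratio() >= 0.9:
            reasons.append(f"mimics:{legit}")
    return reasons

def triage(log):
    """Map entry key -> reasons for every autostart entry that earned at least one."""
    entries = parse(log)
    # One binary under several autostart keys (Run + RunServices + a service) is a
    # persistence pattern on its own, so that indicator is scored across the whole log.
    seen = Counter(e["binary"].lower() for e in entries)
    out = {}
    for e in entries:
        reasons = assess(e) + (["multi-persistence"] if seen[e["binary"].lower()] > 1 else [])
        if reasons:
            out[e["key"]] = reasons
    return out

def survivors(before, after):
    """Flagged entries of the earlier log that the later log still lists."""
    later = {e["key"] for e in parse(after)}
    return sorted(k for k in triage(before) if k in later)
```

Running `survivors(LOG_MAY13, LOG_MAY23)` shows that every flagged O4 entry is still registered after VundoFix, which only targeted the Vundo DLLs; that is the gap the SDFix step in the next instructions is meant to close.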
janegard
2007-05-17, 01:22
Hello,
I think I would like to proceed with cleaning the machine if that is ok with you.
thanks,
Jane

Shaba
2007-05-17, 05:28
Hi

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.



Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

Post:

- a fresh HijackThis log
- vundofix report
- sdfix report
- findawf report

tashi
2007-05-23, 07:40
Due to lack of a response, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.

tashi
2007-05-24, 07:18
Re-opened upon request. :)

Shaba
2007-05-24, 10:33
Hi janegard

Just follow instructions in my previous post and post back corresponding logs, please :)

janegard
2007-05-24, 20:58
Hello Shaba,
Thanks for taking me back -- sorry for my delay!!
Here is the VundoFix report:

VundoFix V6.3.23

Checking Java version...

Scan started at 8:40:00 AM 5/17/2007

Listing files found while scanning....

C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\bvnskjah.ini
C:\WINDOWS\system32\cirocvga.dll
C:\WINDOWS\system32\efrgxwbb.dll
C:\WINDOWS\System32\gebxvwu.dll
C:\WINDOWS\System32\geecy.dll
C:\WINDOWS\system32\gvclwbxo.ini
C:\WINDOWS\system32\hajksnvb.dll
C:\WINDOWS\system32\hcoyhmwg.dll
C:\WINDOWS\system32\hxtscabx.dll
C:\WINDOWS\system32\iiffefe.dll
C:\WINDOWS\system32\iifgdbb.dll
C:\WINDOWS\system32\jwbahqrb.dll
C:\WINDOWS\system32\kbdbrd.dll
C:\WINDOWS\system32\kfxltoyu.dll
C:\WINDOWS\system32\ljsnustl.dll
C:\WINDOWS\system32\lkrycpjd.dll
C:\WINDOWS\system32\nnnopoo.dll
C:\WINDOWS\system32\nvnkpjvw.dll
C:\WINDOWS\system32\opnkkjj.dll
C:\WINDOWS\system32\opnmjhe.dll
C:\WINDOWS\system32\oxbwlcvg.dll
C:\WINDOWS\system32\rorwjfah.dll
C:\WINDOWS\system32\rqoonll.dll
C:\WINDOWS\system32\rqrsrpq.dll
C:\WINDOWS\system32\ssqrrqr.dll
C:\WINDOWS\System32\tmp10.tmp.dll
C:\WINDOWS\System32\tmp1F.tmp.dll
C:\WINDOWS\System32\tmp2.tmp.dll
C:\WINDOWS\System32\tmp8.tmp.dll
C:\WINDOWS\system32\tuvtqnn.dll
C:\WINDOWS\system32\udwjehho.dll
C:\WINDOWS\system32\xbacstxh.ini
C:\WINDOWS\system32\xgrqewxb.dll
C:\WINDOWS\system32\yaywxur.dll
C:\WINDOWS\System32\yceeg.bak1
C:\WINDOWS\System32\yceeg.bak2
C:\WINDOWS\System32\yceeg.ini
C:\WINDOWS\System32\yceeg.ini2
C:\WINDOWS\System32\yceeg.tmp
C:\WINDOWS\system32\yweyjhxc.dll

Beginning removal...

Attempting to delete C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\Program Files\VSAdd-in\VSAdd-in.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\bvnskjah.ini
C:\WINDOWS\system32\bvnskjah.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cirocvga.dll
C:\WINDOWS\system32\cirocvga.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efrgxwbb.dll
C:\WINDOWS\system32\efrgxwbb.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\gebxvwu.dll
C:\WINDOWS\System32\gebxvwu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\geecy.dll
C:\WINDOWS\System32\geecy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\gvclwbxo.ini
C:\WINDOWS\system32\gvclwbxo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hajksnvb.dll
C:\WINDOWS\system32\hajksnvb.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\hcoyhmwg.dll
C:\WINDOWS\system32\hcoyhmwg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hxtscabx.dll
C:\WINDOWS\system32\hxtscabx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiffefe.dll
C:\WINDOWS\system32\iiffefe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgdbb.dll
C:\WINDOWS\system32\iifgdbb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jwbahqrb.dll
C:\WINDOWS\system32\jwbahqrb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kbdbrd.dll
C:\WINDOWS\system32\kbdbrd.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\kfxltoyu.dll
C:\WINDOWS\system32\kfxltoyu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljsnustl.dll
C:\WINDOWS\system32\ljsnustl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lkrycpjd.dll
C:\WINDOWS\system32\lkrycpjd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnopoo.dll
C:\WINDOWS\system32\nnnopoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nvnkpjvw.dll
C:\WINDOWS\system32\nvnkpjvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnkkjj.dll
C:\WINDOWS\system32\opnkkjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmjhe.dll
C:\WINDOWS\system32\opnmjhe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\oxbwlcvg.dll
C:\WINDOWS\system32\oxbwlcvg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rorwjfah.dll
C:\WINDOWS\system32\rorwjfah.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqoonll.dll
C:\WINDOWS\system32\rqoonll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrsrpq.dll
C:\WINDOWS\system32\rqrsrpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrrqr.dll
C:\WINDOWS\system32\ssqrrqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\tmp10.tmp.dll
C:\WINDOWS\System32\tmp10.tmp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\tmp1F.tmp.dll
C:\WINDOWS\System32\tmp1F.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\tmp2.tmp.dll
C:\WINDOWS\System32\tmp2.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\tmp8.tmp.dll
C:\WINDOWS\System32\tmp8.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvtqnn.dll
C:\WINDOWS\system32\tuvtqnn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\udwjehho.dll
C:\WINDOWS\system32\udwjehho.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xbacstxh.ini
C:\WINDOWS\system32\xbacstxh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xgrqewxb.dll
C:\WINDOWS\system32\xgrqewxb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaywxur.dll
C:\WINDOWS\system32\yaywxur.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\yceeg.bak1
C:\WINDOWS\System32\yceeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\yceeg.bak2
C:\WINDOWS\System32\yceeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\yceeg.ini
C:\WINDOWS\System32\yceeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\yceeg.ini2
C:\WINDOWS\System32\yceeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\yceeg.tmp
C:\WINDOWS\System32\yceeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\yweyjhxc.dll
C:\WINDOWS\system32\yweyjhxc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Scan started at 9:06:14 AM 5/17/2007

Listing files found while scanning....


VundoFix V6.3.23

Checking Java version...

Scan started at 9:20:14 AM 5/17/2007

Listing files found while scanning....

C:\WINDOWS\system32\bvnskjah.ini
C:\WINDOWS\system32\gebxvwu.dll
C:\WINDOWS\System32\geecy.dll
C:\WINDOWS\system32\hajksnvb.dll
C:\WINDOWS\system32\kbdbrd.dll
C:\WINDOWS\system32\opnmjhe.dll
C:\WINDOWS\system32\yaywxur.dll
C:\WINDOWS\System32\yceeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bvnskjah.ini
C:\WINDOWS\system32\bvnskjah.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxvwu.dll
C:\WINDOWS\system32\gebxvwu.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\geecy.dll
C:\WINDOWS\System32\geecy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hajksnvb.dll
C:\WINDOWS\system32\hajksnvb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kbdbrd.dll
C:\WINDOWS\system32\kbdbrd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmjhe.dll
C:\WINDOWS\system32\opnmjhe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaywxur.dll
C:\WINDOWS\system32\yaywxur.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\yceeg.ini
C:\WINDOWS\System32\yceeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Scan started at 9:36:09 AM 5/17/2007

Listing files found while scanning....

No infected files were found.

**********
I couldn't find Report.txt in the SDFix folder. I did run SDFix with some difficulty.

*************
Here is the awf report:

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


*************
Here is a HijackThis log as of May 23:


Logfile of HijackThis v1.99.1
Scan saved at 11:23:28 PM, on 5/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\repair\cmsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svsnt.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\retadpu11.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\CROSOF~1\tracert.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\Documents and Settings\Jane Gardner\Application Data\?racle\n?lookup.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jane Gardner\Application Data\Mozilla\Profiles\default\vcp9pfnw.slt\prefs.js)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47E6FE33-14A2-3251-A34B-6EE33991FEE9} - C:\WINDOWS\System32\mwvkffc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {55AA2B30-C7FE-41E9-B911-87D03CD465Bb} - C:\WINDOWS\System32\cumajyjo.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {6233D703-03D1-4928-8EA4-CE7E1120087a} - C:\WINDOWS\System32\cumajyjo.dll
O2 - BHO: (no name) - {785B071F-3303-410A-A936-0DA6FF1608E3} - C:\WINDOWS\System32\geecy.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {b96688f0-5816-41fe-94d0-fba5c8dfa36c} - C:\WINDOWS\system32\kbdbrd.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [RunAppBk] C:\Documents and Settings\Jane Gardner\tjAgent.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] C:\WINDOWS\gsvpm.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [gdmvidll] C:\WINDOWS\System32\dschkmos.exe
O4 - HKLM\..\Run: [inlodcxs] C:\WINDOWS\System32\iocndtl.exe
O4 - HKLM\..\Run: [selcnlm] C:\WINDOWS\System32\mseacx.exe
O4 - HKLM\..\Run: [mesjmvce] C:\WINDOWS\System32\adllsmmp.exe
O4 - HKLM\..\Run: [plmcsys2] clikjcfq.exe
O4 - HKLM\..\Run: [flxplamis] C:\WINDOWS\System32\iedledcs.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\System32\hajksnvb.dll",realset
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\RunServices: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179025185128
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179025162936
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://admission.udayton.edu/virtour/svideo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: CDRecorder036 - {A3BC5E20-0235-1ABF-9CE1-00AA00512036} - C:\WINDOWS\System32\hndi32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: COM+ System Client (ComSysCnt) - Unknown owner - C:\WINDOWS\repair\cmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Print Spooler Service (iatiyibgz0a) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Some notes:
When I turn my computer on and log into Windows I get this message:

Rundll
Error Loading C:\Windown\System32\hajksnvb.dll
Specified module could not be found

Shaba
2007-05-25, 08:16
Hi

How about the sdfix report? :)

Also, vundofix has been updated.

Please delete the old version, download the new one and run a scan with it :)

janegard
2007-05-30, 20:18
Hello Shaba,
I am trying to run the sdfix program without success.
When it starts up I get this message:

sdfix
c:\Program^1\Symantec\s32evnt1.dll.
An installable virtual device driver failed Dll initialization.
Choose "close" to terminate the application.

Then I chose "Close".

Now it says:
Starting repairs:
Checking running processes, services, and files...
Please be patient as this may take up to 10 minutes

That was 20 minutes ago.

This is the same problem I had last time I tried to run it, and then I couldn't find a file that was the report txt.

What do you suggest??

Thanks,
Jane

Shaba
2007-05-31, 08:25
Hi

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

janegard
2007-05-31, 18:11
Hello,
Here is the combofix log:

"Jane Gardner" - 2007-05-31 8:18:36 Service Pack 1
ComboFix 07-05.27.BV - Running from: "E:\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\arfmshge.dll
C:\WINDOWS\system32\crioffat.dll
C:\WINDOWS\system32\cumajyjo.dll
C:\WINDOWS\system32\dlxgmlqf.dll
C:\WINDOWS\system32\dxyjtdpb.dll
C:\WINDOWS\system32\fxdmxpoh.dll
C:\WINDOWS\system32\gjotvonu.dll
C:\WINDOWS\system32\joljwqli.dll
C:\WINDOWS\system32\kcxnxglh.dll
C:\WINDOWS\system32\oelxagmh.dll
C:\WINDOWS\system32\xnnlmtsq.dll
C:\WINDOWS\system32\yhgoxwvv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1275OinAdmin.exe"
"C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe"
"C:\WINDOWS\retadpu11.exe"
"C:\WINDOWS\system32\wnsinticomsv32.exe"
"C:\66299569.exe"
"C:\WINDOWS\764.exe"
"C:\WINDOWS\system32\max1d1641.exe"
"C:\WINDOWS\system32\tmp10.tmp.dll"
"C:\WINDOWS\system32\tmp7.tmp.dll"
"C:\WINDOWS\system32\tmpB.tmp.dll"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\wpcjmd.log"
"C:\WINDOWS\system32\lsasss.exe"
"C:\WINDOWS\system32\tcpipmon.exe"
"C:\Program Files\outerinfo"
"C:\Program Files\vsadd-in"
"C:\WINDOWS\system32\rpcc.dll"
"C:\WINDOWS\system32\kprof" . . . . failed to delete
"C:\WINDOWS\system32\koos.exe" . . . . failed to delete
"C:\WINDOWS\system32\poof" . . . . failed to delete

-- Purity Folders:

C:\Program Files\CROSOF~1
C:\DOCUME~1\JANEGA~1\APPLIC~1\RACLE~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_POOF


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 ))))))))))))))))))))))))))))))))))


2007-05-17 08:40 <DIR> d-------- C:\VundoFix Backups
2007-05-13 17:28 31,232 --a------ C:\WINDOWS\system32\2854952ld.exe
2007-05-13 00:10 60,928 --a------ C:\WINDOWS\system32\mwvkffc.dll
2007-05-12 23:01 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-05-12 23:01 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-05-12 23:01 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-12 23:01 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-05-12 23:00 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-05-12 23:00 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-12 22:59 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-05-12 10:25 <DIR> d-------- C:\WINDOWS\bak
2007-05-12 10:25 <DIR> d-------- C:\Documents and Settings\Jane Gardner\bak
2007-05-12 10:25 <DIR> d-------- C:\DOCUME~1\JANEGA~1\bak
2007-05-11 09:43 <DIR> d-------- C:\Program Files\Symantec
2007-05-09 12:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-17 15:37 75,412 --a------ C:\WINDOWS\brertberg.exe
2007-04-17 14:50 72,337 --a------ C:\WINDOWS\rrthgfdsfgre.exe
2007-04-17 14:15 15,360 --a------ C:\WINDOWS\system32\dsbshell32.dll
2007-04-14 18:53 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-14 18:53 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-12 22:11 74,102 --a------ C:\WINDOWS\fregtregrehge.exe
2007-04-12 11:02 76,352 --a------ C:\WINDOWS\utyttyhrgrgre.exe
2007-04-12 10:42 72,337 --a------ C:\WINDOWS\mjhygtvnyhbtgv.exe
2007-04-10 15:08 8,704 --a------ C:\WINDOWS\system32\osuafcw.sys
2007-04-10 15:08 <DIR> d-------- C:\zx
2007-04-10 14:45 48,128 --a------ C:\kfdem.exe
2007-04-03 10:59 8,432 --a------ C:\aulr.exe
2007-04-03 10:59 107,520 -rahs---- C:\WINDOWS\system32\spoolsmc.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-17 16:57:17 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-13 03:01:45 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-12 14:25:22 -------- d-----w C:\Program Files\QuickTime
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\rsbmsc.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\mseacx.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\iocndtl.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\iedledcs.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\hphmon05.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\dschkmos.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\adllsmmp.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\gsvpm.exe
2007-04-18 00:06:51 -------- d-----w C:\Program Files\America Online 9.0b
2007-04-17 23:28:15 -------- d-----w C:\Program Files\iTunes
2007-04-17 23:08:22 -------- d-----w C:\Program Files\Google
2007-03-26 04:48:03 7,200 ----a-w C:\xwiuirgd.exe
2007-03-25 23:08:16 9,728 ----a-w C:\WINDOWS\vxddsk.exe
2007-03-25 23:08:16 16,896 ----a-w C:\WINDOWS\system32\vxddsk.exe
2007-03-25 23:08:15 29,696 ----a-w C:\WINDOWS\system32\wml.exe
2007-03-25 23:08:14 29,440 ----a-w C:\WINDOWS\satmat.exe
2007-03-25 23:08:14 21,760 ----a-w C:\WINDOWS\wml.exe
2007-03-25 23:08:14 13,312 ----a-w C:\WINDOWS\SUSP.exe
2007-03-25 23:08:13 9,728 ----a-w C:\WINDOWS\Biprep.exe
2007-03-25 23:08:12 25,600 ----a-w C:\WINDOWS\7search.dll
2007-03-25 23:08:12 22,016 ----a-w C:\WINDOWS\bi.dll
2007-03-25 23:08:11 31,488 ----a-w C:\WINDOWS\flt.dll
2007-03-25 23:08:10 30,720 ----a-w C:\WINDOWS\pbar.dll
2007-03-25 23:08:08 32,512 ----a-w C:\WINDOWS\stcloader.exe
2007-03-25 23:08:07 28,928 ----a-w C:\WINDOWS\voiceip.dll
2007-03-25 23:08:06 29,440 ----a-w C:\WINDOWS\bokja.exe
2007-03-25 23:08:06 15,360 ----a-w C:\WINDOWS\swin32.dll
2007-03-25 23:08:06 12,288 ----a-w C:\WINDOWS\cdsm32.dll
2007-03-25 23:08:05 29,184 ----a-w C:\WINDOWS\mssvr.exe
2007-03-25 23:08:04 26,368 ----a-w C:\WINDOWS\mspphe.dll
2007-03-25 23:08:03 11,520 ----a-w C:\WINDOWS\bjam.dll
2007-03-25 23:08:01 26,624 ----a-w C:\WINDOWS\system32\WER8274.DLL
2007-03-25 23:08:01 24,576 ----a-w C:\WINDOWS\system32\MSIXU.DLL
2007-03-25 23:08:00 11,520 ----a-w C:\WINDOWS\180ax.exe
2007-03-25 23:07:59 8,448 ----a-w C:\WINDOWS\salm.exe
2007-03-25 23:07:59 15,872 ----a-w C:\WINDOWS\saiemod.dll
2007-03-25 23:07:59 12,544 ----a-w C:\WINDOWS\updatetc.exe
2007-03-25 22:51:43 12 ----a-w C:\WINDOWS\system32\gtv_sd.bin
2007-03-25 22:51:39 78,340 ----a-w C:\WINDOWS\system32\msdtc_32.exe
2007-03-25 22:51:37 9,216 ----a-w C:\jppvil.exe
2007-03-16 00:43:11 48,128 ----a-w C:\wvgm.exe
2007-03-16 00:43:08 25,088 ------w C:\WINDOWS\system32\koos.exe
2007-03-16 00:42:36 36,352 ----a-w C:\mqusagpb.exe
2007-03-16 00:42:32 7,200 ----a-w C:\drboej.exe
2007-03-16 00:42:27 1,024 ----a-w C:\fpnmiwpv.exe
2007-03-16 00:42:16 6,604 ----a-w C:\smgr.exe
2007-03-15 02:37:57 65,536 --sha-r C:\WINDOWS\system32\msdpsv.exe
2007-03-10 01:48:48 47,340 ----a-w C:\sioc8.exe
2007-03-10 01:48:41 52,224 ----a-w C:\WINDOWS\vbsmg.exe
2007-03-04 04:16:27 67,584 --sha-r C:\WINDOWS\system32\vpnsvc.exe
2006-12-28 22:44:53 57,856 --sha-r C:\WINDOWS\system32\hpsvc.exe
2006-09-18 16:12:23 49,664 --sha-r C:\WINDOWS\system32\ntps.exe
2006-08-07 18:26:52 38,912 --sh--r C:\WINDOWS\system32\svsnt.exe
2003-03-31 02:00:00 94,351 --sha-r C:\WINDOWS\system32\advwekpt.exe
2003-03-31 02:00:00 88,219 --sha-r C:\WINDOWS\system32\fxsmunws.exe
2003-03-31 02:00:00 76,352 --sha-r C:\WINDOWS\system32\bak\mseacx.exe
2003-03-31 02:00:00 75,412 --sha-r C:\WINDOWS\system32\bak\dschkmos.exe
2003-03-31 02:00:00 74,102 --sha-r C:\WINDOWS\system32\bak\adllsmmp.exe
2003-03-31 02:00:00 72,412 --sha-r C:\WINDOWS\system32\bak\iedledcs.exe
2003-03-31 02:00:00 72,337 --sha-r C:\WINDOWS\system32\bak\iocndtl.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 03:47]
{47E6FE33-14A2-3251-A34B-6EE33991FEE9}=C:\WINDOWS\System32\mwvkffc.dll [2007-03-19 14:30]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{785B071F-3303-410A-A936-0DA6FF1608E3}=C:\WINDOWS\System32\geecy.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar5.dll [2007-01-20 00:55]
{b96688f0-5816-41fe-94d0-fba5c8dfa36c}=C:\WINDOWS\system32\kbdbrd.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-05-12 10:24]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2007-05-12 10:24]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2007-05-12 10:24]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-05-12 10:24]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-12 10:24]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2007-05-12 10:24]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2007-05-12 10:24]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2007-05-12 10:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2007-05-12 10:24]
"CARPService"="carpserv.exe" [2003-04-14 21:00 C:\WINDOWS\system32\carpserv.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-05-12 10:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-12 10:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-12 10:24]
"plmcsys2"="clikjcfq.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"NVIEW"="nview.dll,nViewLoadHook" []
"EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" [2007-05-12 10:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-05-12 10:24]
"Aaou"="C:\PROGRA~1\CROSOF~1\tracert.exe" []
"Xjtvkwia"="C:\Documents and Settings\Jane Gardner\Application Data\?racle\n?lookup.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"FCBA8EB1"=C:\WINDOWS\system32\rsbmsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8BFA0939-92D5-4762-B188-2F45AE6D445B}"="C:\WINDOWS\System32\dsbshell32.dll" [2007-04-17 15:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{A3BC5E20-0235-1ABF-9CE1-00AA00512036}"="C:\WINDOWS\System32\hndi32.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 11:09:50
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwOpenFile, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

cjnr4r4lxjufqcoz.exe [1648]


scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX4600 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /M "Stylus CX4600" /EF "HKCU"????????????????????????????????????????p??? 9?wh??w????3;?w?D?w???????w??f???????????????Z??E?w????????????????????T??????????? 9?w???w?????E?wI??w??Z?????????k??w?????????????????????????????]?w??????????Z????????????????w?D?w}??ww??w??f?????????????????????)???o?+$????H???????4??????w??f?????????????P???????????????T??????w????P????????S???????????????V?w????P????????V?wP???????8???????????`??

scanning hidden files ...

C:\WINDOWS\system32\cjnr4r4wjwjufrco.exe
C:\WINDOWS\system32\cjnr4r48844760.exe
C:\WINDOWS\system32\cjnr4r4eseqbnykwh.exe
C:\WINDOWS\system32\cjnr4r4hvhsdpamxj.exe
C:\WINDOWS\system32\cjnr4r4lxjufqcoz.exe
C:\WINDOWS\system32\cjnr4r4mhauo.exe
C:\WINDOWS\system32\cjnr4r4ofqbny.exe
C:\WINDOWS\system32\cjnr4r4uiuhsdp.exe
C:\WINDOWS\system32\nlkfev76171202.exe
C:\WINDOWS\system32\nlkfev77489512.exe
C:\WINDOWS\system32\nlkfev7csdozlwiug.exe
C:\WINDOWS\system32\nlkfev7drdpamxjvg.exe
C:\WINDOWS\system32\nlkfev7jtepbmxj.exe
C:\WINDOWS\system32\nlkfev7ugrcnykv.exe
C:\WINDOWS\system32\SecMon.sys
C:\WINDOWS\system32\sklrr7y237033.exe
C:\WINDOWS\system32\sklrr7ycrcn.exe
C:\WINDOWS\system32\sklrr7yftfrcnzkw.exe
C:\WINDOWS\system32\sklrr7yhwhsdoa.exe
C:\WINDOWS\system32\sklrr7yncoamxiug.exe
C:\WINDOWS\system32\sklrr7yqdoal.exe
C:\WINDOWS\system32\timedrv26.sys
C:\WINDOWS\system32\mlsdf8h3608669.exe
C:\WINDOWS\system32\mlsdf8hhsdozl.exe
C:\WINDOWS\system32\mlsdf8hiufqbmyjvh.exe
C:\WINDOWS\system32\mlsdf8hlxitepbm.exe
C:\WINDOWS\system32\mlsdf8hsdozkwhtfq.exe
C:\WINDOWS\system32\mlsdf8hthtgr.exe
C:\WINDOWS\system32\mlsdf8hugrcnzkw.exe
C:\WINDOWS\system32\mlsdf8hztnh.exe
C:\WINDOWS\system32\sklrr7ywlxjvgr.exe
C:\WINDOWS\system32\dior4f47540231.exe
C:\WINDOWS\system32\dior4f4dpal.exe
C:\WINDOWS\system32\dior4f4dqcpalx.exe
C:\WINDOWS\system32\dior4f4grcn.exe
C:\WINDOWS\system32\dior4f4gzkvgrdoam.exe
C:\WINDOWS\system32\dior4f4jvgrcozl.exe
C:\WINDOWS\system32\dior4f4mxiteqbnyk.exe
C:\WINDOWS\system32\dior4f4nbnzkwhtf.exe
C:\WINDOWS\system32\dior4f4ymylwht.exe

scan completed successfully
hidden files: 40


********************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"RunAppBk"="C:\\Documents and Settings\\Jane Gardner\\tjAgent.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Time]
"ImagePath"="C:\WINDOWS\System32\cjnr4r4lxjufqcoz.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WTime]
"ImagePath"="\??\C:\WINDOWS\System32\timedrv26.sys"

Completion time: 2007-05-31 11:14:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-31 11:13

--- E O F ---
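
The ComboFix log above has a pattern worth pulling out by hand: the Find3M section lists eight executables under different names, one of them the legitimate-looking hphmon05.exe, all with the same size (37,026 bytes) and the same write timestamp, and several of them are the targets of the HKLM Run entries in the earlier HijackThis log. The following is an added triage script, not part of the thread or of ComboFix/HijackThis; it parses a constructed subset of the lines quoted above, clusters files by (timestamp, size), flags system+hidden executables, and cross-references the clusters against the O4 autorun entries. Regexes and field names are my own assumptions about the log format as it appears here.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ComboFix "Find3M Report" lines and the
# HijackThis O4 lines quoted earlier in this thread.
FIND3M_SAMPLE = r"""
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\rsbmsc.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\mseacx.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\iocndtl.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\system32\hphmon05.exe
2007-05-12 14:24:03 37,026 ----a-w C:\WINDOWS\gsvpm.exe
2007-04-17 23:08:22 -------- d-----w C:\Program Files\Google
2007-03-25 23:08:16 9,728 ----a-w C:\WINDOWS\vxddsk.exe
2006-08-07 18:26:52 38,912 --sh--r C:\WINDOWS\system32\svsnt.exe
"""

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [FCBA8EB1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [AntiVirusUpdateExe] C:\WINDOWS\gsvpm.exe
O4 - HKLM\..\Run: [selcnlm] C:\WINDOWS\System32\mseacx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Assumed line shapes, derived from the log as quoted in this thread.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([\d,]+|-+)\s+(\S+)\s+(.+)$")
HJT_O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$")
# First executable-looking path in an O4 value, quoted or not.
TARGET_RE = re.compile(r'^"?(.+?\.(?:exe|dll|ocx|scr))"?', re.IGNORECASE)


def parse_find3m(text):
    """Parse Find3M lines into dicts; directory entries (size '--------') are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m or m.group(2).startswith("-"):
            continue
        ts, size, attrs, path = m.groups()
        entries.append({"ts": ts, "size": int(size.replace(",", "")),
                        "attrs": attrs, "path": path.strip()})
    return entries


def find_size_clusters(entries, min_members=3):
    """Group files by (timestamp, size). Several unrelated names sharing both
    is the signature of one dropper writing the same payload under many names."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["ts"], e["size"])].append(e["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_members}


def hidden_system_executables(entries):
    """Executables carrying both the system (s) and hidden (h) attributes."""
    return [e["path"] for e in entries
            if "s" in e["attrs"] and "h" in e["attrs"]
            and e["path"].lower().endswith(".exe")]


def parse_hjt_o4(text):
    """Parse HijackThis O4 autorun lines into (hive, value name, target path)."""
    runs = []
    for line in text.splitlines():
        m = HJT_O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, value = m.groups()
        t = TARGET_RE.match(value)
        runs.append({"hive": hive, "name": name,
                     "target": (t.group(1) if t else value).lower()})
    return runs


def correlate_autoruns(find3m_text, hjt_text, min_members=3):
    """Autorun entries whose target sits in a size/timestamp cluster. This catches
    a legitimate-looking name (hphmon05.exe) whose bytes match the random ones."""
    clustered = {p.lower() for paths in
                 find_size_clusters(parse_find3m(find3m_text), min_members).values()
                 for p in paths}
    return [r for r in parse_hjt_o4(hjt_text) if r["target"] in clustered]


if __name__ == "__main__":
    entries = parse_find3m(FIND3M_SAMPLE)
    for key, paths in find_size_clusters(entries).items():
        print(f"cluster {key}: {len(paths)} files")
    for p in hidden_system_executables(entries):
        print(f"system+hidden executable: {p}")
    for r in correlate_autoruns(FIND3M_SAMPLE, HJT_SAMPLE):
        print(f"suspicious autorun {r['hive']} [{r['name']}] -> {r['target']}")
```

The point of the correlation step is that a filename alone proves nothing: hphmon05.exe is a real HP component name, but on this machine the file shares size and timestamp with the randomly named droppers, so it belongs with them. Comparing attribute flags, sizes and timestamps across sections of one log, and across logs from different tools, is how a helper decides which entries to fix.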

Shaba
2007-05-31, 18:34
Hi

Wow, a lot of rootkits :spider:

* Download GMER from
here (http://www.gmer.net/gmer.zip):
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

janegard
2007-05-31, 21:57
Hello,
Here is the first half of the gmer report.
Jane

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-31 15:51:22
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\SecMon.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\SecMon.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\SecMon.sys ZwQueryDirectoryFile

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!CcCopyWrite + 4 804DD434 1 Byte [ 03 ]
PAGE ntoskrnl.exe!CcCopyRead + 4 80547A84 1 Byte [ 03 ]
PAGE ntoskrnl.exe!NtReadFile + 4 80559E6A 1 Byte [ 03 ]
PAGE ntoskrnl.exe!NtCreateSection + 4 80585EBA 1 Byte [ 03 ]
PAGE ntoskrnl.exe!NtMapViewOfSection + 4 8058CA0E 1 Byte [ 03 ]
PAGE Ntfs.sys F7423BC0 1 Byte [ 00 ]
? C:\WINDOWS\System32\timedrv26.sys The system cannot find the file specified.
.text ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 7FFA8381
.text ntdll.dll!NtCreateFile 77F5B688 5 Bytes JMP 7FFA8B36
.text ntdll.dll!NtDeviceIoControlFile 77F5B858 5 Bytes JMP 7FFA87AC
.text ntdll.dll!NtEnumerateKey 77F5B8A8 5 Bytes JMP 7FFA8009
.text ntdll.dll!NtEnumerateValueKey 77F5B8C8 5 Bytes JMP 7FFA810E
.text ntdll.dll!NtOpenFile 77F5BB78 5 Bytes JMP 7FFA8BBF
.text ntdll.dll!NtOpenProcess 77F5BBD8 5 Bytes JMP 7FFA8ACB
.text ntdll.dll!NtQueryDirectoryFile 77F5BD48 5 Bytes JMP 7FFA7EC4
.text ntdll.dll!NtQuerySystemInformation 77F5BF08 5 Bytes JMP 7FFA7D26
.text ntdll.dll!NtQueryVolumeInformationFile 77F5BF68 5 Bytes JMP 7FFA86DC
.text ntdll.dll!NtReadVirtualMemory 77F5BFD8 5 Bytes JMP 7FFA8181
.text ntdll.dll!NtResumeThread 77F5C118 5 Bytes JMP 7FFA7FA2
.text ntdll.dll!NtVdmControl 77F5C4F8 5 Bytes JMP 7FFA7F33
.text ntdll.dll!RtlRunEncodeUnicodeString 77F7E50C 5 Bytes JMP 7FFA8BFA

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 7FF98381
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtCreateFile 77F5B688 5 Bytes JMP 7FF98B36
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtDeviceIoControlFile 77F5B858 5 Bytes JMP 7FF987AC
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtEnumerateKey 77F5B8A8 5 Bytes JMP 7FF98009
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtEnumerateValueKey 77F5B8C8 5 Bytes JMP 7FF9810E
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtOpenFile 77F5BB78 5 Bytes JMP 7FF98BBF
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtOpenProcess 77F5BBD8 5 Bytes JMP 7FF98ACB
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtQueryDirectoryFile 77F5BD48 5 Bytes JMP 7FF97EC4
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtQuerySystemInformation 77F5BF08 5 Bytes JMP 7FF97D26
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtQueryVolumeInformationFile 77F5BF68 5 Bytes JMP 7FF986DC
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtReadVirtualMemory 77F5BFD8 5 Bytes JMP 7FF98181
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtResumeThread 77F5C118 5 Bytes JMP 7FF97FA2
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtVdmControl 77F5C4F8 5 Bytes JMP 7FF97F33
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!RtlRunEncodeUnicodeString 77F7E50C 5 Bytes JMP 7FF98BFA
.text C:\WINDOWS\system32\winlogon.exe[636] kernel32.dll!ReadFile 77E7AB4E 5 Bytes JMP 7FF97C3C
.text C:\WINDOWS\system32\winlogon.exe[636] ADVAPI32.dll!EnumServicesStatusA 77DD6C34 5 Bytes JMP 7FF9855F
.text C:\WINDOWS\system32\winlogon.exe[636] ADVAPI32.dll!EnumServiceGroupW 77DDD67B 5 Bytes JMP 7FF984F6
.text C:\WINDOWS\system32\winlogon.exe[636] ADVAPI32.dll!EnumServicesStatusExW 77DF4A9C 5 Bytes JMP 7FF985C5
.text C:\WINDOWS\system32\winlogon.exe[636] ADVAPI32.dll!EnumServicesStatusExA 77DF58B9 5 Bytes JMP 7FF98631
.text C:\WINDOWS\system32\winlogon.exe[636] Secur32.dll!LsaLogonUser 76F942B7 5 Bytes JMP 7FF98C6B
.text C:\WINDOWS\system32\winlogon.exe[636] WS2_32.dll!WSARecv 71AB19A0 5 Bytes JMP 7FF98423
.text C:\WINDOWS\system32\winlogon.exe[636] WS2_32.dll!recv 71AB5690 5 Bytes JMP 7FF983C3
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 7FF98381
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtCreateFile 77F5B688 5 Bytes JMP 7FF98B36
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtDeviceIoControlFile 77F5B858 5 Bytes JMP 7FF987AC
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtEnumerateKey 77F5B8A8 5 Bytes JMP 7FF98009
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtEnumerateValueKey 77F5B8C8 5 Bytes JMP 7FF9810E
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtOpenFile 77F5BB78 5 Bytes JMP 7FF98BBF
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtOpenProcess 77F5BBD8 5 Bytes JMP 7FF98ACB
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtQueryDirectoryFile 77F5BD48 5 Bytes JMP 7FF97EC4
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtQuerySystemInformation 77F5BF08 5 Bytes JMP 7FF97D26
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtQueryVolumeInformationFile 77F5BF68 5 Bytes JMP 7FF986DC
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtReadVirtualMemory 77F5BFD8 5 Bytes JMP 7FF98181
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtResumeThread 77F5C118 5 Bytes JMP 7FF97FA2
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!NtVdmControl 77F5C4F8 5 Bytes JMP 7FF97F33
.text C:\WINDOWS\system32\services.exe[680] ntdll.dll!RtlRunEncodeUnicodeString 77F7E50C 5 Bytes JMP 7FF98BFA
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!ReadFile 77E7AB4E 5 Bytes JMP 7FF97C3C
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!EnumServicesStatusA 77DD6C34 5 Bytes JMP 7FF9855F
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!EnumServiceGroupW 77DDD67B 5 Bytes JMP 7FF984F6
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!EnumServicesStatusExW 77DF4A9C 5 Bytes JMP 7FF985C5
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!EnumServicesStatusExA 77DF58B9 5 Bytes JMP 7FF98631
.text C:\WINDOWS\system32\services.exe[680] secur32.dll!LsaLogonUser 76F942B7 5 Bytes JMP 7FF98C6B
.text C:\WINDOWS\system32\services.exe[680] WS2_32.dll!WSARecv 71AB19A0 5 Bytes JMP 7FF98423
.text C:\WINDOWS\system32\services.exe[680] WS2_32.dll!recv 71AB5690 5 Bytes JMP 7FF983C3
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 7FF88381
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtCreateFile 77F5B688 5 Bytes JMP 7FF88B36
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtDeviceIoControlFile 77F5B858 5 Bytes JMP 7FF887AC
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtEnumerateKey 77F5B8A8 5 Bytes JMP 7FF88009
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtEnumerateValueKey 77F5B8C8 5 Bytes JMP 7FF8810E
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtOpenFile 77F5BB78 5 Bytes JMP 7FF88BBF
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtOpenProcess 77F5BBD8 5 Bytes JMP 7FF88ACB
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtQueryDirectoryFile 77F5BD48 5 Bytes JMP 7FF87EC4
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtQuerySystemInformation 77F5BF08 5 Bytes JMP 7FF87D26
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtQueryVolumeInformationFile 77F5BF68 5 Bytes JMP 7FF886DC
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtReadVirtualMemory 77F5BFD8 5 Bytes JMP 7FF88181
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtResumeThread 77F5C118 5 Bytes JMP 7FF87FA2
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtVdmControl 77F5C4F8 5 Bytes JMP 7FF87F33
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!RtlRunEncodeUnicodeString 77F7E50C 5 Bytes JMP 7FF88BFA
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!ReadFile 77E7AB4E 5 Bytes JMP 7FF87C3C
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!EnumServicesStatusA 77DD6C34 5 Bytes JMP 7FF8855F
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!EnumServiceGroupW 77DDD67B 5 Bytes JMP 7FF884F6
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!EnumServicesStatusExW 77DF4A9C 5 Bytes JMP 7FF885C5
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!EnumServicesStatusExA 77DF58B9 5 Bytes JMP 7FF88631
.text C:\WINDOWS\system32\svchost.exe[888] WS2_32.dll!WSARecv 71AB19A0 5 Bytes JMP 7FF88423
.text C:\WINDOWS\system32\svchost.exe[888] WS2_32.dll!recv 71AB5690 5 Bytes JMP 7FF883C3
.text C:\WINDOWS\system32\svchost.exe[888] Secur32.dll!LsaLogonUser 76F942B7 5 Bytes JMP 7FF88C6B

---- Threads - GMER 1.0.12 ----

Thread 4:1796 83D8D338

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\cjnr4r4lxjufqcoz.exe (*** hidden *** ) 192
Library C:\WINDOWS\System32\cjnr4r4lxjufqcoz.exe (*** hidden *** ) @ C:\WINDOWS\system32\cjnr4r4lxjufqcoz.exe [192] 0x00400000

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\System32\cjnr4r4lxjufqcoz.exe (*** hidden *** ) [AUTO] Time <-- ROOTKIT !!!
Service C:\WINDOWS\System32\timedrv26.sys (*** hidden *** ) [MANUAL] WTime <-- ROOTKIT !!!
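
The GMER output above is dense, so here is an added summariser for it (my own code, not part of the thread or of GMER). It reads a constructed subset of the lines quoted above and answers the questions a helper actually asks: which driver owns the SSDT hooks, whether every inline JMP inside a process lands in the same high memory region (one injected code blob per process), which services are hidden, and what the set of hooked APIs lets the rootkit conceal or observe. The regexes and the STEALTH_MAP interpretation of each API are my assumptions, drawn from the report format as quoted here.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER report quoted in this thread.
GMER_SAMPLE = r"""
SSDT \??\C:\WINDOWS\system32\SecMon.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\SecMon.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\SecMon.sys ZwQueryDirectoryFile
.text ntdll.dll!LdrLoadDll 77F56F1B 5 Bytes JMP 7FFA8381
.text ntdll.dll!NtQueryDirectoryFile 77F5BD48 5 Bytes JMP 7FFA7EC4
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtEnumerateKey 77F5B8A8 5 Bytes JMP 7FF98009
.text C:\WINDOWS\system32\winlogon.exe[636] ntdll.dll!NtQueryDirectoryFile 77F5BD48 5 Bytes JMP 7FF97EC4
.text C:\WINDOWS\system32\winlogon.exe[636] Secur32.dll!LsaLogonUser 76F942B7 5 Bytes JMP 7FF98C6B
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!EnumServicesStatusExW 77DF4A9C 5 Bytes JMP 7FF985C5
.text C:\WINDOWS\system32\services.exe[680] WS2_32.dll!recv 71AB5690 5 Bytes JMP 7FF983C3
.text C:\WINDOWS\system32\svchost.exe[888] ntdll.dll!NtQuerySystemInformation 77F5BF08 5 Bytes JMP 7FF87D26
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!ReadFile 77E7AB4E 5 Bytes JMP 7FF87C3C
Service C:\WINDOWS\System32\cjnr4r4lxjufqcoz.exe (*** hidden *** ) [AUTO] Time <-- ROOTKIT !!!
Service C:\WINDOWS\System32\timedrv26.sys (*** hidden *** ) [MANUAL] WTime <-- ROOTKIT !!!
"""

# Assumed line shapes, matching the report as quoted in this thread.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)$")
USER_RE = re.compile(
    r"^\.text\s+(\S+)\[(\d+)\]\s+(\S+)\s+([0-9A-Fa-f]+)\s+(\d+) Bytes JMP ([0-9A-Fa-f]+)$")
KERNEL_RE = re.compile(
    r"^\.text\s+(\S+![^\s\[]+)\s+([0-9A-Fa-f]+)\s+(\d+) Bytes JMP ([0-9A-Fa-f]+)$")
SERVICE_RE = re.compile(
    r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)\s+<-- ROOTKIT")

# My reading of what a rootkit gains by intercepting each API (prefix match,
# so EnumServicesStatusExW etc. collapse onto one entry).
STEALTH_MAP = {
    "ZwQueryDirectoryFile": "hide files", "NtQueryDirectoryFile": "hide files",
    "ZwEnumerateKey": "hide registry keys", "NtEnumerateKey": "hide registry keys",
    "ZwEnumerateValueKey": "hide registry values",
    "NtEnumerateValueKey": "hide registry values",
    "NtQuerySystemInformation": "hide processes",
    "EnumServicesStatus": "hide services", "EnumServiceGroup": "hide services",
    "LsaLogonUser": "intercept logon calls",
    "recv": "observe network input", "WSARecv": "observe network input",
    "ReadFile": "observe file reads",
}


def parse_gmer(text):
    """Parse the SSDT, inline-hook and hidden-service lines of a GMER report."""
    report = {"ssdt": [], "kernel_hooks": [], "user_hooks": defaultdict(list),
              "hidden_services": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            report["ssdt"].append({"driver": m.group(1), "function": m.group(2)})
        elif (m := USER_RE.match(line)):
            proc, pid, func, addr, _n, target = m.groups()
            report["user_hooks"][f"{proc}[{pid}]"].append(
                {"function": func, "address": int(addr, 16), "target": int(target, 16)})
        elif (m := KERNEL_RE.match(line)):
            func, addr, _n, target = m.groups()
            report["kernel_hooks"].append(
                {"function": func, "address": int(addr, 16), "target": int(target, 16)})
        elif (m := SERVICE_RE.match(line)):
            report["hidden_services"].append(
                {"image": m.group(1), "start": m.group(2), "name": m.group(3)})
    return report


def ssdt_hooks_by_driver(report):
    """Which driver owns the kernel syscall-table hooks, and which syscalls."""
    by = defaultdict(list)
    for h in report["ssdt"]:
        by[h["driver"]].append(h["function"])
    return dict(by)


def hook_target_regions(report, granularity=0x10000):
    """Per process, the distinct 64 KiB regions that the JMP targets fall in.
    A single region per process means one injected blob services every hook."""
    return {proc: sorted({h["target"] & ~(granularity - 1) for h in hooks})
            for proc, hooks in report["user_hooks"].items()}


def hidden_service_images(report):
    """Service name -> image path for entries GMER marks as hidden."""
    return {s["name"]: s["image"] for s in report["hidden_services"]}


def stealth_capabilities(report):
    """Infer from the hook set what the rootkit is positioned to hide or observe."""
    names = [h["function"] for h in report["ssdt"] + report["kernel_hooks"]]
    names += [h["function"] for hooks in report["user_hooks"].values() for h in hooks]
    caps = set()
    for full in names:
        name = full.split("!", 1)[-1]
        caps.update(cap for key, cap in STEALTH_MAP.items() if name.startswith(key))
    return caps


if __name__ == "__main__":
    r = parse_gmer(GMER_SAMPLE)
    print("SSDT:", ssdt_hooks_by_driver(r))
    print("hook regions:", {p: [hex(x) for x in v] for p, v in hook_target_regions(r).items()})
    print("hidden services:", hidden_service_images(r))
    print("capabilities:", sorted(stealth_capabilities(r)))
```

Read together, the summary explains what the user was seeing: the SSDT hooks in SecMon.sys plus NtQueryDirectoryFile/NtQuerySystemInformation hooks in every process are why Spybot and the installers could not see the files and the hidden "Time" service, and the LsaLogonUser hook inside winlogon.exe is why a helper treats a machine like this as needing a rebuild or at least a full credential reset once it is cleaned.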

janegard
2007-05-31, 22:05
---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*setup*.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*instal*.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*setup*.bat
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*instal*.bat
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*setup*.cmd
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*instal*.cmd
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*setup*.com
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*instal*.com
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents@** application/vnd.ms-excel
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents@*** application/vnd.ms-powerpoint
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents@* application/msword
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run@RunAppBk C:\Documents and Settings\Jane Gardner\tjAgent.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run@plmcsys2 clikjcfq.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run@RunAppBk C:\Documents and Settings\Jane Gardner\tjAgent.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run@plmcsys2 clikjcfq.exe
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Time@ Service
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Time@ Service
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GMER\0000\Control@*NewlyCreated* 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TIME
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WTIME
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WTIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@Type 272
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@ImagePath C:\WINDOWS\System32\cjnr4r4lxjufqcoz.exe
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@DisplayName Time Service
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@ObjectName LocalSystem
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@Description Maintains date and time synchronization on all clients and servers in the network.
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime@ImagePath \??\C:\WINDOWS\System32\timedrv26.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime@Start 3
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Time@ Service
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Time@ Service
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TIME
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WTIME
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WTIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\Time@Type 272
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\Time@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\Time@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\Time@ImagePath C:\WINDOWS\System32\cjnr4r4lxjufqcoz.exe
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\Time@DisplayName Time Service
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\Time@ObjectName LocalSystem
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\Time@Description Maintains date and time synchronization on all clients and servers in the network.
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\WTime
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\WTime@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\WTime@ImagePath \??\C:\WINDOWS\System32\timedrv26.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\WTime@Start 3
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\WTime@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time@ Service
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Time
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Time@ Service
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GMER\0000\Control@*NewlyCreated* 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TIME
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WTIME
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WTIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@Type 272
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@Start 2
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@ImagePath C:\WINDOWS\System32\cjnr4r4lxjufqcoz.exe
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@DisplayName Time Service
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@ObjectName LocalSystem
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@Description Maintains date and time synchronization on all clients and servers in the network.
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime@ImagePath \??\C:\WINDOWS\System32\timedrv26.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime@Start 3
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime@Type 1
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Secures
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Secures@ID C5EA17BC84274ea793AB0E2A56599D2A
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Secures@ 11836
Reg \Registry\USER\S-1-5-21-3308599156-3893318532-2028504928-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\objects@* 5
Reg \Registry\USER\S-1-5-21-3308599156-3893318532-2028504928-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hotfreebies.com@* 1
Reg \Registry\USER\S-1-5-21-3308599156-3893318532-2028504928-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1@* 1

janegard
2007-05-31, 22:06
---- Files - GMER 1.0.12 ----

File C:\Documents and Settings\Jane Gardner\bak\tjAgent.exe
File C:\Documents and Settings\Jane Gardner\SecMon.sys
File C:\Documents and Settings\Jane Gardner\tjAgent.exe
File C:\WINDOWS\system32\cjnr4r48844760.exe
File C:\WINDOWS\system32\cjnr4r4eseqbnykwh.exe
File C:\WINDOWS\system32\cjnr4r4hvhsdpamxj.exe
File C:\WINDOWS\system32\cjnr4r4lxjufqcoz.exe <-- ROOTKIT !!!
File C:\WINDOWS\system32\cjnr4r4mhauo.exe
File C:\WINDOWS\system32\cjnr4r4ofqbny.exe
File C:\WINDOWS\system32\cjnr4r4uiuhsdp.exe
File C:\WINDOWS\system32\cjnr4r4wjwjufrco.exe
File C:\WINDOWS\system32\dior4f47540231.exe
File C:\WINDOWS\system32\dior4f4dpal.exe
File C:\WINDOWS\system32\dior4f4dqcpalx.exe
File C:\WINDOWS\system32\dior4f4grcn.exe
File C:\WINDOWS\system32\dior4f4gzkvgrdoam.exe
File C:\WINDOWS\system32\dior4f4jvgrcozl.exe
File C:\WINDOWS\system32\dior4f4mxiteqbnyk.exe
File C:\WINDOWS\system32\dior4f4nbnzkwhtf.exe
File C:\WINDOWS\system32\dior4f4ymylwht.exe
File C:\WINDOWS\system32\mlsdf8h3608669.exe
File C:\WINDOWS\system32\mlsdf8hhsdozl.exe
File C:\WINDOWS\system32\mlsdf8hiufqbmyjvh.exe
File C:\WINDOWS\system32\mlsdf8hlxitepbm.exe
File C:\WINDOWS\system32\mlsdf8hsdozkwhtfq.exe
File C:\WINDOWS\system32\mlsdf8hthtgr.exe
File C:\WINDOWS\system32\mlsdf8hugrcnzkw.exe
File C:\WINDOWS\system32\mlsdf8hztnh.exe
File C:\WINDOWS\system32\nlkfev76171202.exe
File C:\WINDOWS\system32\nlkfev77489512.exe
File C:\WINDOWS\system32\nlkfev7csdozlwiug.exe
File C:\WINDOWS\system32\nlkfev7drdpamxjvg.exe
File C:\WINDOWS\system32\nlkfev7jtepbmxj.exe
File C:\WINDOWS\system32\nlkfev7ugrcnykv.exe
File C:\WINDOWS\system32\SecMon.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\sklrr7y237033.exe
File C:\WINDOWS\system32\sklrr7ycrcn.exe
File C:\WINDOWS\system32\sklrr7yftfrcnzkw.exe
File C:\WINDOWS\system32\sklrr7yhwhsdoa.exe
File C:\WINDOWS\system32\sklrr7yncoamxiug.exe
File C:\WINDOWS\system32\sklrr7yqdoal.exe
File C:\WINDOWS\system32\sklrr7ywlxjvgr.exe
File C:\WINDOWS\system32\timedrv26.sys <-- ROOTKIT !!!
File C:\WINDOWS\Temp\cjnr4r4305FDC17.tmp
File C:\WINDOWS\Temp\cjnr4r468BAF45C.tmp
File C:\WINDOWS\Temp\cjnr4r468BAF45F.tmp
File C:\WINDOWS\Temp\cjnr4r468BAF7AF.tmp
File C:\WINDOWS\Temp\dior4f45740476.exe
File C:\WINDOWS\Temp\nlkfev775BFE4B9.tmp

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32\SecMon.sys [SYSTEM] SecurityMonitoringDriver <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----

Shaba
2007-06-01, 08:51
Hi

Yes, lots of stuff there.

I still highly recommend format & re-install because your system is highly compromised at the moment.

Let me know your decision.

Shaba
2007-06-08, 11:26
Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.