
Pop ups, Virus Detected and getting nowhere



RandomHero
2007-08-16, 00:55
OK, so I'm working on my friend's computer and she has tons of pop-ups. I can't get through a full scan with AVG Anti-Virus Free. I'm at the end of my rope, someone please help me. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:51:13 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Vicki\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {64BAFD4D-68C9-4B12-B61B-8799E4BF7DD2} - C:\Program Files\WindowsUpdate\hopetewy4444.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: 0 - {D987FF50-217B-48C9-A2B6-254607D66E28} - C:\Program Files\Online Services\labu107.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [freexstylel] lockts.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186982533437
O17 - HKLM\System\CCS\Services\Tcpip\..\{09155DD8-CCF1-4E57-A7BE-B94EA9F38CA3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{88D64490-5249-4D85-ADF2-845A28DC5A8A}: NameServer = 85.255.115.18,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{A15A0747-117E-49C7-A7F9-B113A7C0E662}: NameServer = 85.255.115.18,85.255.112.77
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: SESSMGR.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebya - C:\WINDOWS\System32\gebya.dll (file missing)
O20 - Winlogon Notify: opnomjk - opnomjk.dll (file missing)
O21 - SSODL: ALLTEL DSL Check-up Center - {94375C39-5A0F-C2B3-22C0-1518175C6A47} - c:\progra~1\alltel~1\bin\dauvzd9.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\gxlsrcsk.exe (file missing)

pskelley
2007-08-16, 14:46
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You have quite the mess here; where did you go to get this nasty bundle? If you still need help, please keep the computer offline except when troubleshooting until I tell you that it is clean.

SESSMGR.dll <<< I need to know if that file is malware or not...do you know it? Here is the Google if it helps ID it:
http://www.google.com/search?hl=en&q=SESSMGR.dll&btnG=Google+Search
If you are still unsure, use one or more of these free scanners and post the results:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Your spyware programs may block our fix, follow these instructions and turn them off.

AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

SUPERAntiSpyware and Lavasoft\Ad-Aware 2007: I don't have instructions for stopping these, just make sure they are not running when you proceed. (Please tell me in your next post if you own any of these or if they are only trials)

It is important that you read and follow the directions carefully:

1) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

(do not post the reports and log until you are finished)

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the report from Fixwareout, the combofix log and a new HJT log. We will have more to do.

Thanks
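The checks pskelley runs by eye on the log above (the two 85.255.x.x resolvers under O17 that Fixwareout later clears, the unidentified AppInit_DLLs entry, the "(file missing)" load points, and a RunServices entry that is a bare filename) can be scripted. The following Python triage script is an added example, not part of this thread or of any of the tools named in it; the sample lines are copied from the first HijackThis log, and the set of resolvers treated as legitimate is an assumption about what the owner actually configured.

```python
import re
from ipaddress import ip_address

# Constructed sample: HijackThis lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
O2 - BHO: (no name) - {64BAFD4D-68C9-4B12-B61B-8799E4BF7DD2} - C:\Program Files\WindowsUpdate\hopetewy4444.dll (file missing)
O4 - HKLM\..\RunServices: [freexstylel] lockts.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{09155DD8-CCF1-4E57-A7BE-B94EA9F38CA3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{88D64490-5249-4D85-ADF2-845A28DC5A8A}: NameServer = 85.255.115.18,85.255.112.77
O20 - AppInit_DLLs: SESSMGR.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebya - C:\WINDOWS\System32\gebya.dll (file missing)
"""

# Assumption: the resolvers the owner (or her ISP) actually configured.
# Anything else written into a Tcpip interface key deserves a second look.
EXPECTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_entries(log):
    """Split a HijackThis log into (section, line) pairs, e.g. ('O17', '...')."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = re.match(r"^([RFNO]\d+) - ", line)
        if m:
            entries.append((m.group(1), line))
    return entries


def rogue_nameservers(log, expected=EXPECTED_RESOLVERS):
    """O17 entries that point at resolvers outside the expected set."""
    findings = []
    for section, line in parse_entries(log):
        if section != "O17":
            continue
        m = O17_RE.match(line)
        if not m:
            continue
        for server in m.group("servers").split(","):
            try:
                ip_address(server)
            except ValueError:
                continue  # not an IP literal; ignore
            if server not in expected:
                findings.append((m.group("key"), server))
    return findings


def orphaned_load_points(log):
    """Registry load points whose target file HijackThis could not find."""
    return [line for _, line in parse_entries(log)
            if line.endswith("(file missing)") or line.endswith("(no file)")]


def bare_run_commands(log):
    """O4 entries whose command is a bare filename with no directory."""
    findings = []
    for section, line in parse_entries(log):
        if section != "O4":
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = m.group("cmd").split()[0].strip('"')
        if "\\" not in exe and "%" not in exe:
            findings.append((m.group("name"), exe))
    return findings


def appinit_dlls(log):
    """DLLs listed under AppInit_DLLs; any non-empty value is worth identifying."""
    dlls = []
    for section, line in parse_entries(log):
        if section == "O20" and line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            dlls.extend(d for d in re.split(r"[ ,]+", value) if d)
    return dlls


def triage(log, expected=EXPECTED_RESOLVERS):
    """Collect every finding class in one report dictionary."""
    return {
        "rogue_nameservers": rogue_nameservers(log, expected),
        "orphaned_load_points": orphaned_load_points(log),
        "bare_run_commands": bare_run_commands(log),
        "appinit_dlls": appinit_dlls(log),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

A finding here is a prompt to identify the file or resolver, as the helper does with the scanner links above, not a verdict on its own.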

RandomHero
2007-08-16, 19:56
I have no clue what that thing is. Sorry.

Logfile of HijackThis v1.99.1
Scan saved at 12:52:14 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Vicki\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {64BAFD4D-68C9-4B12-B61B-8799E4BF7DD2} - C:\Program Files\WindowsUpdate\hopetewy4444.dll (file missing)
O2 - BHO: 0 - {D987FF50-217B-48C9-A2B6-254607D66E28} - C:\Program Files\Online Services\labu107.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [freexstylel] lockts.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186982533437
O17 - HKLM\System\CCS\Services\Tcpip\..\{09155DD8-CCF1-4E57-A7BE-B94EA9F38CA3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: SESSMGR.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebya - C:\WINDOWS\System32\gebya.dll (file missing)
O20 - Winlogon Notify: opnomjk - opnomjk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe

Username "Vicki" - 08/16/2007 12:40:11 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{88D64490-5249-4D85-ADF2-845A28DC5A8A}
"nameserver"="85.255.115.18,85.255.112.77" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A15A0747-117E-49C7-A7F9-B113A7C0E662}
"nameserver"="85.255.115.18,85.255.112.77" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A15A0747-117E-49C7-A7F9-B113A7C0E662}
"DhcpNameServer"="85.255.115.18,85.255.112.77" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

RandomHero
2007-08-16, 19:56
ComboFix 07-08-14.4 - "Vicki" 2007-08-16 12:45:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.682 [GMT -4:00]


((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))


2007-08-16 12:42 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-16 12:40 9,107 --a------ C:\dnsbak.reg
2007-08-15 23:50 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-15 18:08 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-15 17:34 262,144 --a------ C:\DOCUME~1\LISAGA~1\ntuser.dat
2007-08-15 11:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-15 11:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-15 10:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Prevx
2007-08-15 10:26 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-15 00:40 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-08-15 00:40 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-08-15 00:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-15 00:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-14 23:30 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-14 23:28 86,073 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\voicesub.dll
2007-08-14 23:28 76,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\uniime.dll
2007-08-14 23:28 48,256 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\w32.dll
2007-08-14 23:28 455,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tintsetp.exe
2007-08-14 23:28 44,032 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tintlphr.exe
2007-08-14 23:28 426,041 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\voicepad.dll
2007-08-14 23:28 41,600 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.dll
2007-08-14 23:28 31,232 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\weitekp9.sys
2007-08-14 23:28 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tsprof.exe
2007-08-14 23:28 10,240 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tmigrate.dll
2007-08-14 23:27 98,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.dll
2007-08-14 23:27 92,416 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\mga.sys
2007-08-14 23:27 92,032 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\mga.dll
2007-08-14 23:27 9,728 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\query.exe
2007-08-14 23:27 9,216 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdnecat.dll
2007-08-14 23:27 8,704 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\snmptrap.exe
2007-08-14 23:27 79,872 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rwia330.dll
2007-08-14 23:27 79,872 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rwia001.dll
2007-08-14 23:27 70,656 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\korwbrkr.dll
2007-08-14 23:27 70,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2007-08-14 23:27 7,680 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\migregdb.exe
2007-08-14 23:27 7,680 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdnecnt.dll
2007-08-14 23:27 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdnec95.dll
2007-08-14 23:27 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_snprfdll.dll
2007-08-14 23:27 67,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2007-08-14 23:27 65,536 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_mailmsg.dll
2007-08-14 23:27 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\snmpmib.dll
2007-08-14 23:27 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxgl.dll
2007-08-14 23:27 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdth3.dll
2007-08-14 23:27 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdth2.dll
2007-08-14 23:27 57,856 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_scripto.dll
2007-08-14 23:27 53,760 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsd.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\smimsgif.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\smierrsy.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdvntc.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdusa.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdurdu.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdth1.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdth0.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdsyr2.dll
2007-08-14 23:27 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\kbdsyr1.dll
2007-08-14 23:27 456,704 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\smtpsvc.dll
2007-08-14 23:27 40,448 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\snmpthrd.dll
2007-08-14 23:27 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm9aw.dll
2007-08-14 23:27 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_ntfsdrv.dll
2007-08-14 23:27 36,927 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
2007-08-14 23:27 358,400 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\snmpincl.dll
2007-08-14 23:27 33,792 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\lmmib2.dll
2007-08-14 23:27 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\snmp.exe
2007-08-14 23:27 31,744 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\smb6w.dll
2007-08-14 23:27 31,744 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sma3w.dll
2007-08-14 23:27 30,208 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm87w.dll
2007-08-14 23:27 30,208 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm81w.dll
2007-08-14 23:27 29,184 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm8cw.dll
2007-08-14 23:27 26,624 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm93w.dll
2007-08-14 23:27 26,624 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm92w.dll
2007-08-14 23:27 26,624 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rw330ext.dll
2007-08-14 23:27 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm90w.dll
2007-08-14 23:27 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm8dw.dll
2007-08-14 23:27 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm8aw.dll
2007-08-14 23:27 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm89w.dll
2007-08-14 23:27 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_seos.dll
2007-08-14 23:27 259,072 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\snmpcl.dll
2007-08-14 23:27 25,088 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sm59w.dll
2007-08-14 23:27 24,576 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rw001ext.dll
2007-08-14 23:27 236,544 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\smi2smir.exe
2007-08-14 23:27 23,040 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_regtrace.exe
2007-08-14 23:27 229,439 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\multibox.dll
2007-08-14 23:27 22,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\lpdsvc.dll
2007-08-14 23:27 21,896 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tdipx.sys
2007-08-14 23:27 20,736 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ramdisk.sys
2007-08-14 23:27 19,464 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tdspx.sys
2007-08-14 23:27 188,416 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\snmpsmir.dll
2007-08-14 23:27 185,344 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\thawbrkr.dll
2007-08-14 23:27 18,944 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\simptcp.dll
2007-08-14 23:27 18,944 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\lprmon.dll
2007-08-14 23:27 175,104 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsa.dll
2007-08-14 23:27 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\quser.exe
2007-08-14 23:27 15,872 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\smierrsm.dll
2007-08-14 23:27 15,872 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs404.dll
2007-08-14 23:27 15,360 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs804.dll
2007-08-14 23:27 143,422 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\softkey.dll
2007-08-14 23:27 14,848 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\register.exe
2007-08-14 23:27 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
2007-08-14 23:27 131,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxviceo.dll
2007-08-14 23:27 13,192 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tdasync.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 21:19 5058 --a------ C:\WINDOWS\pchealth\HelpCtr\PackageStore\SkuStore.bin
2007-08-15 21:18 9492 --a------ C:\WINDOWS\pchealth\HelpCtr\Config\Cntstore.bin
2007-08-15 00:35 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-15 00:35 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-14 23:37 --------- d-------- C:\Program Files\321Studios
2007-08-14 23:24 --------- d-------- C:\Program Files\Movie Maker
2007-08-14 23:22 --------- d-------- C:\Program Files\Windows NT
2007-08-14 23:22 --------- d-------- C:\Program Files\Messenger
2007-08-14 22:35 --------- d-------- C:\Program Files\ArcSoft
2007-08-14 22:34 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 23:09 --------- d--h----- C:\Program Files\WindowsUpdate
2007-08-13 10:36 --------- d-------- C:\Program Files\Creative
2007-08-12 21:25 --------- d-------- C:\Program Files\WordPerfect Office 12
2007-08-12 21:25 --------- d-------- C:\Program Files\support.com
2007-08-12 21:25 --------- d-------- C:\Program Files\MSN Messenger
2007-08-12 21:25 --------- d-------- C:\Program Files\Google
2007-08-12 21:25 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-12 21:25 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-12 21:20 --------- d-------- C:\Program Files\Yahoo!
2007-08-02 17:36 --------- d-------- C:\Program Files\Online Services
2007-06-28 00:59 --------- d-------- C:\Program Files\AIM6
2007-06-24 17:12 --------- d-------- C:\Program Files\RCA


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64BAFD4D-68C9-4B12-B61B-8799E4BF7DD2}]
C:\Program Files\WindowsUpdate\hopetewy4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D987FF50-217B-48C9-A2B6-254607D66E28}]
C:\Program Files\Online Services\labu107.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 08:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"freexstylel"=lockts.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Vicki\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2007-08-14 23:25:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebya]
C:\WINDOWS\System32\gebya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnomjk]
opnomjk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=SESSMGR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lisa Gardner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Lisa Gardner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lisa Gardner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Lisa Gardner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!ewido]
"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
"C:\PROGRA~1\COMMON~1\CROSOF~1\taskmgr.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlfaCleaner]
C:\Program Files\AlfaCleaner\AlfaCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
REGSVR32.EXE /S CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chauetmA]
C:\WINDOWS\chauetmA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDC]
C:\WINDOWS\System32\gwsfqbhx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\pwinkmdt.exe SKY009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule2]
"C:\Program Files\ISM\ISMModule2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\18063\gm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pzo]
C:\WINDOWS\SYSTEM32\??crosoft\w?nspool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\inet20004\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
C:\Documents and Settings\Lisa Gardner\Application Data\Microsoft\Windows\xligtghi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\System32\nbdhywvb.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ttool]
C:\WINDOWS\9129837.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Lisa Gardner\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\W?nSxS]
C:\WINDOWS\CTRES.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{47-78-87-77-ZN}]
C:\windows\system32\ljdsregk.exe SKY009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\WINDOWS\TISKY009.exe SKY009

R2 SVKP;SVKP;\??\C:\WINDOWS\System32\SVKP.sys
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 12:47:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-16 12:48:14
C:\ComboFix-quarantined-files.txt ... 2007-08-16 12:48
C:\ComboFix2.txt ... 2007-08-15 18:13

--- E O F ---

pskelley
2007-08-16, 20:27
"I have No clue what that thing is Sorry"
You understand I gave you the tools to scan the file to find out? Since it is on your computer I can not do that for you. I can, however, remove it if you tell me to do so.

Any idea how this computer got this infected?

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) Ad-Aware 2007 <<< I do not have instructions since this is new, please turn it completely off so it is not running.

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {64BAFD4D-68C9-4B12-B61B-8799E4BF7DD2} - C:\Program Files\WindowsUpdate\hopetewy4444.dll (file missing)
O2 - BHO: 0 - {D987FF50-217B-48C9-A2B6-254607D66E28} - C:\Program Files\Online Services\labu107.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\RunServices: [freexstylel] lockts.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{09155DD8-CCF1-4E57-A7BE-B94EA9F38CA3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: SESSMGR.dll <<< your call
O20 - Winlogon Notify: gebya - C:\WINDOWS\System32\gebya.dll (file missing)
O20 - Winlogon Notify: opnomjk - opnomjk.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

(you need to search for these two files and delete them)

lockts.exe <<< delete

SESSMGR.dll <<< delete

8) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

10) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

Restart the computer and post the Uninstall list, AVG Anti-Spyware scan report and a new HJT log. Tell me how the computer is running.

Thanks

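The checks applied in step 6 above (orphaned entries marked "(no file)" or "(file missing)", a RunServices entry that launches a bare file name with no path, DNS NameServer overrides, and AppInit_DLLs / Winlogon Notify hooks) written as a small log triage script a helper can run over a saved HijackThis log before deciding what to fix. This is an added example, not code from the thread, from HijackThis or from Trend Micro; the "fix" versus "review" labels, the hostname heuristic for R0/R1 lines and the function names are this example's own assumptions. The sample lines are copied from the HJT log posted in this thread.

```python
"""Triage a HijackThis log: flag orphaned entries and high-impact hooks.

Added example (not part of the thread or of HijackThis). It encodes the
reviewer's heuristics from the post above as checks over an HJT log.
Severity labels and the hostname check are this example's assumptions.
"""
import re
import sys
from dataclasses import dataclass

# Sample lines copied from the HJT log posted in this thread (not constructed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iesettingsupdate/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: 0 - {D987FF50-217B-48C9-A2B6-254607D66E28} - C:\Program Files\Online Services\labu107.dll (file missing)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\RunServices: [freexstylel] lockts.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: SESSMGR.dll
O20 - Winlogon Notify: gebya - C:\WINDOWS\System32\gebya.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O2"
    line: str      # the original log line
    reason: str    # why it was flagged
    action: str    # "fix" (safe to remove with HJT) or "review" (needs a human look)


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')   # target starts with a drive letter


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # Hooks whose target file is gone: the registry entry is dead weight.
    if sec in ("O2", "O3", "O20") and any(k in body for k in ORPHAN_MARKERS):
        return Finding(sec, line, "entry points at a file that no longer exists", "fix")

    if sec in ("R0", "R1"):
        # Only URL-valued settings are checked; a host with no dot is not a
        # normal public site (heuristic assumed by this example).
        url = body.split("=", 1)[-1].strip()
        if url.lower().startswith(("http://", "https://")):
            host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0]
            if "." not in host:
                return Finding(sec, line, f"URL host {host!r} is not a public hostname", "fix")
        return None

    if sec == "O4":
        # Autostart target with no drive path: Windows finds it via PATH search.
        target = body.split("]", 1)[-1].strip()
        if not DRIVE_PATH_RE.match(target):
            return Finding(sec, line, "autostart runs a bare file name with no path", "review")
        return None

    if sec == "O17":
        servers = body.split("=", 1)[-1].strip()
        return Finding(sec, line, f"DNS overridden to {servers}; confirm the owner set this", "review")

    if sec == "O20":
        # AppInit_DLLs / Winlogon Notify load into many processes; verify publisher.
        return Finding(sec, line, "DLL loaded system-wide; verify the file's publisher", "review")

    return None


def triage_log(text: str):
    """Triage every line of an HJT log and return the list of Findings."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per action label, e.g. {'fix': 5, 'review': 4}."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python hjt_triage.py hijackthis.log   (defaults to the sample above)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage_log(text):
        print(f"[{f.action.upper():6}] {f.section}: {f.reason}\n         {f.line.strip()}")
    print(summarize(triage_log(text)))
```

The script deliberately never deletes anything: it sorts the log into entries that are safe to tick in HijackThis ("fix") and entries where a second opinion is needed ("review"), which is the same split the post above makes with "<<< your call".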
RandomHero
2007-08-16, 23:01
This is a friend's computer she asked me to look at, so I'm not sure, but she had Bearshare and Limewire installed.

I didn't find these:
lockts.exe <<< delete
SESSMGR.dll <<< delete

Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
AIM 6
AIM Pro
ATI Control Panel
ATI Display Driver
AVG 7.5
AVG Anti-Spyware 7.5
Creative WebCam Center
Creative WebCam Live! Driver (1.01.01.0730)
Creative WebCam Live! User's Guide (English)
Dell Digital Jukebox Driver
Dell Media Experience
Dell Photo AIO Printer 922
Dell Solution Center
Dell Support 5.0.0 (766)
GiPo@MoveOnBoot 1.9.5
HijackThis 2.0.2
Intel(R) 537EP V9x DF PCI Modem
Internet Explorer Default Page
Kaspersky Online Scanner
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Visual C++ 2005 Redistributable
MSN Messenger 7.5
MySpaceIM
PowerDVD 5.1
QuickTime
RealPlayer Basic
Shockwave
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Audigy 2
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Viewpoint Media Player
Wal-Mart Digital Photo Manager
Windows Installer 3.1 (KB893803)
WordPerfect Office 12
Yahoo! Internet Mail
Yahoo! Messenger

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:50:13 PM 8/16/2007

+ Scan result:



C:\Documents and Settings\Vicki\Cookies\vicki@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : No action taken.


::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:04 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186982533437
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe

--
End of file - 3769 bytes

RandomHero
2007-08-16, 23:02
It seems to be running a lot better.

pskelley
2007-08-16, 23:41
"This is a friend's computer she asked me to look at, so I'm not sure, but she had Bearshare and Limewire installed."
That can do it, show her some of this:
http://forums.spybot.info/showthread.php?t=282
http://www3.ca.com/securityadvisor/pest/Pest.aspx?id=453088059
http://pcpitstop.com/spycheck/p2p.asp
http://pcpitstop.com/spycheck/badtorrent.asp

Uninstall list:

Viewpoint Media Player <<< part of Viewpoint
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

The HJT log looks ok, and AVG showed only a cookie, I would say as far as malware you are in good shape.

Please remove combofix, combofix/qoobox/quarantine and any other tools we used, you can keep ATF-Cleaner if you wish.

Here are links to suggestions to improve performance if you wish:
http://www.castlecops.com/postitle175256-0-0-.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b

Let's clean the system restore files like this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

SAS is also a good program, but if it is only a trial, I would uninstall it; it uses a lot of resources.

(try to get her to view the information in these links)
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

RandomHero
2007-08-17, 05:50
Thanks very much
I just have one question/problem: every time I try to update Windows from Microsoft, it says that all of them failed.

pskelley
2007-08-17, 13:22
I can only give you limited help with a Microsoft problem.
1) http://v4.windowsupdate.microsoft.com/troubleshoot/

2) And if you can not fix it with that information, ask Microsoft for help, that is what we pay them for.
http://support.microsoft.com/

Need more help?
Contact a support professional by e-mail, online chat, or telephone.

Thanks

RandomHero
2007-08-19, 02:08
OK, so I got Microsoft to fix the update problem, but now on the other account on the computer I can't download anything off the web. Any piece of advice?

pskelley
2007-08-19, 02:37
I doubt it, does not ring a bell with me. Can you provide more information? Are you saying you have multiple users (at least 2) and you can download with one user and you can download in the administration account but you can not download with the other user account? If this is what you are saying, why not delete that user and establish a new user account to see if that fixes the problem. I am interested in exactly what happens when you try to download, and what you are trying to download also. What message do you get when this happens?

Thanks

RandomHero
2007-08-19, 02:51
Yeah, there are two accounts on it. I can download fine on one and get "internet explorer was not able to open this internet site. the request site is either unavailable or cannot be found." on the other. I tried downloading Firefox and Adobe Flash and get it on everything.

pskelley
2007-08-19, 03:15
Are you sure the error messages are "word for word"? This one:
"internet explorer was not able to open this internet site" has some information at the google:
http://www.google.com/search?hl=en&q=internet+explorer+was+not+able+to+open+this+internet+site&btnG=Google+Search
the requested site is either unavailable or cannot be found.
http://www.google.com/search?hl=en&q=the+requested+site+is+either+unavailable+or+cannot+be+found.&btnG=Search

OOPs...before you look at the links below, the first thing I would suggest is that you upgrade to IE7
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Here is some information that may or may not help:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://support.academic.com/knowbase/root/public/acdm9147.htm
http://www.microsoft.com/windows/ie/community/columns/ie7_basics.mspx

pskelley
2007-08-28, 00:45
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks