
Infected, please help. HJT Log inside.

Discussion in 'Windows - Virus and spyware problems' started by neurokasm, Dec 27, 2007.

  1. neurokasm

    neurokasm Member

    Joined:
    Sep 8, 2005
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    16
    Hello, my machine is infected with something. The Control Panel is hidden, and if I am able to find it, nothing is accessible. HJT logfile below, please help. Thank you.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:17:30 PM, on 12/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\shell.exe
    C:\Documents and Settings\User\Application Data\T?sks\w?auclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\User\Desktop\HiJackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
    O4 - HKCU\..\Run: [Lhf] "C:\Documents and Settings\Aaron Copeland\Application Data\T?sks\w?auclt.exe"
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90BCDAB2-D453-488B-A53C-EDEEA39A76A1}: NameServer = 207.69.188.185,207.69.188.186
    O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
    O21 - SSODL: cYhACmwbvCk - {005072E7-AAFA-D84D-153E-0F7E49BE3C45} - (no file)

    --
    End of file - 4715 bytes
     
    Last edited: Dec 27, 2007
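    The log above is a textbook example of what an analyst looks for by eye: a second program appended to the system.ini Shell= line (F2), Run keys pointing at lookalike names (w?auclt.exe next to the real wuauclt.exe, spoolvs.exe next to spoolsv.exe), a path with characters HijackThis prints as '?' (very likely a directory whose name uses non-ASCII lookalike letters so that it reads as "Tasks"), a DLL in AppInit_DLLs (O20), an orphaned SSODL entry (O21) and policy keys that lock the user out of regedit and the Control Panel (O6, O7). The script below is an added example, not HijackThis code and not anything the posters ran; it encodes those checks over entry lines copied from the log. The list of system binaries to compare against is an illustrative assumption, as is the edit-distance threshold of one (substitution, insertion, deletion or adjacent swap), which catches typosquats and single-character homoglyphs without flagging unrelated names.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example; not HijackThis code. Checks: lookalike names for core
Windows binaries, '?' or non-ASCII characters in a file path, global
hooks (F2 Shell=, O20 AppInit_DLLs, O21 SSODL) and lock-out policies
(O6, O7). Sample lines are copied from the first log in the thread.
"""
import re

# Assumption: short illustrative list of binaries malware likes to mimic.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
}

# HJT record types that are almost never benign on a home PC.
HIGH_RISK_TYPES = {
    "F2": "system.ini Shell= override: runs at every logon",
    "O6": "IE policy restriction (Control Panel / options locked)",
    "O7": "registry editor disabled via Policies\\System",
    "O20": "AppInit_DLLs: DLL loaded into every process that loads user32.dll",
    "O21": "ShellServiceObjectDelayLoad: loaded by Explorer at logon",
}

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r"[\w?]+\.exe", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(basename):
    """Known binaries within one edit of `basename`, excluding an exact match."""
    name = basename.lower().replace("?", "_")  # '?' stands in for an unrenderable char
    return sorted(k for k in KNOWN_SYSTEM_BINARIES
                  if name != k and osa_distance(name, k) <= 1)


def analyze_entry(line):
    """Findings for one HJT entry line (empty list if nothing stands out)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    etype, body = m.group("type"), m.group("body")
    findings = []
    if etype in HIGH_RISK_TYPES:
        findings.append(f"{etype}: {HIGH_RISK_TYPES[etype]}")
    if etype == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            findings.append(f"extra program appended to Shell=: {shell}")
    paths_only = URL_RE.sub("", body)  # '?' in a URL query string is normal
    if "?" in paths_only or any(ord(c) > 127 for c in paths_only):
        findings.append("'?' or non-ASCII characters in path: possible homoglyph directory name")
    for exe in sorted(set(EXE_RE.findall(body))):
        for known in lookalikes(exe):
            findings.append(f"'{exe}' resembles system binary '{known}'")
    if etype == "O4" and re.search(r"\\Application Data\\", body, re.IGNORECASE):
        findings.append("autorun from a user profile directory")
    return findings


def analyze_log(text):
    """Map each flagged entry line to its findings, in log order."""
    report = {}
    for line in text.splitlines():
        findings = analyze_entry(line)
        if findings:
            report[line.strip()] = findings
    return report


# Constructed sample: entries copied from the first log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [Lhf] "C:\Documents and Settings\User\Application Data\T?sks\w?auclt.exe"
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
"""

if __name__ == "__main__":
    for entry, findings in analyze_log(SAMPLE_LOG).items():
        print(entry)
        for f in findings:
            print("   ->", f)
```

    Run against the sample, it flags the F2, both lookalike O4 entries, O7 and O20, and stays quiet on the R1 search page, the Messenger button and the printer.exe Run key; that last one is a miss worth noting, since a bare name in system32 with no vendor string is exactly the kind of entry the heuristics cannot judge offline and an analyst would look up by hand.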
  2. QuikDraw

    QuikDraw Regular member

    Joined:
    Sep 29, 2007
    Messages:
    827
    Likes Received:
    0
    Trophy Points:
    26
    Pretty good mess! Reboot into SAFE MODE! Run HijackThis, place check marks next to all the items listed below. Press Fix checked. Reboot.
    Post a new HijackThis log.

    C:\WINDOWS\shell.exe

    C:\Documents and Settings\Aaron Copeland\Application Data\T?sks\w?auclt.exe

    R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe

    O4 - HKCU\..\Run: [Lhf] "C:\Documents and Settings\Aaron Copeland\Application Data\T?sks\w?auclt.exe"

    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe

    O4 - Startup: findfast.exe

    O4 - Global Startup: autorun.exe

    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

    O21 - SSODL: cYhACmwbvCk - {005072E7-AAFA-D84D-153E-0F7E49BE3C45} - (no file)
     
    Last edited: Dec 27, 2007
  3. neurokasm

    neurokasm Member

    Joined:
    Sep 8, 2005
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    16
    Yeah, it's pretty jacked. Thank you for your help, it's greatly appreciated! New HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:24:29 PM, on 12/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\User\Desktop\HiJackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [00507249] rundll32.exe "C:\WINDOWS\system32\flfmiflf.dll",b
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90BCDAB2-D453-488B-A53C-EDEEA39A76A1}: NameServer = 207.69.188.185,207.69.188.186
    O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

    --
    End of file - 3783 bytes
     
  4. QuikDraw

    QuikDraw Regular member

    Joined:
    Sep 29, 2007
    Messages:
    827
    Likes Received:
    0
    Trophy Points:
    26
    Reboot into Safe mode, run HijackThis, put check marks on the items listed below. Fix checked. Post new log.

    O4 - HKLM\..\Run: [00507249] rundll32.exe "C:\WINDOWS\system32\flfmiflf.dll",b

    O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

    You're using IE6; you should update to IE7. Here's the link:
    http://www.microsoft.com/windows/downloads/ie/getitnow.mspx

    Go here and make sure your OS is fully updated. Select the Express button. Download any high-priority updates:
    http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

    What Internet Security suite are you using? What Anti-Spyware program are you using?

    Have you ever used a registry cleaner?
     
    Last edited: Dec 27, 2007
  5. neurokasm

    neurokasm Member

    Joined:
    Sep 8, 2005
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    16
    I downloaded IE7 and will install it. I'm using Ad-Aware, Spybot, SpywareBlaster and CCleaner. This file, "O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll", seems to reappear every time after running HJT? Thanks again for your ongoing help =]

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:06:50 PM, on 12/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\User\Desktop\HiJackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90BCDAB2-D453-488B-A53C-EDEEA39A76A1}: NameServer = 207.69.188.185,207.69.188.186
    O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

    --
    End of file - 3507 bytes
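    The three logs in this thread so far (post 1 before any fix, post 3 after the first round, post 5 after the second round in Safe Mode) are exactly the data needed to answer the question in post 5. Diffing them shows three different things: entries the fix removed for good, an entry that only showed up after the first fix (the rundll32 / flfmiflf.dll Run key in post 3, a second component re-establishing persistence), and an entry that survived every round (the O20 AppInit_DLLs line). An AppInit_DLLs entry is loaded into every process that loads user32.dll, HijackThis included, so a fix applied from inside the running system can be undone by the very DLL being removed; that is why the next reply moves to a tool that does its own cleanup. The script below is an added example, not HijackThis or ComboFix code and not something the posters ran; the sample logs are constructed from the thread's three HJT logs, trimmed to the lines that changed.

```python
"""Track HijackThis entries across successive logs from one machine.

Added example; not HijackThis code. Given the logs posted before and
after each 'Fix checked' round, report which entries were removed,
which appeared only after a fix, which came back, and which survived
every round. Sample logs are constructed from the thread's three logs.
"""
import re

# R/F/O records only; the header and the 'Running processes' list are skipped.
ENTRY_RE = re.compile(r"^(?:R\d|F\d|O\d+) - ")

# Record types worth worrying about when they refuse to go away.
PERSISTENCE_TYPES = {"F2", "O4", "O20", "O21"}


def entries(log_text):
    """Set of HJT entry lines in one log."""
    return {ln.strip() for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())}


def track(logs):
    """Classify every entry seen across an ordered list of log texts.

    persisted:  in every log
    reappeared: in the first and the last, but missing from a log in between
    removed:    in the first, gone by the last
    appeared:   absent at first, present at the end
    transient:  showed up after a fix and was gone again by the last log
    """
    sets = [entries(t) for t in logs]
    report = {"persisted": [], "reappeared": [], "removed": [], "appeared": [], "transient": []}
    for e in sorted(set().union(*sets)):
        present = [e in s for s in sets]
        if all(present):
            report["persisted"].append(e)
        elif present[0] and present[-1]:
            report["reappeared"].append(e)
        elif present[0]:
            report["removed"].append(e)
        elif present[-1]:
            report["appeared"].append(e)
        else:
            report["transient"].append(e)
    return report


def stubborn(report):
    """Persistence-type entries that survived, or came back after, every fix."""
    return [e for e in report["persisted"] + report["reappeared"]
            if e.split(" - ", 1)[0] in PERSISTENCE_TYPES]


# Constructed samples: trimmed from the thread's logs (post 1, post 3, post 5).
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [Lhf] "C:\Documents and Settings\User\Application Data\T?sks\w?auclt.exe"
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O21 - SSODL: cYhACmwbvCk - {005072E7-AAFA-D84D-153E-0F7E49BE3C45} - (no file)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
"""

LOG_AFTER_FIX_1 = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [00507249] rundll32.exe "C:\WINDOWS\system32\flfmiflf.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
"""

LOG_AFTER_FIX_2 = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
"""

if __name__ == "__main__":
    report = track([LOG_BEFORE, LOG_AFTER_FIX_1, LOG_AFTER_FIX_2])
    for category, lines in report.items():
        print(f"== {category} ({len(lines)})")
        for ln in lines:
            print("  ", ln)
    print("== stubborn persistence entries")
    for ln in stubborn(report):
        print("  ", ln)
```

    The Yahoo toolbar and the ProxyOverride line also persist, which is why the final filter keeps only persistence-type records: "survived every fix" is only interesting for entries that run code at logon. The same approach works for any sequence of logs from one host, not just three.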
     
  6. QuikDraw

    QuikDraw Regular member

    Joined:
    Sep 29, 2007
    Messages:
    827
    Likes Received:
    0
    Trophy Points:
    26
    Yes, stubborn little bugger. Download comboFix. http://forums.majorgeeks.com/showthread.php?t=134965

    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  7. neurokasm

    neurokasm Member

    Joined:
    Sep 8, 2005
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    16
    OK, here's the ComboFix.txt:

    ComboFix 07-12-21.4 - User 2007-12-27 15:57:46.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.296 [GMT -8:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    * Created a new restore point
    .
    ADS - svchost.exe: deleted 58880 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\User\Application Data\antivirus.exe
    C:\Documents and Settings\User\My Documents\WNSXS~1
    C:\Documents and Settings\All Users.\documents\settings\bot.dll
    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
    C:\Documents and Settings\LocalService\Application Data\install.dat
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Documents and Settings\LocalService\Desktop\searchus.exe
    C:\Documents and Settings\NetworkService\Application Data\.rdr.ini
    C:\Documents and Settings\NetworkService\Application Data\install.dat
    C:\Documents and Settings\NetworkService\Desktop\searchus.exe
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\n.ini
    C:\Program Files\Common Files\asks~1
    C:\Program Files\Common Files\curity~1
    C:\Program Files\Common Files\fnts~1
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Internet Explorer\vihizy121.dll
    C:\Program Files\Internet Explorer\vihizy185.dll
    C:\Program Files\Internet Explorer\vihizy22.dll
    C:\Program Files\Internet Explorer\vihizy226.dll
    C:\Program Files\Internet Explorer\vihizy230.dll
    C:\Program Files\Internet Explorer\vihizy277.dll
    C:\Program Files\Internet Explorer\vihizy281.dll
    C:\Program Files\Internet Explorer\vihizy377.dll
    C:\Program Files\Internet Explorer\vihizy401.dll
    C:\Program Files\Internet Explorer\vihizy405.dll
    C:\Program Files\Internet Explorer\vihizy441.dll
    C:\Program Files\Internet Explorer\vihizy464.dll
    C:\Program Files\Internet Explorer\vihizy470.dll
    C:\Program Files\Internet Explorer\vihizy52.dll
    C:\Program Files\Internet Explorer\vihizy526.dll
    C:\Program Files\Internet Explorer\vihizy54.dll
    C:\Program Files\Internet Explorer\vihizy542.dll
    C:\Program Files\Internet Explorer\vihizy549.dll
    C:\Program Files\Internet Explorer\vihizy598.dll
    C:\Program Files\Internet Explorer\vihizy688.dll
    C:\Program Files\Internet Explorer\vihizy721.dll
    C:\Program Files\Internet Explorer\vihizy733.dll
    C:\Program Files\Internet Explorer\vihizy740.dll
    C:\Program Files\Internet Explorer\vihizy759.dll
    C:\Program Files\Internet Explorer\vihizy774.dll
    C:\Program Files\Internet Explorer\vihizy808.dll
    C:\Program Files\Internet Explorer\vihizy824.dll
    C:\Program Files\Internet Explorer\vihizy910.dll
    C:\Program Files\Internet Explorer\vihizy978.dll
    C:\Program Files\Internet Explorer\vihizy983.dll
    C:\Program Files\ISM
    C:\Program Files\ISM\adblcupd.exe
    C:\Program Files\ISM\anticaupd.exe
    C:\Program Files\ISM\archupd.exe
    C:\Program Files\ISM\BndDrive2.dll
    C:\Program Files\ISM\BndDrive3.dll
    C:\Program Files\ISM\BndDrive6.dll
    C:\Program Files\ISM\BndDrive7.dll
    C:\Program Files\ISM\bndloader.exe
    C:\Program Files\ISM\dictionary.gz
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\kazooupd.exe
    C:\Program Files\ISM\syncupd.exe
    C:\Program Files\ISM\synupd.exe
    C:\Program Files\ISM\targets.gz
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\ISM2
    C:\Program Files\ISM2\cringupd.exe
    C:\Program Files\ISM2\dictionary.gz
    C:\Program Files\ISM2\ISMPack5.exe
    C:\Program Files\ISM2\ISMPack6.exe
    C:\Program Files\ISM2\ISMPack7.exe
    C:\Program Files\ISM2\ISMPack8.exe
    C:\Program Files\ISM2\targets.gz
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\smante~1
    C:\WINDOWS\asembl~1
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
    C:\WINDOWS\racle~1
    C:\WINDOWS\rau001978.exe
    C:\WINDOWS\smante~1
    C:\WINDOWS\sstem3~1
    C:\WINDOWS\sstem3~1\s?stem32\
    C:\WINDOWS\system32\awvvt.dll
    C:\WINDOWS\system32\b02FdUe
    C:\WINDOWS\system32\b06FdUe
    C:\WINDOWS\SYSTEM32\clkuhyko.ini
    C:\WINDOWS\system32\cnbajhus.exe
    C:\WINDOWS\system32\config\system~1\Applic~1\Microsoft\20509.dat
    C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
    C:\WINDOWS\system32\csvbrvgg.dll
    C:\WINDOWS\system32\dobe~1
    C:\WINDOWS\system32\dodfljjf.exe
    C:\WINDOWS\system32\driver
    C:\WINDOWS\system32\drivers\IP6FW.SYS
    C:\WINDOWS\system32\drivers\symavc32.sys
    C:\WINDOWS\system32\drivers\VHKN41.sys
    C:\WINDOWS\system32\fccbaay.dll
    C:\WINDOWS\SYSTEM32\flfimflf.ini
    C:\WINDOWS\system32\flfmiflf.dll
    C:\WINDOWS\SYSTEM32\gcmjvxgs.ini
    C:\WINDOWS\system32\gmyykbmu.dll
    C:\WINDOWS\system32\lanmandrv.sys
    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\system32\ljjihhe.dll
    C:\WINDOWS\system32\n.ini
    C:\WINDOWS\system32\nmopcqeg.dll
    C:\WINDOWS\system32\ntvihfpw.dll
    C:\WINDOWS\system32\okyhuklc.dll
    C:\WINDOWS\system32\racle~1
    C:\WINDOWS\system32\sgxvjmcg.dll
    C:\WINDOWS\system32\tsks~1
    C:\WINDOWS\SYSTEM32\tvvwa.bak1
    C:\WINDOWS\SYSTEM32\tvvwa.bak2
    C:\WINDOWS\SYSTEM32\tvvwa.ini
    C:\WINDOWS\SYSTEM32\umbkyymg.ini
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\winnb58.dll
    C:\WINDOWS\system32\wisydfdm.dll
    C:\WINDOWS\system32\wnsapiisv32.exe
    C:\WINDOWS\system32\wowfx.dll
    C:\WINDOWS\system32\Z1
    C:\WINDOWS\system32\Z1\mwspasrt83122.exe
    C:\WINDOWS\system32\Z11
    C:\WINDOWS\system32\Z11\z53.exe
    C:\WINDOWS\system32\Z3
    C:\WINDOWS\system32\Z5
    C:\WINDOWS\system32\Z7
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\uni_eh44.exe
    C:\WINDOWS\uninst1014.exe
    C:\WINDOWS\vgztmvt.exe
    C:\WINDOWS\wnsxs~1
    C:\Documents and Settings\All Users.\documents\settings

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_ASC3550U
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_FOPN
    -------\LEGACY_ICF
    -------\LEGACY_LANMANDRV
    -------\LEGACY_NDNET1
    -------\LEGACY_NETWORK_MONITOR
    -------\LEGACY_RUNTIME
    -------\LEGACY_RUNTIME2
    -------\LEGACY_SYMAVC32
    -------\LEGACY_VHKN41
    -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
    .

    2007-12-27 15:19 . 2007-12-27 15:43 1,393 --a------ C:\WINDOWS\imsins.BAK
    2007-12-27 14:05 . 2007-12-27 14:09 696 --a------ C:\WINDOWS\wininit.ini
    2007-12-27 13:47 . 2007-12-27 13:47 <DIR> d-------- C:\Program Files\EliteProtector
    2007-12-27 12:02 . 2007-12-27 12:02 <DIR> d-------- C:\Program Files\CCleaner
    2007-12-27 11:40 . 2004-12-21 19:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
    2007-12-27 11:40 . 2004-12-21 19:56 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
    2007-12-02 15:33 . 2007-12-21 17:32 1,414,970 --ahs---- C:\WINDOWS\SYSTEM32\xtfbcquu.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-27 21:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-27 20:50 --------- d-----w C:\Program Files\SpywareBlaster
    2007-12-27 20:24 --------- d-----w C:\Program Files\QuickTime
    2007-11-23 22:46 181,760 ----a-w C:\WINDOWS\system32\drivers\Vhbx42.sys
    2007-11-21 00:11 181,760 ----a-w C:\WINDOWS\system32\drivers\Pkv48.sys
    2007-11-20 15:18 181,760 ----a-w C:\WINDOWS\system32\drivers\Ibkq51.sys
    2007-11-14 07:26 450,560 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    2007-10-11 06:13 96,256 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
    2007-10-11 06:13 659,456 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
    2007-10-11 06:13 615,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
    2007-10-11 06:13 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
    2007-10-11 06:13 532,480 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
    2007-10-11 06:13 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
    2007-10-11 06:13 449,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
    2007-10-11 06:13 39,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
    2007-10-11 06:13 357,888 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
    2007-10-11 06:13 251,392 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
    2007-10-11 06:13 205,312 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
    2007-10-11 06:13 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
    2007-10-11 06:13 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
    2007-10-11 06:13 146,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
    2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
    2007-10-11 06:13 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
    2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
    2007-10-10 11:16 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
    2005-07-29 23:24 472 --sha-r C:\WINDOWS\QWFyb24gQ29wZWxhbmQ\kqIVvZb0kZ6TtqU1vAk.vbs
    2007-01-10 04:03 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2603AE66-A301-4826-B383-287B6ACC1F46}]
    C:\Program Files\MSN Gaming Zone\ryvy83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50D8D20D-4278-44FD-855D-7B926A4B0324}]
    C:\Program Files\MSN Gaming Zone\ryvy4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B2432DA-E58D-4C9A-AE60-7C856A4E903F}]
    2007-12-06 15:44 598016 --a------ C:\WINDOWS\msagent\CHARS\odsocm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{932AE59C-7E7F-441F-B2E7-8449719064BE}]
    C:\Program Files\MSN Gaming Zone\ryvy4444.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaxvw]
    ddcaxvw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\odsocm]
    C:\WINDOWS\msagent\CHARS\odsocm.dll 2007-12-06 15:44 598016 C:\WINDOWS\MSAGENT\CHARS\odsocm.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^findfast.exe]
    path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
    backup=C:\WINDOWS\pss\findfast.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
    backup=C:\WINDOWS\pss\autorun.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00507249]
    rundll32.exe C:\WINDOWS\system32\gmyykbmu.dll,b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
    C:\WINDOWS\avp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
    2004-06-18 07:30 290816 --a------ C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    C:\Program Files\Dell Support\DSAgnt.exe /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe -winstart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6000 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU C:\WINDOWS\TEMP\E_S12C.tmp /EF HKLM

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g4356cbvy63]
    C:\WINDOWS\g4356cbvy63

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-09-20 09:32 77824 --a------ C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-09-20 09:36 114688 --a------ C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2005-09-20 09:35 94208 --a------ C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2005-07-25 11:01 1397760 --------- C:\Program Files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2004-06-03 00:50 204800 --a------ C:\Program Files\Microsoft IntelliPoint\point32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-03 18:12 221184 --a------ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01]
    C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe -l

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
    C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lanmanwrk.exe]
    C:\WINDOWS\System32\lanmanwrk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2003-12-10 03:52 380928 --a------ C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2004-04-11 18:15 290816 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
    C:\WINDOWS\system32\printer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule9]
    C:\Program Files\QdrModule\QdrModule9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
    mgrs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-06-30 11:33 1388544 --a------ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
    C:\WINDOWS\system32\spoolvs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2003-11-19 15:48 32881 --a------ C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
    2004-06-03 00:51 172032 --a------ C:\Program Files\Microsoft IntelliType Pro\type32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vgztmvtA]
    C:\WINDOWS\vgztmvtA.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
    C:\Program Files\WinAntiSpyware 2007\was7.exe /min

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    2003-12-09 13:02 57344 --a------ C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
    C:\WINDOWS\win320594527222007.exe SKY009

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NetSvc"=3 (0x3)
    "KodakCCS"=3 (0x3)
    "InCDsrv"=2 (0x2)
    "EarthLinkMonitor"=2 (0x2)
    "dlbt_device"=3 (0x3)
    "WMPNetworkSvc"=3 (0x3)
    "DomainService"=2 (0x2)

    S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
    S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-27 16:16:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\msagent\CHARS\odsocm.dll

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\msagent\CHARS\odsocm.dll
    .
    Completion time: 2007-12-27 16:18:33 - machine was rebooted
    .
    2007-12-27 23:24:42 --- E O F ---

    And the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:21:30 PM, on 12/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\User\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90BCDAB2-D453-488B-A53C-EDEEA39A76A1}: NameServer = 207.69.188.185,207.69.188.186

    --
    End of file - 3460 bytes

    Things seem to be OK after that ComboFix run. Look OK now?
     
    Last edited: Dec 27, 2007
  8. QuikDraw

    QuikDraw Regular member

    Joined:
    Sep 29, 2007
    Messages:
    827
    Likes Received:
    0
    Trophy Points:
    26
    Logs are clean. Follow up with a registry cleaner. Run Disk Cleanup and Defragmenter. How's the PC running?
     
  9. neurokasm

    neurokasm Member

    Joined:
    Sep 8, 2005
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    16
    Running as it should. Thanks a ton for your help, QuikDraw! =D
     
    Last edited: Dec 28, 2007
  10. QuikDraw

    QuikDraw Regular member

    Joined:
    Sep 29, 2007
    Messages:
    827
    Likes Received:
    0
    Trophy Points:
    26
    Great! Bye now.
     
