04-04-2008, 08:09 AM   #3
gnip gnop
Registered User
 
Join Date: Mar 2008
Posts: 4
OS: xp home sp2


Re: mljgh.dll won't go away

Hi Aaflac,

I understand that you're overwhelmed on this forum. Thanks for the work that you do.

Because this was my work computer, I had to get it back up and running, so I actually had already followed an earlier post on using ComboFix. Here is the output from that run, followed by my HijackThis log. Things seem to be running much better now.

gnip gnop

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-03-27.1 - 2008-04-02 17:09:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.256 [GMT -4:00]
Running from: c:\Documents and Settings\Dan\Desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb755e6d2.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\agjsmqab.dll
C:\WINDOWS\system32\bgevggvs.dll
C:\WINDOWS\system32\bkfidyia.dll
C:\WINDOWS\SYSTEM32\cbadd.ini
C:\WINDOWS\SYSTEM32\cbadd.ini2
C:\WINDOWS\system32\dpnxkbgb.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\efcdbcb.dll
C:\WINDOWS\SYSTEM32\hgjlm.ini
C:\WINDOWS\SYSTEM32\hgjlm.ini2
C:\WINDOWS\system32\opnooli.dll
C:\WINDOWS\SYSTEM32\rekucgvs.ini
C:\WINDOWS\system32\svgcuker.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 15:24 . 2008-04-02 16:51 <DIR> d-------- C:\VundoFix Backups
2008-04-01 15:23 . 2005-10-19 08:59 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-04-01 11:07 . 2008-04-01 11:07 <DIR> d-------- C:\Program Files\MSBuild
2008-04-01 11:00 . 2008-04-01 11:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-04-01 10:59 . 2008-04-01 10:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-01 10:57 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-04-01 10:56 . 2008-04-01 10:56 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-01 10:16 . 2008-04-01 10:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-31 22:10 . 2008-03-31 23:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-31 22:10 . 2008-03-31 22:47 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-31 22:10 . 2008-03-31 22:47 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-31 22:10 . 2008-03-31 22:47 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-31 14:48 . 2008-03-31 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-31 14:46 . 2008-04-02 11:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-31 14:46 . 2008-03-31 14:46 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2008-03-31 13:13 . 2008-03-31 13:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-31 13:02 . 2008-03-31 13:02 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Grisoft
2008-03-31 13:00 . 2008-03-31 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-31 13:00 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-03-30 22:32 . 2008-03-30 22:32 <DIR> d-------- C:\Program Files\StartupList
2008-03-30 22:31 . 2008-03-30 22:31 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-03-28 13:47 . 2008-03-28 13:47 <DIR> d-------- C:\Deckard
2008-03-28 12:53 . 2008-02-27 13:05 3,654,696 --a------ C:\procexp.exe
2008-03-28 12:53 . 2007-08-31 05:36 72,138 --a------ C:\procexp.chm
2008-03-27 11:36 . 2008-03-31 10:21 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-27 11:36 . 2008-03-31 14:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:36 . 2008-03-27 11:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-27 11:36 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-27 11:36 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-27 11:36 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-27 11:36 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-27 11:32 . 2004-04-23 22:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 11:32 . 2004-04-23 22:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-21 16:41 . 1999-03-02 05:01 252,699 --a------ C:\WINDOWS\SYSTEM32\OLCH2D-U.HLP
2008-03-21 16:41 . 1999-03-02 05:01 124 --a------ C:\WINDOWS\SYSTEM32\olch2d-u.cnt
2008-03-21 16:13 . 1999-03-02 06:01 1,676,408 --a------ C:\WINDOWS\SYSTEM32\olch2x32.ocx
2008-03-21 16:13 . 2005-09-08 16:26 1,204,224 --a------ C:\WINDOWS\SYSTEM32\spr32d70.dll
2008-03-21 16:12 . 2008-03-21 16:41 <DIR> d-------- C:\Program Files\eQUEST 3-6
2008-03-04 10:17 . 2008-03-04 10:17 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-04 10:17 . 2008-03-26 16:00 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\skypePM
2008-03-04 10:17 . 2008-03-04 10:17 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-03 12:31 . 2008-03-06 15:49 224 --a------ C:\WINDOWS\hpbafd.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 13:36 --------- d-----w C:\Program Files\LogMeIn
2008-04-01 15:18 --------- d-----w C:\Program Files\ESET
2008-04-01 03:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-01 03:16 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-31 18:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 15:25 --------- d-----w C:\Documents and Settings\Dan\Application Data\Skype
2008-03-21 20:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 14:17 --------- d-----w C:\Program Files\Skype
2008-02-13 14:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 15:58 --------- d-----w C:\Program Files\MSECache
2008-02-04 14:37 --------- d-----w C:\Program Files\Bassline Software
2002-08-15 16:54 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe
2007-05-22 23:14 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 54,784 --sh--w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-29 17:29 949376]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-07 12:16 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [ ]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdbcb]
efcdbcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-21 16:00 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bassline Software\\Popup\\BslPopup.exe"=
"C:\\Program Files\\Canon\\DIAS\\CnxDIAS.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 22:45:01 C:\WINDOWS\Tasks\Shutdown Computer.job"
- C:\WINDOWS\SYSTEM32\SHUTDOWN.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 17:19:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-04-02 17:24:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-02 21:24:22
Pre-Run: 64,498,368,512 bytes free
Post-Run: 64,420,503,552 bytes free
.
2008-04-01 21:35:05 --- E O F ---


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:39 AM, on 04/04/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ADVANCE INFORMATION TECHNOLOGY\Taiters\Taiters.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cris.nyserda.org/Dashboard/Login.aspx?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/entry/index....DS&appindex=DS
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {423E32C6-2EC6-11D3-A65D-005004055C6C} (NCSToolBar Class) - http://www.nymapper.com/ecwplugins/ncs.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcdbcb - efcdbcb.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5327 bytes