Old 09-24-2009, 07:37 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 3
OS: xp


Hijackthis results... please help

Hi.
I'm getting bad image errors and I saw in another thread to scan with hijackthis and post the log results on a thread here. Below is the log. If I did this incorrectly, please let me know.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:49 PM, on 9/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WWCnt\WwcNT.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.2.203:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.lge.com;<local>
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: 204.79.148.110 LGEUSSECNJ5Q
O1 - Hosts: 204.79.148.110 LGEUSSECNJ5Q
O1 - Hosts: http://ilerpap02.lgeil.com:8000/dev60cgi/f60cgi
O1 - Hosts: test server entry
O1 - Hosts: Please find the url
O1 - Hosts: http://iltestap.lgeil.com:8001
O1 - Hosts: host file entry -
O1 - Hosts: tns entry :
O1 - Hosts: ILTEST= (DESCRIPTION=
O1 - Hosts: (ADDRESS=(PROTOCOL=tcp)(HOST=iltest)(PORT=1522))
O1 - Hosts: (CONNECT_DATA=(SID=ILTEST))
O1 - Hosts: )
O1 - Hosts: ILDEV Entry
O1 - Hosts: http://iltestap.lgeil.com:8002
O1 - Hosts: ILDEV =
O1 - Hosts: (DESCRIPTION =
O1 - Hosts: (ADDRESS_LIST =
O1 - Hosts: (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.20.121)(PORT = 1523))
O1 - Hosts: )
O1 - Hosts: (CONNECT_DATA =
O1 - Hosts: (SERVICE_NAME = ILDEV)
O1 - Hosts: )
O1 - Hosts: )
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Pvutohotucejaqa] rundll32.exe "C:\WINDOWS\idiyugupiditem.dll",Startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.lge.com
O16 - DPF: {1455BE02-C41B-4115-B21C-32380507DC8F} (MxTextAreaU Class) - file://C:\WINDOWS\Temp\MxTextAreaU.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {19A9C0F9-C5FB-46A0-8B6D-A9E2D2944FEF} (Findprog Control) - http://136.166.10.66/wwscan/Findprog.cab
O16 - DPF: {223216F6-B9FE-406D-9ED6-143FCE3A07B8} (MxLogicalTRU Class) - file://C:\WINDOWS\Temp\MxLogicalTRU.cab
O16 - DPF: {2F98EA90-EAE1-4AB5-AE89-DA073D824589} (MxBinderU Class) - file://C:\WINDOWS\Temp\MxBinderU.cab
O16 - DPF: {3042C30E-50B7-44EF-B4B6-C9AB391DEF78} (Manager Class) - http://display-gscp.lge.com:8003/gau...nt/Manager.cab
O16 - DPF: {31538FAB-8051-4CFA-ACA4-B2668718B6F8} (MxMenuU Class) - file://C:\WINDOWS\Temp\MxMenuU.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.0.cab
O16 - DPF: {4F57AF1B-5470-47EE-A5AA-D1EA4B3C42A6} (XChartU Class) - file://C:\WINDOWS\Temp\XChartU.cab
O16 - DPF: {5C32688E-CEBE-419D-9C63-0704A2331EEC} (MxFileControlU Class) - file://C:\WINDOWS\Temp\MxFileControlU.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {71E7ACA0-EF63-4055-9894-229B056E9C31} (MxGridU Class) - file://C:\WINDOWS\Temp\MxGridU.cab
O16 - DPF: {90CAA259-71ED-42CB-BEB8-95281CCF9E58} (MxTabU Class) - file://C:\WINDOWS\Temp\MxTabU.cab
O16 - DPF: {9683681E-FAD6-45F1-86B3-FD60C7101BC9} (MxReportU Class) - file://C:\WINDOWS\Temp\MxReportU.cab
O16 - DPF: {9F0AA341-1D10-4B18-B70B-6AA49CE7F5D6} (MxImageSetU Class) - file://C:\WINDOWS\Temp\MxImageSetU.cab
O16 - DPF: {AF989B7C-8AC3-40BC-B749-EB335BDFD190} (MxDataSetU Class) - file://C:\WINDOWS\Temp\MxDataSetU.cab
O16 - DPF: {BB4533A0-85E0-4657-9BF2-E8E7B100D47E} (MxComboU Class) - file://C:\WINDOWS\Temp\MxComboU.cab
O16 - DPF: {C1781C5C-0C32-40F2-8927-46FE4BCB5B87} (MxTreeU Class) - file://C:\WINDOWS\Temp\MxTreeU.cab
O16 - DPF: {D7779973-9954-464E-9708-DA774CA50E13} (MxMaskEditU Class) - file://C:\WINDOWS\Temp\MxMaskEditU.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F73C0958-D8FE-43A5-9BB0-0F651C5A2BCC} (MxRadioU Class) - file://C:\WINDOWS\Temp\MxRadioU.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LGE.NET
O17 - HKLM\Software\..\Telephony: DomainName = LGE.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LGE.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LGE.NET
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Ww Client for NT (WWC) - Waterwall Systems Co,. Ltd. - C:\WWCnt\WwcNT.exe

--
End of file - 8527 bytes
hwsuh82 is offline  

Old 09-25-2009, 12:10 AM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,016
OS: WinXP and Vista


Re: Hijackthis results... please help

Hello hwsuh82 and welcome.

HijackThis is no longer the preferred initial scanning tool in this forum as it no longer provides enough information in regard to today's malware. Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


**Please note this section of the forum is very busy, so be sure to familiarize yourself with the Bumping Rules also found in our sticky topic mentioned above. One of our Analysts will review your log as soon as possible.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-03-2009, 04:21 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 3
OS: xp


Re: Hijackthis results... please help

I followed the instructions and ran another scan. The problem I am having is that whenever I try to run something, I get a Bad Image error, but once I click OK, the program runs.


DDS (Ver_09-09-29.01) - NTFSx86
Run by lguser at 17:51:25.98 on Sat 10/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.186 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {FF8F073D-E29C-48F4-B771-5B91BD1C16DE}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WWCnt\WwcNT.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
svchost
C:\Documents and Settings\lgeuser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 10.101.2.203:80
uInternet Settings,ProxyOverride = *.lge.com;<local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [Pvutohotucejaqa] rundll32.exe "c:\windows\idiyugupiditem.dll",Startup
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: lge.com
DPF: {1455BE02-C41B-4115-B21C-32380507DC8F} - file://c:\windows\temp\MxTextAreaU.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {19A9C0F9-C5FB-46A0-8B6D-A9E2D2944FEF} - hxxp://136.166.10.66/wwscan/Findprog.cab
DPF: {223216F6-B9FE-406D-9ED6-143FCE3A07B8} - file://c:\windows\temp\MxLogicalTRU.cab
DPF: {2F98EA90-EAE1-4AB5-AE89-DA073D824589} - file://c:\windows\temp\MxBinderU.cab
DPF: {3042C30E-50B7-44EF-B4B6-C9AB391DEF78} - hxxp://display-gscp.lge.com:8003/gaucecomponent/Manager.cab
DPF: {31538FAB-8051-4CFA-ACA4-B2668718B6F8} - file://c:\windows\temp\MxMenuU.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {4F57AF1B-5470-47EE-A5AA-D1EA4B3C42A6} - file://c:\windows\temp\XChartU.cab
DPF: {5C32688E-CEBE-419D-9C63-0704A2331EEC} - file://c:\windows\temp\MxFileControlU.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {71E7ACA0-EF63-4055-9894-229B056E9C31} - file://c:\windows\temp\MxGridU.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {90CAA259-71ED-42CB-BEB8-95281CCF9E58} - file://c:\windows\temp\MxTabU.cab
DPF: {9683681E-FAD6-45F1-86B3-FD60C7101BC9} - file://c:\windows\temp\MxReportU.cab
DPF: {9F0AA341-1D10-4B18-B70B-6AA49CE7F5D6} - file://c:\windows\temp\MxImageSetU.cab
DPF: {AF989B7C-8AC3-40BC-B749-EB335BDFD190} - file://c:\windows\temp\MxDataSetU.cab
DPF: {BB4533A0-85E0-4657-9BF2-E8E7B100D47E} - file://c:\windows\temp\MxComboU.cab
DPF: {C1781C5C-0C32-40F2-8927-46FE4BCB5B87} - file://c:\windows\temp\MxTreeU.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D7779973-9954-464E-9708-DA774CA50E13} - file://c:\windows\temp\MxMaskEditU.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F73C0958-D8FE-43A5-9BB0-0F651C5A2BCC} - file://c:\windows\temp\MxRadioU.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\cru629.dat
LSA: Notification Packages = scecli tugokira.dll dugabise.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-9-20 12552]
R0 FileHook;SAFASOFT File System Filter;c:\windows\system32\drivers\filehook.sys [2008-8-12 45952]
R0 SFCDEX;WaterWall SFCDEX Filter;c:\windows\system32\drivers\sfcdex.sys [2009-7-24 10240]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-20 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-20 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-20 108552]
R1 PROCHIDE;ProcHide Driver;c:\windows\system32\drivers\ProcHide.sys [2008-8-12 5632]
R1 Safandrv;Safandrv;c:\windows\system32\drivers\safandrv.sys [2008-8-12 16191]
R1 SFkbd;SAFASOFT Keyboard Filter;c:\windows\system32\drivers\SFKbd.sys [2008-8-12 4992]
R1 SFMouse;SAFASOFT Mouse Filter;c:\windows\system32\drivers\SFMouse.sys [2008-8-12 5632]
R1 SFReg;SAFASOFT Registry Filter;c:\windows\system32\drivers\SFReg.sys [2008-8-12 13824]
R1 SFRes;SAFASOFT Resource Driver;c:\windows\system32\drivers\SFRes.sys [2008-8-12 34688]
R2 SDFA;SDFA Driver;c:\windows\system32\drivers\SDFA.SYS [2008-8-12 40960]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2005-11-9 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2005-11-9 36368]
R2 WWC;Ww Client for NT;c:\wwcnt\WwcNT.exe [2008-8-12 925802]
R3 WwHook;WwHook;c:\windows\system32\drivers\Wwhook.sys [2008-8-12 7867]
S3 FDDec;SAFASOFT Encrpty Mobile Driver;c:\windows\system32\drivers\FDDec.SYS [2008-8-12 32384]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-9-5 58240]
S3 SFfolder;SAFASOFT Encrpty Folder Driver;c:\windows\system32\drivers\SFFOLDER.SYS [2008-8-12 35200]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\zteusbser.sys [2008-9-25 100480]
S4 ADAgent;ADAgentService;c:\program files\lgead\ADAgentService.exe [2008-8-13 586752]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-20 297752]
S4 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2007-10-2 233552]

=============== Created Last 30 ================

2009-10-03 17:46 <DIR> --d----- c:\windows\ContLog
2009-09-23 19:23 1,949 a------- c:\windows\wininit.ini
2009-09-20 16:31 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-20 16:25 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-09-20 16:25 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-20 16:25 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-20 16:25 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-20 16:24 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-20 16:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-20 16:24 <DIR> --d----- c:\program files\AVG
2009-09-20 16:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-17 23:47 6,144 a------- c:\windows\system32\cru629.dat
2009-09-17 23:09 0 a------- c:\windows\Sfogodadodexa.bin
2009-09-17 23:09 120 a------- c:\windows\Wlokofajahi.dat
2009-09-17 20:41 <DIR> --d----- c:\program files\DivX
2009-09-15 11:47 3,254 a------- c:\windows\system32\wbem\Outlook_01ca361be665ef9c.mof
2009-09-09 23:00 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-19 23:10 45,952 a------- c:\windows\system32\drivers\filehook.sys
2009-09-19 23:10 32,384 a------- c:\windows\system32\drivers\FDDec.SYS
2009-09-19 23:10 16,191 a------- c:\windows\system32\drivers\safandrv.sys
2009-09-19 23:10 5,632 a------- c:\windows\system32\drivers\ProcHide.sys
2009-09-19 23:10 40,960 a------- c:\windows\system32\drivers\SDFA.SYS
2009-09-19 23:10 35,200 a------- c:\windows\system32\drivers\SFFOLDER.SYS
2009-09-19 23:10 34,688 a------- c:\windows\system32\drivers\SFRes.sys
2009-09-19 23:10 10,240 a------- c:\windows\system32\drivers\sfcdex.sys
2009-09-19 23:10 5,632 a------- c:\windows\system32\drivers\SFMouse.sys
2009-09-19 23:10 4,992 a------- c:\windows\system32\drivers\SFKbd.sys
2009-09-19 23:09 7,867 -------- c:\windows\system32\drivers\Wwhook.sys
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-26 22:08 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-25 19:50 19,168 a------- c:\program files\common files\ozasifuhad.vbs
2009-08-25 19:50 17,748 a------- c:\windows\cylalobuw.dll
2009-08-25 19:50 15,562 a------- c:\windows\system32\uqufugeba.scr
2009-08-25 19:50 13,269 a------- c:\windows\system32\isawiq.vbs
2009-08-25 19:50 12,467 a------- c:\program files\common files\kejozehoza.lib
2009-08-25 19:50 10,802 a------- c:\docume~1\lgeuser\applic~1\qosyl.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-30 08:54 0 ---shr-- C:\eej2.exe
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-25 05:23 411,368 ac------ c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll

============= FINISH: 17:55:31.10 ===============


I was trying to attach the zip file but my computer has a WaterWall program that is restricting uploading of the file. Is there another way to upload the other logs?
hwsuh82 is offline  
Old 10-04-2009, 08:50 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,016
OS: WinXP and Vista


Re: Hijackthis results... please help

If you can't disable Water Wall for a moment to attach those, then copy/paste them into your reply.
Ried is offline  
Old 10-04-2009, 01:28 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 3
OS: xp


Re: Hijackthis results... please help

Below is the Attach log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/29/2007 6:56:39 AM
System Uptime: 10/3/2009 5:44:32 PM (0 hours ago)

Motherboard: IBM | | 1875DLU
Processor: Intel(R) Pentium(R) M processor 1.73GHz | None | 1729/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 40.789 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 9/23/2009 6:43:12 PM - System Checkpoint
RP2: 9/23/2009 6:43:14 PM - System Checkpoint

==== Installed Programs ======================

32 Bit HP BiDi Channel Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.1
AT&T Global Network Client
AVG 8.5
Canon MP Navigator 2.2
Canon MP530
Canon MP530 User Registration
Canon Utilities Easy-PhotoPrint
Citrix Program Neighborhood
Compatibility Pack for the 2007 Office system
Easy-WebPrint
GOM Player
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
i2 Sales & Operations Management 6.2.1.1
i2 Sales & Operations Management 6.2.1.3
IBM Integrated 56K Modem
IBM ThinkPad Power Management Driver
IBM ThinkPad UltraNav Driver
Intel(R) Graphics Media Accelerator Driver for Mobile
Java(TM) 6 Update 15
Juniper Networks Network Connect 5.2.0
Juniper Networks Network Connect 5.5.0
LG ActiveDirectory Service
LimeWire 5.2.13
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
mIRC
MSN
MSN Toolbar
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
OGA Notifier 2.0.0048.0
PANTECH PC Card Software
Picasa 3
Presto! PageManager 7.15.14
Real Alternative 1.8.4
ScanSoft OmniPage SE 4.0
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Segoe UI
SimCity 3000
SMS Advanced Client
Spybot - Search & Destroy
ThinkPad UltraNav Wizard
Trend Micro OfficeScan Client
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.5
VZAccess Manager
WebFldrs XP
Windows Driver Package - Intel (NETw3x32) net (10/17/2006 10.5.1.72)
Windows Driver Package - Intel (w29n51) net (10/25/2006 9.0.4.26)
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Service Pack 3
WinVNC 3.3.3
WinZip 12.1
WWC
ZTE CDMA1X MODEM

==== Event Viewer Messages From Past Week ========

9/30/2009 10:16:45 PM, error: NETLOGON [5719] - No Domain Controller is available for domain LGE due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
9/29/2009 11:20:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
9/29/2009 11:20:03 AM, error: Service Control Manager [7000] - The adfs service failed to start due to the following error: The system cannot find the file specified.
10/1/2009 12:03:15 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

==== End Of File ===========================



Below is the Ark log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-03 18:13:22
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\lgeuser\LOCALS~1\Temp\aflirkow.sys


---- System - GMER 1.0.15 ----

Code 831494B0 ZwEnumerateKey
Code 8317D548 ZwFlushInstructionCache
Code 8315C0EE ZwSaveKey
Code 8315368E ZwSaveKeyEx
Code 832A2E16 IofCallDriver
Code 8313B306 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs FileHook.sys (Filesystem Filter Driver(New)/Waterwall Systems Co.,Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SFkbd.SYS (Keyboard Filter Driver 2KXP/WaterWallSystems Co., Ltd.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SFkbd.SYS (Keyboard Filter Driver 2KXP/WaterWallSystems Co., Ltd.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 SFCDEX.sys (Waterwall CD Filter/WaterWallSystems Co., Ltd.)
Device \Driver\atapi \Device\Ide\IdePort0 SFCDEX.sys (Waterwall CD Filter/WaterWallSystems Co., Ltd.)
Device \Driver\atapi \Device\Ide\IdePort1 SFCDEX.sys (Waterwall CD Filter/WaterWallSystems Co., Ltd.)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e SFCDEX.sys (Waterwall CD Filter/WaterWallSystems Co., Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\irda \Device\IrDA WwHook.SYS (Hook Driver./WaterwallSystems Co,. Ltd.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkyxumoqoeh.sys (*** hidden *** ) [SYSTEM] gasfkyhlrndovy <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy@imagepath \systemroot\system32\drivers\gasfkyxumoqoeh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main\delete@C:\DOCUME~1\lgeuser\LOCALS~1\Temp\gasfkysiwtxvfrpp.tmp
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main\delete@C:\DOCUME~1\lgeuser\LOCALS~1\Temp\gasfkyqxdcilqqhf.tmp
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyxumoqoeh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\modules@gasfkycmd.dll \systemroot\system32\gasfkyrhvwqtym.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\modules@gasfkylog.dat \systemroot\system32\gasfkypulkxrrw.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\modules@gasfkywsp.dll \systemroot\system32\gasfkyipkmpyvo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\modules@gasfky.dat \systemroot\system32\gasfkytkdblusb.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\modules@gasfkywsp8y.dll \systemroot\system32\gasfkyrnotviqj.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy@imagepath \systemroot\system32\drivers\gasfkyxumoqoeh.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main@aid 10096
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main\delete@C:\DOCUME~1\lgeuser\LOCALS~1\Temp\gasfkysiwtxvfrpp.tmp
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main\delete@C:\DOCUME~1\lgeuser\LOCALS~1\Temp\gasfkyqxdcilqqhf.tmp
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyxumoqoeh.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\modules@gasfkycmd.dll \systemroot\system32\gasfkyrhvwqtym.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\modules@gasfkylog.dat \systemroot\system32\gasfkypulkxrrw.dat
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\modules@gasfkywsp.dll \systemroot\system32\gasfkyipkmpyvo.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\modules@gasfky.dat \systemroot\system32\gasfkytkdblusb.dat
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy\modules@gasfkywsp8y.dll \systemroot\system32\gasfkyrnotviqj.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Identities 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Juniper Networks 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Macromedia 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Microsoft 0 bytes
File C:\DRIVERS\WIN\WLANINT\XP\Apps\IA32E\iProLang\cache 0 bytes
File C:\DRIVERS\WIN\WLANINT\XP\Apps\IA32E\iProLang\IEToolbar.dll 1062144 bytes executable
File C:\DRIVERS\WIN\WLANINT\XP\Apps\IA32E\iProLang\Languages 0 bytes

---- EOF - GMER 1.0.15 ----
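An added example, not from this thread or from GMER: a small Python triage helper that reads the GMER 1.0.15 log format shown above, picks out services GMER marks `*** hidden ***`, and gathers the registry entries and file names that belong to that service so the analyst has a single list to review. The sample log is a constructed excerpt built from the names in the posted log; the function names are mine.

```python
import re

# Constructed excerpt in GMER 1.0.15 log format, using the names from the log
# posted in this thread (not the full log).
SAMPLE_GMER_LOG = r"""---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkyxumoqoeh.sys (*** hidden *** ) [SYSTEM] gasfkyhlrndovy <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy@imagepath \systemroot\system32\drivers\gasfkyxumoqoeh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyhlrndovy\modules@gasfkycmd.dll \systemroot\system32\gasfkyrhvwqtym.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkyhlrndovy@imagepath \systemroot\system32\drivers\gasfkyxumoqoeh.sys
"""

# "Service <image> (*** hidden *** ) [<start type>] <service name> ..."
HIDDEN_SERVICE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
# "Reg HKLM\SYSTEM\<ControlSet>\Services\<name>[\subkey][@value[ data]]"
REG_ENTRY = re.compile(
    r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\(\w+)(\\[^@ ]*)?(?:@(\S+))?(?: (.*))?$")


def triage(log: str) -> dict:
    # Pass 1: services GMER could not see through the normal API (hidden).
    services = {}
    for line in log.splitlines():
        m = HIDDEN_SERVICE.match(line)
        if m:
            image, start, name = m.groups()
            services[name] = {"image": image, "start": start, "artifacts": []}
    # Pass 2: every registry value under a hidden service's key, in any ControlSet.
    for line in log.splitlines():
        m = REG_ENTRY.match(line)
        if m and m.group(2) in services and m.group(4) is not None:
            cset, name, subkey, value, data = m.groups()
            services[name]["artifacts"].append((cset, (subkey or "") + "@" + value, data))
    return services


def referenced_files(services: dict) -> set:
    # Basenames of files named by the image path or by registry data; the on-disk
    # names are randomised, so these entries are the only place they show up.
    names = set()
    for info in services.values():
        names.add(info["image"].rsplit("\\", 1)[-1])
        for _cset, _key, data in info["artifacts"]:
            base = (data or "").rsplit("\\", 1)[-1]
            if base.lower().endswith((".sys", ".dll", ".dat", ".tmp")):
                names.add(base)
    return names
```

Running `triage` over the full log posted above yields the one hidden service with its module, injector and delete-list entries from both ControlSets; `referenced_files` then gives the file names to check for on disk after removal.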
Old 10-04-2009, 01:38 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 27,016
OS: WinXP and Vista


Re: Hijackthis results... please help

The internal information illegal outflow protection that WaterWallSystems is supposed to provide isn't going to be much help if you use programs such as Limewire for music or movie file sharing. I'm not sure how this tool may interfere with our tools, so you may have to uninstall it temporarily so we can remove the rootkit.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum