Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1, 08-08-2008, 12:50 PM
Registered User
 
Join Date: Jan 2007
Posts: 22
OS: xp pro


Computer has been hijacked - IE/Firefox inoperable

My laptop (running XP SP2) is messed up big time. I cannot use IE... I keep getting redirected to random webpages, and when I try to use Panda ActiveScan or any other recommended anti-virus pages, I get an error message. I can't even get to the Tech Support Forum. (I'm on my desktop right now.) I have HijackThis on the laptop, however, I'm not sure how I can post a log if I can't get to the TSF website. Please help!

rath is offline  
#2, 08-08-2008, 01:33 PM
Registered User
 
Join Date: Jan 2007
Posts: 22
OS: xp pro


Re: Computer has been hijacked - IE/Firefox inoperable

UPDATE: I have since turned my laptop off, now it won't start back up.
rath is offline  
#3, 08-09-2008, 07:02 AM
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Computer has been hijacked - IE/Firefox inoperable

Kindly explain 'it won't start back up'.

What happens when Windows tries to load?

Will Windows load in Safe Mode?

If it will load in Safe Mode, we'd need a more comprehensive set of logs than just a HijackThis scan.


Use your desktop to download necessary tools to any removable media, then transfer them to the laptop. Any reports we need can be copied to that removable media, then transferred to your desktop so they may be posted in your replies.


As noted in the final step (Step 5) of our sticky topic IMPORTANT - Read This Before Posting For Malware Removal Help....


Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

  • main.txt
  • an attached extra.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
#4, 08-09-2008, 09:22 AM
Registered User
 
Join Date: Jan 2007
Posts: 22
OS: xp pro


Re: Computer has been hijacked - IE/Firefox inoperable

Hi Ried,
Thanks for the help. Sorry for my lack of technical terminology! The laptop started back up after I went on in Safe Mode and deleted a startup process that didn't look right. I hope that didn't make this a bigger mess than it already is! Here's the DSS log:



Deckard's System Scanner v20071014.68
Run by THOMAS DEMENTI on 2008-08-09 11:57:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x0000013D


-- Last 5 Restore Point(s) --
138: 2008-08-07 20:43:45 UTC - RP1011 - Printer Driver Foxit PDF Printer Driver Installed
137: 2008-08-07 16:51:45 UTC - RP1010 - Software Distribution Service 3.0
136: 2008-08-07 07:00:22 UTC - RP1009 - Software Distribution Service 3.0
135: 2008-08-06 20:14:20 UTC - RP1008 - Installed Easy Resume Creator Pro
134: 2008-08-06 07:00:20 UTC - RP1007 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-12 03:21:16 UTC - RP874 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as THOMAS DEMENTI.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:32 AM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\RamBooster 2.0\Rambooster.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\THOMAS DEMENTI\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\THOMAS DEMENTI.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cvrmls.marketlinx.com/Login/L...?ReturnUrl=%2f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mxlivemedia browser optimizer - {17ff672b-70fd-452a-a669-d84d2c1497f2} - C:\WINDOWS\system32\qihdhapgap.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [{1a5163e5-12c4-dd30-6a7b-52415beaa843}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\qihdhapgap.dll" DllStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...OS/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://rein.mlxchange.com/Control/Mu...ctComboBox.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/Mg...B/mgaxctrl.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://rein.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://rein.mlxchange.com/3.0.10.88/...l/IRCSharc.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O21 - SSODL: tfnslopk - {C1212488-CF10-4965-A004-CD64BD60FEAB} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9634 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 VNUSB (VN Series Device) - c:\windows\system32\drivers\vnusb.sys <Not Verified; OLYMPUS IMAGING CORP.; VVRUSB Driver>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 ScsiAccess - c:\program files\photodex\proshowgold\scsiaccess.exe
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>

S4 Coafdiu -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Service: bcm4sbxp


-- Scheduled Tasks -------------------------------------------------------------

2008-08-09 11:00:00 504 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-08-09 02:22:27 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-08-06 08:32:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-08 16:40:40 0 dr-h----- C:\Documents and Settings\THOMAS DEMENTI\Recent
2008-08-08 15:09:23 0 d-------- C:\Program Files\Trend Micro
2008-08-08 13:49:06 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 12:52:39 0 d-------- C:\Program Files\Lavasoft
2008-08-08 12:52:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 12:52:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 17:25:46 0 d-------- C:\Program Files\Windows Defender
2008-08-07 16:52:29 64362 --a------ C:\WINDOWS\system32\olcdfuyknfsw.exe
2008-08-07 16:52:25 0 d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-07 16:50:33 139264 --a------ C:\WINDOWS\edsa.exe
2008-08-07 16:50:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Secure Solutions
2008-08-07 10:17:13 0 d-------- C:\Program Files\Foxit Software
2008-08-06 16:16:48 0 d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Sarm Software
2008-08-06 16:14:34 0 d-------- C:\Program Files\Sarm Software
2008-08-05 09:45:51 0 d-------- C:\Program Files\RamBooster 2.0
2008-08-04 18:01:17 0 d-------- C:\Program Files\iPod
2008-08-04 18:01:13 0 d-------- C:\Program Files\iTunes
2008-07-21 17:44:33 0 d-------- C:\Program Files\Bonjour
2008-07-21 17:43:23 0 d-------- C:\Program Files\QuickTime
2008-07-21 14:03:30 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-21 14:01:44 0 d-------- C:\Program Files\Canon
2008-07-21 13:59:52 0 d-------- C:\Program Files\Common Files\Canon
2008-07-21 10:05:48 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-07-14 09:14:12 158208 --a------ C:\WINDOWS\system32\qihdhapgap.dll


-- Find3M Report ---------------------------------------------------------------

2008-08-08 13:48:21 0 d-------- C:\Program Files\Symantec
2008-08-08 13:48:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-08 13:48:06 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-08 12:52:10 0 d-------- C:\Program Files\Common Files
2008-08-08 12:46:37 0 d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\uTorrent
2008-08-07 16:44:48 6262 --a------ C:\Documents and Settings\THOMAS DEMENTI\Application Data\wklnhst.dat
2008-08-06 10:46:07 0 d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Adobe
2008-08-04 18:02:56 0 d-------- C:\Program Files\Apple Software Update
2008-07-27 18:41:47 0 d-------- C:\Program Files\Full Tilt Poker
2008-07-26 13:15:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-21 10:05:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-17 08:24:37 0 d-------- C:\Program Files\IrfanView
2008-07-08 15:45:42 0 d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Logitech
2008-07-08 15:44:27 0 d-------- C:\Program Files\Common Files\Logishrd
2008-07-08 15:40:02 0 d-------- C:\Program Files\Logitech
2008-06-19 16:42:39 0 d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla
2008-06-03 10:09:22 6081 --a----c- C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17ff672b-70fd-452a-a669-d84d2c1497f2}]
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservicesonce
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservicesonce
HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce
HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices
HKEY_USERS\.default\software\microsoft\windows\currentversion\runservicesonce
Picasa Media Detector REG_SZ C:\Program Files\Picasa2\PicasaMediaDetector.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [7/8/2008 3:40:53 PM]
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer
HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer

Written by Bobbi Flekman 2006 (C)
GeneralFlags REG_DWORD 5 (0x5)
RestoredStateInfo REG_BINARY 180000006a02000023000000a40000009a00000001000000

REGEDIT4
"DefaultDomainName"="HAL"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions]
"NoGPOListChanges"=dword:00000001
2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
00
"MaxNoGPOListChangesInterval"=dword:00000001
00
"RequiresSuccessfulRegistry"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
74,61,6c,6c,65,72,2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00
"NoGPOListChanges"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify]
"Logoff"="ChainWlxLogoffEvent"
"Logoff"="CryptnetWlxLogoffEvent"
"Asynchronous"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
"Logoff"="IntelUserLogoff"
"Shutdown"="OnShutdown"
"StartShell"="LBTWLgn_STARTSHELL"
"LoginDomain"=""
"Asynchronous"=dword:00000001
"Logoff"="SchedEventLogOff"
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
"Asynchronous"=dword:00000001
"Disconnect"="TSEventDisconnect"
"Event"=dword:00000002
ed,22,fc,bc,7d,4f,83,44,c1,14,64,b2
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts]
"ASPNET"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Credentials]
Asynchronous REG_DWORD 0 (0x0)
Asynchronous REG_DWORD 0 (0x0)
DLLName REG_SZ cscdll.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn
LoginDomain REG_SZ
DLLName REG_SZ wlnotify.dll
Asynchronous REG_DWORD 0 (0x0)
Logoff REG_SZ WLEventLogoff
DLLName REG_SZ WlNotify.dll
Asynchronous REG_DWORD 0 (0x0)
Logon REG_SZ WLEventLogon
DLLName REG_SZ wlnotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
DisableHeapLookAside REG_SZ 1
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
GlobalFlag REG_SZ 0x00200000
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
GlobalFlag REG_SZ 0x00200000
DisableHeapLookAside REG_SZ 1
DisableHeapLookAside REG_SZ 1
DisableHeapLookAside REG_SZ 1
DisableHeapLookAside REG_SZ 1
CheckAppHelp REG_DWORD 1 (0x1)
ApplicationGoo REG_BINARY 140200001002000000020000040334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe000001001c0008000000000000000800000000003f00000000000000040000000100000000000000000000000000000064020000010053007400720069006e006700460069006c00650049006e0066006f00000040020000010030003400300039003000340062003000000044001200010043006f006d00700061006e0079004e0061006d0065000000000043006f00720065006c00200043006f00720070006f0072006100740069006f006e0000004e0013000100460069006c0065004400650073006300720069007000740069006f006e000000000043006f00720065006c002000530065007400750070002000570069007a00610072006400000000002c0006000100460069006c006500560065007200730069006f006e000000000038002e00300032003800000046001300010049006e007400650072006e0061006c004e0061006d006500000043006f00720065006c002000530065007400750070002000570069007a00610072006400000000006c00240001004c006500670061006c0043006f007000790072006900670068007400000043006f0070007900720069006700680074002000a900200031003900390037002c00200043006f00720065006c00200043006f00720070006f0072000800000000000000
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
DisableHeapLookAside REG_SZ 1
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
CheckAppHelp REG_DWORD 1 (0x1)
DisableHeapLookAside REG_SZ 1
CheckAppHelp REG_DWORD 1 (0x1)
GlobalFlag REG_SZ 0x000010F0
"Notification Packages scecli

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state
NextRefreshReason REG_DWORD 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List
LoggingStatus REG_DWORD 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List
SOM REG_SZ Local
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List
WQL-Id REG_SZ
NextRefreshReason REG_DWORD 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-1005\Extension-List
LoggingStatus REG_DWORD 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-1005\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-1005\GPLink-List
SOM REG_SZ Local
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-1005\GPO-List
WQL-Id REG_SZ
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-1005\Loopback-GPLink-List
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-1005\Loopback-GPO-List
NextRefreshReason REG_DWORD 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-500\Extension-List
LoggingStatus REG_DWORD 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-500\GPLink-List
SOM REG_SZ Local
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-500\GPO-List
WQL-Id REG_SZ
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-500\Loopback-GPLink-List
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2737080713-4217204644-573995376-500\Loopback-GPO-List

SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SaslProfiles
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\WDigest

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\File system]
@="Driver Group"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\RpcSs]
@="Service"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\vgasave.sys]
@="Driver"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
item REG_SZ Adobe Gamma Loader
path REG_SZ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup REG_SZ C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location REG_SZ Common Startup
command REG_SZ C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^THOMAS DEMENTI^Start Menu^Programs^Startup^Product Registration.lnk
item REG_SZ Product Registration
path REG_SZ C:\Documents and Settings\THOMAS DEMENTI\Start Menu\Programs\Startup\Product Registration.lnk
backup REG_SZ C:\WINDOWS\pss\Product Registration.lnkStartup
location REG_SZ Startup
command REG_SZ C:\PROGRA~1\COMMON~1\Logishrd\eReg\SetPoint\eReg.exe

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ
hkey REG_SZ HKLM
command REG_SZ
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ Adobe Reader Speed Launcher
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ AppleSyncNotifier
hkey REG_SZ HKLM
command REG_SZ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ ccApp
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ ctfmon.exe
hkey REG_SZ HKCU
command REG_SZ C:\WINDOWS\system32\ctfmon.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ DSAgnt
hkey REG_SZ HKCU
command REG_SZ "C:\Program Files\DellSupport\DSAgnt.exe" /startup
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ tfswctrl
hkey REG_SZ HKLM
command REG_SZ C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ DVDLauncher
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ H/PC Connection Agent
hkey REG_SZ HKCU
command REG_SZ "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ hkcmd
hkey REG_SZ HKLM
command REG_SZ C:\WINDOWS\system32\hkcmd.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ ISUSPM Startup
hkey REG_SZ HKLM
command REG_SZ C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ issch
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ iTunesHelper
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ Kernel and Hardware Abstraction Layer
hkey REG_SZ HKLM
command REG_SZ KHALMNPR.EXE
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ msmsgs
hkey REG_SZ HKCU
command REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfSaver3
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ
hkey REG_SZ HKLM
command REG_SZ
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ QuickTime Task
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\QuickTime\QTTask.exe" -atboottime
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ RealPlay
hkey REG_SZ HKLM
command REG_SZ C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ
hkey REG_SZ HKLM
command REG_SZ
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ SunJavaUpdateSched
hkey REG_SZ HKLM
command REG_SZ "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ swg
hkey REG_SZ HKCU
inimapping REG_SZ 0
command REG_SZ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ SynTPEnh
hkey REG_SZ HKLM
command REG_SZ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
inimapping REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item REG_SZ AdobeUpdateManager
hkey REG_SZ HKCU
command REG_SZ "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
inimapping REG_SZ 0
"ERSvc"=2 (0x2)
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
Written by Bobbi Flekman 2006 (C)
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components
7,0,5730,0
*
6,0,5730,11
6,0,5730,11
1 (0x1)
2,0,0,0
EN
EN
Macromedia Shockwave Director 10.1
11,0,5721,5145
7,0,5730,0
11,0,5721,5145
DirectAnimation
Macromedia Shockwave Director 10.1
1,1,1,7
4,7,0,0320
*
1,397,2406,1
Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
6,0,2900,2180
1 (0x1)
EN
11,0,5721,5145
4,71,1113,0
7,0,5730,11
6,00,01,0223
5,6,0,8820
1 (0x1)
5,00,2918,1900
7,0,5730,11
C:\WINDOWS\system32\msieftp.dll
11,0,5721,5145
4,9,9,2
2,0,50727,0
10,0,0,1
WAB
en
en
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix
2 (0x2)
EN
1 (0x1)
7,0,5730,11

6,0,2800,2180
.NET Framework
6,0,5730,11
.NET Framework
4,71,1968,1
2,1,4026,0
EN
6,0,5730,11
5,0,00,0



-- End of Deckard's System Scanner: finished at 2008-08-09 11:59:46 ------------
Attached Files
File Type: txt extra.txt (30.0 KB, 3 views)
Old 08-09-2008, 10:46 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Computer has been hijacked - IE/Firefox inoperable

That helps, thank you.

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix.exe from here

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System
Download the file & save it as it's originally named, next to ComboFix.exe.
---------------------------------------------------------------------
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
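The "further review" the post asks for is done by hand in this thread: the analyst reads the HijackThis log line by line and decides what stays. The Python below is an added example, not code from the thread, from HijackThis or from ComboFix. It parses the R3/O2/O3/O4/O9 line formats these logs use and flags the three things an analyst checks first: entries marked (no file), whose target no longer exists; Run values whose command is a bare file name, which Windows locates through the PATH search order at logon, so the copy that runs need not be the one the vendor installed (the Deckard's log above shows exactly such a value, `command REG_SZ KHALMNPR.EXE`); and GUID-named Run values that load a DLL through rundll32. The sample lines are constructed in the thread's log format; the rundll32 command line given for the GUID-named entry is an assumed form, since the logs only show the DLL path ComboFix removed.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not HijackThis, ComboFix or TSF code.
It understands the R3/O2/O3/O4/O9 line formats printed by HijackThis 2.0.2
and reports the entries an analyst would examine before clearing the log.
"""
import re
from dataclasses import dataclass

# Constructed sample log in HijackThis format. The rundll32 command on the
# GUID-named entry is an assumed form; the thread only shows the DLL path.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [{1a5163e5-12c4-dd30-6a7b-52415beaa843}] rundll32.exe C:\WINDOWS\system32\qihdhapgap.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(
    r"^(?P<kind>R3|O2|O3|O9) - [^:]+: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"
)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


@dataclass
class Entry:
    kind: str    # HijackThis section code: R3, O2, O3, O4, O9
    name: str    # Run value name (O4) or component name (BHO, toolbar, hook)
    target: str  # command line (O4), registered file, or "(no file)"


def parse_line(line: str):
    """Return an Entry for the supported line types, else None."""
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m.group("name"), m.group("cmd"))
    m = CLSID_RE.match(line)
    if m:
        return Entry(m.group("kind"), m.group("name"), m.group("target"))
    return None


def executable_of(cmd: str) -> str:
    """First token of a command line, honouring a double-quoted path.

    Unquoted paths with spaces are cut at the first space, which is enough
    for the checks below (they only ask whether a directory is present).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entry: Entry) -> list:
    """Reasons an analyst would look at this entry before clearing it."""
    reasons = []
    if entry.target.strip() == "(no file)":
        reasons.append("orphan: registered file is missing, entry can be removed")
    if entry.kind == "O4":
        exe = executable_of(entry.target)
        # A bare file name is found through the PATH search order at logon,
        # so the copy that runs may not be the one the vendor installed.
        if "\\" not in exe and not exe.startswith("%"):
            reasons.append("bare file name, resolved via PATH: confirm which copy runs")
        if GUID_RE.match(entry.name):
            reasons.append("GUID-named Run value: unusual for legitimate software")
        if exe.lower().endswith("rundll32.exe"):
            reasons.append("loads a DLL through rundll32: inspect the DLL")
    return reasons


def triage_log(text: str) -> dict:
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample, the Yahoo! Toolbar hook is reported as an orphan, the KHALMNPR.EXE value is reported for PATH resolution, and the GUID-named entry collects all three findings; the ESET, Google and Java entries pass. The checks are deliberately conservative: a flagged entry means "look here first", not "malicious".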
Old 08-09-2008, 02:43 PM   #6 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 22
OS: xp pro


Re: Computer has been hijacked - IE/Firefox inoperable

Hi Ried,
Thanks again for your help! You are a lifesaver! Here's the combofix log:

ComboFix 08-08-08.08 - THOMAS DEMENTI 2008-08-09 17:23:02.1 - NTFSx86

Running from: C:\Documents and Settings\THOMAS DEMENTI\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Secure Solutions
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807165225828.log
C:\WINDOWS\edsa.exe
C:\WINDOWS\system32\qihdhapgap.dll
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-09 11:57 . 2008-08-09 11:57 <DIR> d-------- C:\Deckard
2008-08-08 15:09 . 2008-08-08 15:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Program Files\ESET
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 12:52 . 2008-08-08 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-07 17:25 . 2008-08-07 17:25 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-07 16:52 . 2008-08-07 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-07 16:52 . 2008-08-07 16:52 64,362 --a------ C:\WINDOWS\system32\olcdfuyknfsw.exe
2008-08-07 10:17 . 2008-08-07 16:43 <DIR> d-------- C:\Program Files\Foxit Software
2008-08-06 16:16 . 2008-08-06 16:16 <DIR> d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Sarm Software
2008-08-06 16:15 . 2008-08-07 10:23 607 --a------ C:\WINDOWS\Omega.INI
2008-08-06 16:14 . 2008-08-06 16:14 <DIR> d-------- C:\Program Files\Sarm Software
2008-08-05 09:45 . 2008-08-05 09:46 <DIR> d-------- C:\Program Files\RamBooster 2.0
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iTunes
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iPod
2008-07-21 17:44 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-07-21 17:43 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\QuickTime
2008-07-21 14:03 . 2008-07-21 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-21 14:01 . 2008-07-21 14:05 <DIR> d-------- C:\Program Files\Canon
2008-07-21 13:59 . 2008-07-21 13:59 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-07-21 10:05 . 2008-07-21 10:05 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-07-16 09:33 . 2008-07-16 09:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 17:48 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-08 17:48 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-08 17:48 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec
2008-08-08 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-08 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-08 16:46 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\uTorrent
2008-08-07 20:44 6,262 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\wklnhst.dat
2008-08-04 22:02 --------- d-----w C:\Program Files\Apple Software Update
2008-07-27 22:41 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-26 17:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-21 14:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-17 12:24 --------- d-----w C:\Program Files\IrfanView
2008-07-08 19:45 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\Logitech
2008-07-08 19:44 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-07-08 19:43 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-07-08 19:42 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-08 19:40 --------- d-----w C:\Program Files\Logitech
2008-07-08 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-08 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 22:56 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 22:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 22:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2005-10-15 12:47 66,824 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"RamBooster"="C:\Program Files\RamBooster 2.0\Rambooster.exe" [2005-11-17 07:32 561664]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 13:45 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-08 15:40:53 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS DEMENTI^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\THOMAS DEMENTI\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2005-05-31 05:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2005-02-15 16:02 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-19 18:30 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-27 13:45 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 12:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a4152c6-1781-11dd-9950-00123fe430a1}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-09 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Reg - (no file)
HKLM-Run-{1a5163e5-12c4-dd30-6a7b-52415beaa843} - C:\WINDOWS\system32\qihdhapgap.dll
Notify-NavLogon - (no file)
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla\Firefox\Profiles\mulixzw9.Default User\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.google.com/mail/
FF -: plugin - C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla\plugins\npPxPlay.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 17:29:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-08-09 17:35:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-09 21:35:01

Pre-Run: 23,796,080,640 bytes free
Post-Run: 23,842,525,184 bytes free

235 --- E O F --- 2008-08-09 07:00:49




and a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:32 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\RamBooster 2.0\Rambooster.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cvrmls.marketlinx.com/Login/L...?ReturnUrl=%2f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-2737080713-4217204644-573995376-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2737080713-4217204644-573995376-1005\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-2737080713-4217204644-573995376-1005\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe (User '?')
O4 - HKUS\S-1-5-21-2737080713-4217204644-573995376-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...OS/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://rein.mlxchange.com/Control/Mu...ctComboBox.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/Mg...B/mgaxctrl.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://rein.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://rein.mlxchange.com/3.0.10.88/...l/IRCSharc.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9569 bytes
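The log above is read by entry type (R0/R1 browser settings, O2 BHOs, O4 Run keys, O9 IE buttons, O16 downloaded ActiveX, O23 services). The following is an added example, not code from HijackThis or from anyone in this thread: it parses those typed lines and flags four things a first pass looks for: registrations whose target file is gone ("(no file)" / "(file missing)"), O4 Run commands given as a bare image name with no path (such as KHALMNPR.EXE, which Windows resolves through the PATH search order at logon), O16 ActiveX downloads from hosts outside an allowlist (TRUSTED_DPF_HOSTS is an assumption for the example, not a standard list), and O23 services whose publisher is "Unknown owner". The sample lines are excerpts of the log posted above. A flag means "look here", not "malicious".

```python
"""Triage a HijackThis log: parse each typed entry and flag the ones an analyst
reads first. Added example for this thread, not HijackThis's own code; the
heuristics below are illustrative."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: excerpts of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^.+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed allowlist of hosts from which ActiveX (O16) downloads are expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired
    kind: str    # HijackThis entry type, e.g. "O23"
    detail: str  # what to look at


def parse_entries(log_text):
    """Yield (kind, body) for every 'Xn - body' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def image_of(cmd):
    """Executable image of a Run command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text):
    findings = []
    for kind, body in parse_entries(log_text):
        # Registrations whose target no longer exists: harmless, but cleanup candidates.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding("orphan", kind, body))
        elif kind == "O4":
            m = O4_RE.match(body)
            # A bare image name is resolved through the PATH search order at logon,
            # so a same-named file earlier in that order would run instead.
            if m and not re.search(r"[\\/]", image_of(m.group("cmd"))):
                findings.append(Finding("unqualified-path", kind,
                                        f"[{m.group('name')}] {image_of(m.group('cmd'))}"))
        elif kind == "O16":
            m = O16_RE.match(body)
            host = (urlparse(m.group("url")).hostname or "") if m else ""
            if m and not trusted_host(host):
                findings.append(Finding("external-activex", kind, f"{m.group('name')} from {host}"))
        elif kind == "O23":
            m = O23_RE.match(body)
            if m and m.group("owner").lower() == "unknown owner":
                findings.append(Finding("unknown-owner-service", kind,
                                        f"{m.group('name')}: {m.group('path')}"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'orphan': 2, 'unqualified-path': 1, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.kind:4} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on the full log instead of SAMPLE_LOG by reading the saved HijackThis output into triage(); the counts for this excerpt are two orphans, one unqualified Run path, one external ActiveX download and two unknown-owner services, all of which an analyst would then check by hand.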
Old 08-09-2008, 04:13 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Re: Computer has been hijacked - IE/Firefox inoperable

Hello rath,

It's the author of ComboFix who is the lifesaver, not me.

We're not out of the woods yet. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

We really need to get the Recovery Console installed. Did you download the package from Microsoft?

Please try again. Let me know if you had any difficulties, and what they were.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'NO'; we want to exit ComboFix.


--------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->Control Panel->Add/Remove Programs)

Enhancement Browser Tools Mxlivemedia


Ignore any prompts to reboot.

**If you receive an error while uninstalling, move on to the next step and advise me of any troubles you had in your next reply.

--------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:


http://www.techsupportforum.com/secu...ml#post1639991

Collect::
C:\WINDOWS\system32\olcdfuyknfsw.exe
C:\WINDOWS\system32\qihdhapgap.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

**edit**

Open Notepad and copy/paste the contents in the code box below, into Notepad.

Code:
@echo off
rem List every file under the Deckard System Scanner folder into a text file.
rem VFind is not a built-in Windows command; it is assumed here to be a
rem file-listing tool already on the PATH.
VFind -tf %systemdrive%\deckard\* >DSS-Folder.txt
rem Open the listing, then delete this batch file (%0 is its own path).
Start Notepad DSS-Folder.txt
Del %0

Save this as look.bat and choose "Save type as - All Files"
It should look like this:

Double click on look.bat & allow it to run.

Then post the log which it produces, along with the C:\ComboFix.txt.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 08-09-2008 at 05:11 PM.
Old 08-10-2008, 11:55 AM   #8 (permalink)
Registered User
 
Re: Computer has been hijacked - IE/Firefox inoperable

Ried,
again...a million thanks for your help! I think I did everything right. The recovery console was successfully installed this time.

Here's the look.bat log:

C:\deckard\System Scanner\extra.txt
C:\deckard\System Scanner\main.txt
C:\deckard\System Scanner\moved.txt
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\atmadm2.exe.bat
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\dw.log
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\FPC_Uninstall.exe
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\FPC_WordAddin.dll
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\inxA1.tmp
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\java_install_reg.log
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\logger.log
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\MSI7cc7b.LOG
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\netfxsl.log
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\Registration.exe
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\s1265.php.bat
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\SEVINST.EXE
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\sfsrv.exe
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\sfsrv.exe.bat
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\snapfish.log
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\SNDunin.log
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\SYMEVENT.LOG
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\tds2AD.tmp
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\tempr.htm
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\TWAIN.LOG
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\Twain001.Mtx
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\Twunk001.MTX
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\vmpremov.exe
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\vpr_drv.dll
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\vpr_gpd.txt
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\vpr_ui.dll
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\WCESCOMM.LOG
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\WcesView.log
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\_addon.exe
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\fox51E.tmp\Foxit Reader Setup.exe
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\fox51E.tmp\Foxit Reader.exe
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\fox51E.tmp\Readme.txt
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\fox51E.tmp\Uninstall.exe
C:\deckard\System Scanner\backup\DOCUME~1\THOMAS~1\LOCALS~1\Temp\fox51E.tmp\what's new.txt
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\alaGrid.ocx
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\GeacRevw.ocx
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\LMIProxyHelper.exe
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\mapviewer.ocx
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\MgAxCtrl.dll
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\MLXClientUtils.dll
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\MultiSelectComboBox.dll
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\RACtrl.dll
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\sprthelper.exe
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\tgctlcm.dll
C:\deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\unicows.dll
C:\deckard\System Scanner\backup\WINDOWS\temp\MpCmdRun.log
C:\deckard\System Scanner\backup\WINDOWS\temp\MpSigStub.log
C:\deckard\System Scanner\backup\WINDOWS\temp\MSI12ca3.LOG
C:\deckard\System Scanner\backup\WINDOWS\temp\MSI17f9a.LOG
C:\deckard\System Scanner\backup\WINDOWS\temp\MSI1cf3e.LOG
C:\deckard\System Scanner\backup\WINDOWS\temp\MSI52d20.LOG
C:\deckard\System Scanner\backup\WINDOWS\temp\MSI688.LOG
C:\deckard\System Scanner\backup\WINDOWS\temp\MSI7224d.LOG
C:\deckard\System Scanner\backup\WINDOWS\temp\MSI9cfa4.LOG
C:\deckard\System Scanner\backup\WINDOWS\temp\MSId260e.LOG
C:\deckard\System Scanner\backup\WINDOWS\temp\netfxsl.log
C:\deckard\System Scanner\backup\WINDOWS\temp\T30DebugLogFile.txt
C:\deckard\System Scanner\backup\WINDOWS\temp\WcesView.log
C:\deckard\System Scanner\backup\WINDOWS\temp\WGAErrLog.txt
C:\deckard\System Scanner\backup\WINDOWS\temp\WGANotify.settings


And here's the ComboFix log:


ComboFix 08-08-08.08 - THOMAS DEMENTI 2008-08-10 14:43:45.2 - NTFSx86

Running from: C:\Documents and Settings\THOMAS DEMENTI\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\THOMAS DEMENTI\Desktop\CFScript.txt
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 11:57 . 2008-08-09 11:57 <DIR> d-------- C:\Deckard
2008-08-08 15:09 . 2008-08-08 15:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Program Files\ESET
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 12:52 . 2008-08-08 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-07 17:25 . 2008-08-07 17:25 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-07 16:52 . 2008-08-07 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-07 10:17 . 2008-08-07 16:43 <DIR> d-------- C:\Program Files\Foxit Software
2008-08-06 16:16 . 2008-08-06 16:16 <DIR> d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Sarm Software
2008-08-06 16:15 . 2008-08-07 10:23 607 --a------ C:\WINDOWS\Omega.INI
2008-08-06 16:14 . 2008-08-06 16:14 <DIR> d-------- C:\Program Files\Sarm Software
2008-08-05 09:45 . 2008-08-05 09:46 <DIR> d-------- C:\Program Files\RamBooster 2.0
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iTunes
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iPod
2008-07-21 17:44 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-07-21 17:43 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\QuickTime
2008-07-21 14:03 . 2008-07-21 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-21 14:01 . 2008-07-21 14:05 <DIR> d-------- C:\Program Files\Canon
2008-07-21 13:59 . 2008-07-21 13:59 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-07-21 10:05 . 2008-07-21 10:05 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-07-16 09:33 . 2008-07-16 09:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 17:48 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-08 17:48 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-08 17:48 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-08 17:48 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec
2008-08-08 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-08 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-08 16:46 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\uTorrent
2008-08-07 20:44 6,262 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\wklnhst.dat
2008-08-04 22:02 --------- d-----w C:\Program Files\Apple Software Update
2008-07-27 22:41 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-26 17:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-21 14:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-17 12:24 --------- d-----w C:\Program Files\IrfanView
2008-07-08 19:45 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\Logitech
2008-07-08 19:44 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-07-08 19:43 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-07-08 19:42 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-08 19:40 --------- d-----w C:\Program Files\Logitech
2008-07-08 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-08 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 22:56 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 22:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 22:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-10-15 12:47 66,824 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"RamBooster"="C:\Program Files\RamBooster 2.0\Rambooster.exe" [2005-11-17 07:32 561664]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 13:45 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-08 15:40:53 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS DEMENTI^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\THOMAS DEMENTI\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2005-05-31 05:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2005-02-15 16:02 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-19 18:30 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-27 13:45 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 12:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a4152c6-1781-11dd-9950-00123fe430a1}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []

2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-09 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Reg - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 14:46:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-10 14:46:55
ComboFix-quarantined-files.txt 2008-08-10 18:46:51
ComboFix2.txt 2008-08-09 21:35:07

Pre-Run: 23,843,680,256 bytes free
Post-Run: 23,828,058,112 bytes free

196 --- E O F --- 2008-08-09 07:00:49
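The "Reg Loading Points" section of the ComboFix log above is written REGEDIT4-style: a bracketed key followed by its values. The example below is added here and is not ComboFix's own code: it parses that structure and pulls out the items from this log that deserve a second look: the Security Center value that suppresses the missing-antivirus warning (AntiVirusDisableNotify=1), the Windows Firewall application exceptions together with their address scope, globally opened ports, and the per-volume AutoRun handler cached under Explorer\MountPoints2 (here E:\LinksysConnectPC.exe, recorded when a device carrying an autorun.inf was attached). The sample text is an excerpt of the log posted above, and SYSTEM_PREFIXES is an assumption for the example. Each item is for review, not a verdict.

```python
"""Checks over the 'Reg Loading Points' section of a ComboFix log. Added
example for this thread, not ComboFix's own code; the rules are illustrative
and produce items for review, not verdicts."""
import re
from collections import Counter

# Sample input: excerpts of the ComboFix log posted in the thread
# (REGEDIT4-style: a bracketed key followed by its "name"=value lines).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a4152c6-1781-11dd-9950-00123fe430a1}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*)$')
# Firewall exception value: path:scope:Enabled|Disabled:label (path itself contains ':').
SCOPE_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<mode>Enabled|Disabled):(?P<label>.*)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
# Assumption: exceptions for binaries in the Windows directory are expected and skipped.
SYSTEM_PREFIXES = ("%windir%", r"c:\windows")


def unescape(s):
    """REGEDIT export escaping: a doubled backslash stands for a single one."""
    return s.replace("\\\\", "\\")


def parse_sections(text):
    """Map each bracketed key to the non-empty lines that follow it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def values(lines):
    """Yield (name, value) for the '"name"=value' lines of a section."""
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            yield m.group("name"), m.group("value").strip()


def check(sections):
    findings = []
    for key, lines in sections.items():
        k = key.lower()
        if k.endswith("microsoft\\security center"):
            # Hides the 'no antivirus' warning: set by some AV suites, but also by
            # malware that has disabled protection.
            for name, value in values(lines):
                if name.lower().endswith("disablenotify") and value.lower() == "dword:00000001":
                    findings.append(("securitycenter-notify-off", name))
        elif k.endswith("authorizedapplications\\list"):
            # Programs allowed through the Windows Firewall, with their address scope
            # ('*' when the log shows no scope).
            for name, value in values(lines):
                path = unescape(name)
                if path.lower().startswith(SYSTEM_PREFIXES):
                    continue
                m = SCOPE_RE.match(unescape(value))
                scope = m.group("scope") if m else "*"
                findings.append(("firewall-exception", f"{path} (scope {scope})"))
        elif k.endswith("globallyopenports\\list"):
            for name, _ in values(lines):
                findings.append(("open-port", name))
        elif "\\mountpoints2\\" in k:
            # Per-volume AutoRun handler cached when a device with autorun.inf was
            # attached; Explorer runs this command from the volume when it is opened.
            for line in lines:
                m = AUTORUN_RE.match(line)
                if m:
                    findings.append(("volume-autorun", m.group("cmd")))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, detail in check(parse_sections(SAMPLE)):
        print(f"{rule:28} {detail}")
```

On the full C:\ComboFix.txt, pass the text between the "Reg Loading Points" banner and the 'Scheduled Tasks' heading to parse_sections(); everything else in the log is ignored by the section parser because it has no bracketed key.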
Old 08-10-2008, 02:54 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Re: Computer has been hijacked - IE/Firefox inoperable

Hello rath,

We still have a serious issue to address:

Quote:
------- Sigcheck -------

Cryptography Services Error !!
What I'd like you to do now is upgrade to XP SP3. Visit Microsoft Update and click the 'Express' button. Allow Microsoft to scan for installations on your system, and when it's through, install all Critical Updates - one of which should be SP3.

After you've downloaded and installed SP3, double click ComboFix.exe and post the new C:\ComboFix.txt for review.
Old 08-10-2008, 03:03 PM   #10 (permalink)
Registered User
 
Re: Computer has been hijacked - IE/Firefox inoperable

Hi Ried,
My laptop has been in some sort of safe mode since I installed/ran the DSS program. I can't get online to do the Microsoft Update you just suggested. How can I do this with my laptop? Thanks!
Old 08-10-2008, 03:06 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Re: Computer has been hijacked - IE/Firefox inoperable

I'm not sure I understand the term 'some sort of Safe Mode'.

Do you see the words 'Safe Mode' at each corner of your screen?

Didn't the first run of ComboFix reboot your system into Normal Mode?
Old 08-10-2008, 05:13 PM   #12 (permalink)
Registered User
 
Re: Computer has been hijacked - IE/Firefox inoperable

I don't really understand either. It's not in 'safe mode'...there are no words that say 'safe mode', but I remember when I first ran the DSS program, it said that it was going to put the computer in some sort of state where the system clock was going to be changed. The start menu looks different, and there is no internet connection. When I go to 'network connections' there are no icons to click on. I hope this helps you understand what is going on.
Old 08-10-2008, 05:17 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Computer has been hijacked - IE/Firefox inoperable

Ah, yes it does, and it sounds as though you mean ComboFix.exe, not dss.exe.

Double click ComboFix.exe again to run it. Let it complete, post the ComboFix.txt and let me know if taskbar and internet are back.
Old 08-10-2008, 05:28 PM   #14 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 22
OS: xp pro


Re: Computer has been hijacked - IE/Firefox inoperable

I just ran ComboFix.exe again. The taskbar is back...the clock setting is back to normal, but the internet is not. Here's the log produced:

ComboFix 08-08-08.08 - THOMAS DEMENTI 2008-08-10 20:19:28.3 - NTFSx86

Running from: C:\Documents and Settings\THOMAS DEMENTI\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-09 11:57 . 2008-08-09 11:57 <DIR> d-------- C:\Deckard
2008-08-08 15:09 . 2008-08-08 15:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Program Files\ESET
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 12:52 . 2008-08-08 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-07 17:25 . 2008-08-07 17:25 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-07 16:52 . 2008-08-07 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-07 10:17 . 2008-08-07 16:43 <DIR> d-------- C:\Program Files\Foxit Software
2008-08-06 16:16 . 2008-08-06 16:16 <DIR> d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Sarm Software
2008-08-06 16:15 . 2008-08-07 10:23 607 --a------ C:\WINDOWS\Omega.INI
2008-08-06 16:14 . 2008-08-06 16:14 <DIR> d-------- C:\Program Files\Sarm Software
2008-08-05 09:45 . 2008-08-05 09:46 <DIR> d-------- C:\Program Files\RamBooster 2.0
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iTunes
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iPod
2008-07-21 17:44 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-07-21 17:43 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\QuickTime
2008-07-21 14:03 . 2008-07-21 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-21 14:01 . 2008-07-21 14:05 <DIR> d-------- C:\Program Files\Canon
2008-07-21 13:59 . 2008-07-21 13:59 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-07-21 10:05 . 2008-07-21 10:05 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-07-16 09:33 . 2008-07-16 09:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 17:48 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-08 17:48 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-08 17:48 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-08 17:48 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec
2008-08-08 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-08 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-08 16:46 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\uTorrent
2008-08-07 20:44 6,262 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\wklnhst.dat
2008-08-04 22:02 --------- d-----w C:\Program Files\Apple Software Update
2008-07-27 22:41 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-26 17:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-21 14:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-17 12:24 --------- d-----w C:\Program Files\IrfanView
2008-07-08 19:45 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\Logitech
2008-07-08 19:44 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-07-08 19:43 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-07-08 19:42 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-08 19:40 --------- d-----w C:\Program Files\Logitech
2008-07-08 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-08 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-10-15 12:47 66,824 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"RamBooster"="C:\Program Files\RamBooster 2.0\Rambooster.exe" [2005-11-17 07:32 561664]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 13:45 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-08 15:40:53 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS DEMENTI^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\THOMAS DEMENTI\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2005-05-31 05:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2005-02-15 16:02 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-19 18:30 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-27 13:45 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 12:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a4152c6-1781-11dd-9950-00123fe430a1}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []

2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-10 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Reg - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla\Firefox\Profiles\mulixzw9.Default User\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.google.com/mail/
FF -: plugin - C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla\plugins\npPxPlay.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 20:23:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\TMP0000006A23F34D7DB09A889A

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-08-10 20:24:28
ComboFix-quarantined-files.txt 2008-08-11 00:24:24
ComboFix2.txt 2008-08-10 18:46:56
ComboFix3.txt 2008-08-09 21:35:07

Pre-Run: 23,841,001,472 bytes free
Post-Run: 23,825,588,224 bytes free

206 --- E O F --- 2008-08-09 07:00:49
Old 08-10-2008, 05:43 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Computer has been hijacked - IE/Firefox inoperable

Quote:
When i go to 'network connections' there are no icons to click on
Do you have those icons now?
Old 08-10-2008, 06:22 PM   #16 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 22
OS: xp pro


Re: Computer has been hijacked - IE/Firefox inoperable

No...there are no icons. And this time when I went to Network Connections, I got a message that said "The Network Connections Folder was unable to retrieve the list of Network adapters on your machine. Please make sure that the Network Connections service is enabling and running."
Old 08-10-2008, 06:36 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Computer has been hijacked - IE/Firefox inoperable

Download CF-querySvc.exe

Double click to run it, then please post the log it produces.

Also, do you have the XP install disc?
Old 08-10-2008, 07:57 PM   #18 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 22
OS: xp pro


Re: Computer has been hijacked - IE/Firefox inoperable

I don't think I still have the XP install disc. I'll dig around for it, but I've had this computer for 3 years or so.

Here's the log:


------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- WudfServiceGroup - WUDFSvc
- netsvcs - 6to4

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

------ SVCHOST SERVICES NOT RUNNING

STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DEMAND_START: WudfSvc : Windows Driver Foundation - User-mode Driver Framework
STOPPED: DISABLED: Alerter : Alerter
STOPPED: DISABLED: RemoteRegistry : Remote Registry
STOPPED: DISABLED: SSDPSRV : SSDP Discovery Service
STOPPED: DISABLED: upnphost : Universal Plug and Play Device Host

------ SVCHOST CURRENTLY RUNNING:

1100- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services

1228- C:\WINDOWS\system32\svchost -k rpcss
- RpcSs : Remote Procedure Call (RPC)

1620- C:\WINDOWS\system32\svchost.exe -k NetworkService
- Dnscache : DNS Client

1680- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- WebClient : WebClient

2028- C:\WINDOWS\system32\svchost.exe -k imgsvc
- stisvc : Windows Image Acquisition (WIA)

------ SVCHOST SUB-DEPENDENTS

HTTPFilter = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

upnphost = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

SSDPSRV = 2
STOPPED: upnphost: Universal Plug and Play Device Host
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

TermService = 1
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility

RpcSs = 55
RUNNING: aawservice: Lavasoft Ad-Aware Service
RUNNING: EvtEng: EvtEng
RUNNING: PolicyAgent: IPSEC Services
RUNNING: ProtectedStorage: Protected Storage
RUNNING: RegSrvc: RegSrvc
RUNNING: S24EventMonitor: Spectrum24 Event Monitor
RUNNING: SamSs: Security Accounts Manager
RUNNING: Spooler: Print Spooler
RUNNING: stisvc: Windows Image Acquisition (WIA)
RUNNING: TermService: Terminal Services
RUNNING: WinDefend: Windows Defender
RUNNING: WLANKEEPER: WLANKEEPER
STOPPED: AudioSrv: Windows Audio
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: CCALib8: Canon Camera Access Library 8
STOPPED: CiSvc: Indexing Service
STOPPED: COMSysApp: COM+ System Application
STOPPED: CryptSvc: Cryptographic Services
STOPPED: dmadmin: Logical Disk Manager Administrative Service
STOPPED: dmserver: Logical Disk Manager
STOPPED: ERSvc: Error Reporting Service
STOPPED: EventSystem: COM+ Event System
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility
STOPPED: Fax: Fax
STOPPED: gusvc: Google Updater Service
STOPPED: helpsvc: Help and Support
STOPPED: HidServ: HID Input Service
STOPPED: iPod Service: iPod Service
STOPPED: LiveUpdate: LiveUpdate
STOPPED: Messenger: Messenger
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: MSIServer: Windows Installer
STOPPED: Netman: Network Connections
STOPPED: NtmsSvc: Removable Storage
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RemoteRegistry: Remote Registry
STOPPED: RSVP: QoS RSVP
STOPPED: Schedule: Task Scheduler
STOPPED: SENS: System Event Notification
STOPPED: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
STOPPED: ShellHWDetection: Shell Hardware Detection
STOPPED: srservice: System Restore Service
STOPPED: SwPrv: MS Software Shadow Copy Provider
STOPPED: TapiSrv: Telephony
STOPPED: TlntSvr: Telnet
STOPPED: TrkWks: Distributed Link Tracking Client
STOPPED: VSS: Volume Shadow Copy
STOPPED: winmgmt: Windows Management Instrumentation
STOPPED: WmiApSrv: WMI Performance Adapter
STOPPED: wscsvc: Security Center
STOPPED: WZCSVC: Wireless Zero Configuration
STOPPED: xmlprov: Network Provisioning Service

StiSvc = 1
STOPPED: CCALib8: Canon Camera Access Library 8

TermService = 1
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility
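An automated version of the check the report above invites, added here as an example and not code from the thread or from the CF-querySvc author: it parses a report in the format shown, and for each svchost group lists the registered services that are neither running under any svchost instance nor explained by the stopped-services list (demand-start or disabled), plus a size check on the netsvcs group. The sample report is constructed from the thread's format and trimmed to a few entries, and the netsvcs threshold is an assumption, not a value from the thread.

```python
"""Audit svchost service groups in a CF-querySvc style report.
Added example; the sample report below is constructed from the thread's
format and trimmed, it is not a real capture."""
import re

GROUP_LINE = re.compile(r"^- (\S+) - (.+)$")
STOPPED_LINE = re.compile(r"^STOPPED: (\S+): (\S+) : ")
HOST_LINE = re.compile(r"^(\d+)- .*svchost(?:\.exe)? -k (\S+)", re.IGNORECASE)
MEMBER_LINE = re.compile(r"^- (\S+) : .+$")
SECTION_LINE = re.compile(r"^------ (.+?):?\s*$")

# Heuristic threshold (assumption): a stock XP netsvcs group lists far more
# services than this, so a shorter list deserves a known-good comparison.
NETSVCS_MIN_EXPECTED = 10

SAMPLE_REPORT = r"""------ REGISTRY:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- termsvcs - TermService
- netsvcs - 6to4
------ SVCHOST SERVICES NOT RUNNING
STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DISABLED: Alerter : Alerter
STOPPED: DISABLED: RemoteRegistry : Remote Registry
------ SVCHOST CURRENTLY RUNNING:
1100- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services
1620- C:\WINDOWS\system32\svchost.exe -k NetworkService
- Dnscache : DNS Client
1680- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- WebClient : WebClient
------ SVCHOST SUB-DEPENDENTS
"""

def split_sections(text):
    """Group report lines under their '------ TITLE' headers."""
    sections, title = {}, None
    for line in text.splitlines():
        m = SECTION_LINE.match(line)
        if m:
            title = m.group(1).upper()
            sections[title] = []
        elif title is not None:
            sections[title].append(line)
    return sections

def collect(text, section, pattern):
    """Yield the match groups of every line in one section matching pattern."""
    for line in split_sections(text).get(section, []):
        m = pattern.match(line)
        if m:
            yield m.groups()

def parse_running(text):
    """Running svchost instances: {group (lower): {hosted services (lower)}}."""
    hosts, current = {}, None
    for line in split_sections(text).get("SVCHOST CURRENTLY RUNNING", []):
        h, m = HOST_LINE.match(line), MEMBER_LINE.match(line)
        if h:
            current = h.group(2).lower()
            hosts.setdefault(current, set())
        elif m and current is not None:
            hosts[current].add(m.group(1).lower())
    return hosts

def audit(text):
    """Per svchost group: is it hosted, which idle members are explained by the
    stopped list (demand-start/disabled), and which are not explained at all."""
    groups = {g: [s.strip() for s in m.split(",")]
              for g, m in collect(text, "REGISTRY", GROUP_LINE)}
    stopped = {s.lower(): t for t, s in
               collect(text, "SVCHOST SERVICES NOT RUNNING", STOPPED_LINE)}
    hosts = parse_running(text)
    running = {s for hosted in hosts.values() for s in hosted}
    findings = {}
    for group, members in groups.items():
        idle = [m for m in members if m.lower() not in running]
        findings[group] = {
            "hosted": group.lower() in hosts,
            "members": members,
            "expected": [m for m in idle if m.lower() in stopped],
            "unexplained": [m for m in idle if m.lower() not in stopped],
        }
    return findings

def flags(text):
    """Findings worth acting on; stopped demand-start/disabled services are not flagged."""
    out = []
    for group, f in audit(text).items():
        if f["unexplained"]:
            out.append("%s: %s neither running nor listed as stopped"
                       % (group, ", ".join(f["unexplained"])))
        if group.lower() == "netsvcs" and len(f["members"]) < NETSVCS_MIN_EXPECTED:
            out.append("netsvcs: only %d member(s) registered (%s); compare with a known-good system"
                       % (len(f["members"]), ", ".join(f["members"])))
    return out
```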
Old 08-11-2008, 08:16 AM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Computer has been hijacked - IE/Firefox inoperable

Hello rath, and thank you.

Download the attached repair.zip file to your desktop.

Double click on the zip folder, then double click on the repair.reg within.

Click yes to allow it to merge into your registry.

---------------------------------------------------

Reboot your system.

---------------------------------------------------

Double click ComboFix.exe to run it again. Post the C:\ComboFix.txt in your next reply, along with an update on system behavior.
Last edited by Ried; 08-11-2008 at 09:04 AM.
Old 08-11-2008, 08:34 AM   #20 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 22
OS: xp pro


Re: Computer has been hijacked - IE/Firefox inoperable

Good Morning Ried!

I just did what you recommended. There is no change in system behavior...still no icons in the network connections. The system clock is normal. I get a loud 'beep' for notifications instead of some sort of chime like I used to get before this infection.

Here's the newest ComboFix log:

ComboFix 08-08-08.08 - THOMAS DEMENTI 2008-08-11 11:25:55.4 - NTFSx86

Running from: C:\Documents and Settings\THOMAS DEMENTI\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-09 11:57 . 2008-08-09 11:57 <DIR> d-------- C:\Deckard
2008-08-08 15:09 . 2008-08-08 15:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Program Files\ESET
2008-08-08 13:49 . 2008-08-08 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-08 12:52 . 2008-08-08 12:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 12:52 . 2008-08-08 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-07 17:25 . 2008-08-07 17:25 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-07 16:52 . 2008-08-07 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-07 10:17 . 2008-08-07 16:43 <DIR> d-------- C:\Program Files\Foxit Software
2008-08-06 16:16 . 2008-08-06 16:16 <DIR> d-------- C:\Documents and Settings\THOMAS DEMENTI\Application Data\Sarm Software
2008-08-06 16:15 . 2008-08-07 10:23 607 --a------ C:\WINDOWS\Omega.INI
2008-08-06 16:14 . 2008-08-06 16:14 <DIR> d-------- C:\Program Files\Sarm Software
2008-08-05 09:45 . 2008-08-05 09:46 <DIR> d-------- C:\Program Files\RamBooster 2.0
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iTunes
2008-08-04 18:01 . 2008-08-04 18:01 <DIR> d-------- C:\Program Files\iPod
2008-07-21 17:44 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-07-21 17:43 . 2008-07-21 17:44 <DIR> d-------- C:\Program Files\QuickTime
2008-07-21 14:03 . 2008-07-21 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-21 14:01 . 2008-07-21 14:05 <DIR> d-------- C:\Program Files\Canon
2008-07-21 13:59 . 2008-07-21 13:59 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-07-21 10:05 . 2008-07-21 10:05 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-07-16 09:33 . 2008-07-16 09:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 17:48 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-08 17:48 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-08 17:48 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-08 17:48 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-08 17:48 --------- d-----w C:\Program Files\Symantec
2008-08-08 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-08 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-08 16:46 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\uTorrent
2008-08-07 20:44 6,262 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\wklnhst.dat
2008-08-04 22:02 --------- d-----w C:\Program Files\Apple Software Update
2008-07-27 22:41 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-26 17:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-21 14:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-17 12:24 --------- d-----w C:\Program Files\IrfanView
2008-07-08 19:45 --------- d-----w C:\Documents and Settings\THOMAS DEMENTI\Application Data\Logitech
2008-07-08 19:44 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-07-08 19:43 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-07-08 19:42 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-08 19:40 --------- d-----w C:\Program Files\Logitech
2008-07-08 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-08 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-10-15 12:47 66,824 ----a-w C:\Documents and Settings\THOMAS DEMENTI\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"RamBooster"="C:\Program Files\RamBooster 2.0\Rambooster.exe" [2005-11-17 07:32 561664]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 13:45 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-08 15:40:53 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^THOMAS DEMENTI^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\THOMAS DEMENTI\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2005-05-31 05:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2005-02-15 16:02 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-19 18:30 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-27 13:45 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 12:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a4152c6-1781-11dd-9950-00123fe430a1}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []

2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-11 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Reg - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla\Firefox\Profiles\mulixzw9.Default User\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.google.com/mail/
FF -: plugin - C:\Documents and Settings\THOMAS DEMENTI\Application Data\Mozilla\plugins\npPxPlay.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 11:29:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-11 11:30:46
ComboFix-quarantined-files.txt 2008-08-11 15:30:41
ComboFix2.txt 2008-08-11 00:24:28
ComboFix3.txt 2008-08-10 18:46:56
ComboFix4.txt 2008-08-09 21:35:07

Pre-Run: 23,839,010,816 bytes free
Post-Run: 23,823,560,704 bytes free

205 --- E O F --- 2008-08-09 07:00:49
rath is offline  
Copyright 2001 - 2009, Tech Support Forum