Solved: Help, I've been hijacked

rowoo2 (Junior Member, Experience: Beginner) - 13-Feb-2009, 01:59 PM - #1
Help, I've been hijacked
Please offer assistance w/ ridding laptop of bad issues: desktop defaults to fake alert screen & RUNDLL error pops up at start-up. The DLL error says error loading c:\WINDOWS\Thusise.dll. Redirects are also occurring; usually to bestcatalogonline. Pop-ups for various spyware, registry checkers, anti-virus software are also frequent (stopzilla, regcure, etc.). Have acquired Norton 09 to run once it's cleaned.

Laptop is a Compaq Presario 1500 P4 1.6G, 256M RAM, w/ XP pro v2002 -svc pack 3.

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:48, on 2/13/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XP Protection Center] "C:\Program Files\XPProtectionCenter\XPProtectionCenter.exe" /hide
O4 - HKLM\..\Run: [Scuqoq] rundll32.exe "C:\WINDOWS\Thusise.dll",e
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [0a0f1676] rundll32.exe "C:\WINDOWS\system32\tlpkadni.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\User1\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1213066744209
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O20 - AppInit_DLLs: karna.dat dnyafb.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 4958 bytes
cybertech (Malware Removal Specialist) - 15-Feb-2009, 09:06 AM - #2
Hi Welcome to TSG!!

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
Download the file & save it as it's originally named.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.



  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.
rowoo2 (Junior Member, Experience: Beginner) - 16-Feb-2009, 06:03 PM - #3
Update to: Help, I've been hijacked!
Thanks Cybertech; your assistance was awesome and greatly appreciated - these occurrences were extremely annoying. I followed the instructions above and the fake desktop warning is gone and I have no more pop-ups so far. My task manager is active again and the dll error is history as well. I've only gotten a runtime error or two since rebooting.

Here is the ComboFix log:

ComboFix 09-02-14.01 - User1 2009-02-16 14:50:57.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.90 [GMT -5:00]
Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User1\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\userinit.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 01:51 30,406 ----a-w c:\windows\system32\drivers\Mmc_2k.sys
2009-08-10 01:51 25,674 ----a-w c:\windows\system32\drivers\Dvd_2k.sys
2009-08-10 01:51 134,426 ----a-w c:\windows\system32\drivers\pwd_2K.sys
2009-08-09 23:23 65,536 --sh--w C:\VIDEOROM.BIN
2009-08-09 23:22 266 --sh--w c:\program files\desktop.ini
2009-08-09 23:22 11,079 ---h--w c:\program files\folder.htt
2009-01-31 20:21 125,440 ----a-w c:\windows\SYSTEM32\userinit.exe
2009-01-06 16:04 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-20 21:33 19,221 ----a-w c:\windows\SYSTEM32\byhom.scr
2008-11-20 21:33 17,032 ----a-w c:\program files\Common Files\ipesa.lib
2008-11-20 21:33 16,430 ----a-w c:\documents and settings\User1\Application Data\ytoqasamo.dll
2008-11-20 21:33 16,390 ----a-w c:\documents and settings\All Users\Application Data\ajatajyc.pif
2008-11-20 21:33 16,360 ----a-w c:\windows\senepu.dll
2008-11-20 21:33 15,952 ----a-w c:\windows\SYSTEM32\oxykahap.scr
2008-11-20 21:33 14,809 ----a-w c:\documents and settings\All Users\Application Data\ydyzu.reg
2008-11-20 21:33 14,251 ----a-w c:\windows\oxywanynu.bin
2008-11-20 21:33 14,004 ----a-w c:\windows\SYSTEM32\zidezos.exe
2008-11-20 21:33 11,809 ----a-w c:\program files\Common Files\ucatopiv.bat
2008-11-20 18:56 19,552 ----a-w c:\documents and settings\User1\Application Data\GDIPFONTCACHEV1.DAT
2008-06-22 19:22 7,496,920 ----a-w c:\program files\Firefox Setup 3.0.exe
.
------- Sigcheck -------
2009-01-31 15:21 125440 fb8a0c448384cd2228b476943e01d024 c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-02-12 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-02-12 15360]
"cdloader"="c:\documents and settings\User1\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2009-08-09 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-08-09 106560]
Belkin Wireless Utility.lnk - c:\program files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe [2005-08-18 1388544]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
2008-02-12 14:58 625664 c:\windows\SYSTEM32\catsrvut.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"IrMon"=IrMon.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Documents and Settings\\User1\\Application Data\\MJUSBSP\\magicJack.exe"=
R0 kyfgdmfi;kyfgdmfi;c:\windows\system32\drivers\gplypjxf.sys [2009-01-27 25088]
R3 BLKWGN;Belkin Wireless G Notebook Card Service;c:\windows\system32\DRIVERS\BLKWGN.sys [2005-06-01 463872]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1002000.007\SYMEFA.SYS [2008-12-05 309296]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-05 255536]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\ccHPx86.sys [2009-01-28 362544]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090212.003\IDSxpx86.sys [2009-01-29 276344]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-05 115560]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-28 99376]

--- Other Services/Drivers In Memory ---
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\phone\command - E:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6130f60-bff2-11dd-9d9d-0008029dc7e1}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\phone\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2089-02-22 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-02-12 14:59]
2009-02-14 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16 []
.
- - - - ORPHANS REMOVED - - - -
BHO-{23BD9B8D-2302-43E7-A792-C03FDC36A5E3} - c:\windows\system32\xxyaxVnn.dll
BHO-{8e20f550-aacb-421e-af89-3bd35fd48194} - c:\windows\system32\ocwjmd.dll
ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
HKLM-Run-XP Protection Center - c:\program files\XPProtectionCenter\XPProtectionCenter.exe
HKLM-Run-Scuqoq - c:\windows\Thusise.dll
Notify-cbXOGWpq - cbXOGWpq.dll
Notify-geBspqqQ - geBspqqQ.dll

.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\TEMP\ntdll64.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
DPF: Win32 Classes
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 14:58:06
Windows 5.1.2600 Service Pack 3, v.5657 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\GTGina.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ACS.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files\COMPACT WIRELESS-G USB ADAPTER WIRELESS NETWORK MONITOR\WLSERVICE.EXE
c:\program files\COMPACT WIRELESS-G USB ADAPTER WIRELESS NETWORK MONITOR\WUSB54GC.EXE
c:\program files\Microsoft Office\Office10\msoffice.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-02-16 15:11:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-16 20:11:30
Pre-Run: 18,691,751,936 bytes free
Post-Run: 18,752,339,968 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
432 --- E O F --- 2009-01-27 08:01:27
cybertech (Malware Removal Specialist) - 16-Feb-2009, 07:54 PM - #4
Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.




Please download Malwarebytes Anti-Malware and save it to your desktop. alternate link 1 alternate link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply with a new hijackthis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u12-windows-i586-p.exe and select "Run as an Administrator".)
rowoo2's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Jan 2009
Experience: Beginner
17-Feb-2009, 06:03 PM #5
Followed directions for your download suggestions; I mistakenly did a full scan instead of a quick scan. Now have Norton '09, so I disabled it in order to run the scan that you recommended.

New issue: Now after reboot, I only have desktop with no desktop icons or command options: no Start menu, no taskbar, nothing. I'm stuck in idle mode.
cybertech's Avatar
Computer Specs
Malware Removal Specialist with 69,217 posts.
 
Join Date: Apr 2002
Location: Washington State
17-Feb-2009, 08:01 PM #6
Boot the computer to the Last Known Configuration:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the Last Known Configuration and press Enter.
rowoo2's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Jan 2009
Experience: Beginner
18-Feb-2009, 11:48 AM #7
rebooted in F8 safe mode with Advanced Options, selected Last Known Good Configuration...

Still comes up with desktop image only. No icons, no start menu.

Any suggestions appreciated.
THANKS
rowoo2's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Jan 2009
Experience: Beginner
18-Feb-2009, 12:04 PM #8
Now all icons & start menu are gone
All I get now is the wallpaper. NOTHING ELSE


Another thing, when I select Last Known Good Config, I get an option to select operating systems to start:
Recovery Console or XP Professional.
Should I choose one of these??
cybertech's Avatar
Computer Specs
Malware Removal Specialist with 69,217 posts.
 
Join Date: Apr 2002
Location: Washington State
18-Feb-2009, 12:58 PM #9
You want to select XP.
rowoo2's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Jan 2009
Experience: Beginner
19-Feb-2009, 05:36 PM #10
Chose XP Professional option, still boots up to desktop image only.
No control options.
Really appreciate your help. Sorry for the full scan faux pas.

Am I now relegated to finding the disk to reload the entire operating system? Or do you have another suggestion (i.e. control keys to restore icons)? The only control which seems to work is Control+Alt+Delete which gives me the task manager dialogue box.
cybertech's Avatar
Computer Specs
Malware Removal Specialist with 69,217 posts.
 
Join Date: Apr 2002
Location: Washington State
19-Feb-2009, 06:57 PM #11
Your machine was very infected, and to be right up front with you, I would not think twice about doing a full format of the c: drive and reinstalling the OS.
rowoo2's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Jan 2009
Experience: Beginner
22-Feb-2009, 02:32 AM #12
Whew; not as bad as I thought - I checked the MBAM site for suggestions and others have had this occur; am able to pull up task mgr, so was advised to go to applications and manually enter explorer.exe - everything is still there - the exe commands were just erased. I will need to find out how to restore these. You have been great. I will post new logs for your view. Thx.
rowoo2's Avatar
Computer Specs
Junior Member with 8 posts.
 
Join Date: Jan 2009
Experience: Beginner
27-Feb-2009, 02:04 PM #13
Thanks. I still have glitches so have decided to reload OS. Your assistance has been great. Thanks
cybertech's Avatar
Computer Specs
Malware Removal Specialist with 69,217 posts.
 
Join Date: Apr 2002
Location: Washington State
27-Feb-2009, 07:26 PM #14
I think that is a very wise choice!



Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

Tags
malware, redirect, spyware, virus, worm
