PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » Please, can someone help me?

#1 - 12-08-2007
LoPan (Bronze Member; Join Date: Dec 2007; Posts: 8; PC Experience: Some Experience)
Please, can someone help me?

I'm a new guy, and my PC is messed up pretty bad. I receive an error message that reads "This application has failed to start because ATL.DLL was not found. Re-installing the application may fix this problem" whenever I start any application. I was unable to disable the system restore during the prework phase this forum suggested, but I followed all the other steps. If anyone can help it would be greatly appreciated...I hope it's not too late for my PC.

I'm getting a message that I do not have permission to access this page, so I can't upload my logs. Here's my Superantispyware log...

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Generated 12/07/2007 at 09:02 PM
Application Version : 3.9.1008
Core Rules Database Version : 3357
Trace Rules Database Version: 1356
Scan type : Complete Scan
Total Scan Time : 00:58:58
Memory items scanned : 170
Memory threats detected : 0
Registry items scanned : 5616
Registry threats detected : 0
File items scanned : 39314
File threats detected : 18
Adware.Tracking Cookie
C:\Documents and Settings\Clif\Cookies\clif@richmedia.yahoo[1].txt
C:\Documents and Settings\Clif\Cookies\clif@rotator.adjuggler[2].txt
C:\Documents and Settings\Clif\Cookies\clif@revsci[2].txt
C:\Documents and Settings\Clif\Cookies\clif@tacoda[1].txt
C:\Documents and Settings\Clif\Cookies\clif@questionmarket[1].txt
C:\Documents and Settings\Clif\Cookies\clif@atdmt[2].txt
C:\Documents and Settings\Clif\Cookies\clif@ads.pointroll[1].txt
C:\Documents and Settings\Clif\Cookies\clif@tribalfusion[2].txt
C:\Documents and Settings\Clif\Cookies\clif@brightcove.112.2o7[1].txt
C:\Documents and Settings\Clif\Cookies\clif@server.iad.liveperson[1].txt
C:\Documents and Settings\Clif\Cookies\clif@ads.revsci[1].txt
C:\Documents and Settings\Clif\Cookies\clif@usatoday1.112.2o7[1].txt
C:\Documents and Settings\Clif\Cookies\clif@adlegend[1].txt
Trojan.Downloader/NMC-Rich
C:\Program Files\RichVideoCodec
Trojan.SpySheriff
C:\AVENGER\WINSTALL.EXE
C:\WINDOWS\SYSTEM32\G6A8C.TMP.EXE
C:\WINDOWS\SYSTEM32\GB69E.TMP.EXE
C:\WINDOWS\SYSTEM32\GE83D.TMP.EXE

...and here's my Hijackthis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:08 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\drivers\system.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\update\update.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f827.mail.yahoo.com/ym/log...=0mco4ksq4v261
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHelp - {8673347E-6D08-4B61-8794-E101DC448950} - C:\WINDOWS\system32\IEHelp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\system32\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [main] C:\WINDOWS\system32\drivers\system.exe
O4 - HKCU\..\Run: [default] C:\Documents and Settings\Clif\winmain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [sysinit] C:\WINDOWS\system32\drivers\system.exe
O4 - HKCU\..\RunOnce: [winmz] C:\Documents and Settings\Clif\winmain.exe
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [main] C:\WINDOWS\system32\drivers\system.exe (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [default] C:\Documents and Settings\Clif\winmain.exe (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\RunOnce: [sysinit] C:\WINDOWS\system32\drivers\system.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MSNAgent] C:\WINDOWS\system32\GFA7D.tmp.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MSNAgent] C:\WINDOWS\system32\GFA7D.tmp.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: md4hsh - C:\WINDOWS\SYSTEM32\md4hsh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 12685 bytes
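Added example, not code from the thread or from HijackThis/SDFix: a Python triage pass over the O2, O4 and O20 lines of a log like the one above, flagging the patterns a log reader checks first. The input is a constructed subset of this post's own lines, and the heuristics (executables under the drivers directory, .tmp.exe names, executables in a profile root, autoruns in the Default/SYSTEM hive, BHO and Winlogon Notify DLLs living in system32) are my own assumptions, not a rule set the tools ship.

```python
import re
from dataclasses import dataclass

# Constructed subset of the O2/O4/O20 lines from the HijackThis log in this post,
# embedded so the script runs offline. Paths are as they appear in the log.
SAMPLE_LOG = r"""
O2 - BHO: IEHelp - {8673347E-6D08-4B61-8794-E101DC448950} - C:\WINDOWS\system32\IEHelp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [main] C:\WINDOWS\system32\drivers\system.exe
O4 - HKCU\..\Run: [default] C:\Documents and Settings\Clif\winmain.exe
O4 - HKCU\..\RunOnce: [sysinit] C:\WINDOWS\system32\drivers\system.exe
O4 - HKUS\.DEFAULT\..\Run: [MSNAgent] C:\WINDOWS\system32\GFA7D.tmp.exe (User 'Default user')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: md4hsh - C:\WINDOWS\SYSTEM32\md4hsh.dll
"""

# First drive-letter path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys))', re.IGNORECASE)
# O4 - <hive>\..\<Run|RunOnce>: [<name>] <command> [(User '...')]
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An .exe sitting directly in a profile root rather than in a subfolder.
PROFILE_ROOT_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list


def suspicious(section, hive, key, path):
    """Heuristic reasons (my own assumptions, not HijackThis rules) why an entry deserves a look."""
    p = path.lower()
    parent, _, base = p.rpartition("\\")
    reasons = []
    if base.endswith(".tmp.exe"):
        reasons.append("double extension .tmp.exe (temp-file name made executable)")
    if "\\drivers\\" in p and base.endswith(".exe"):
        reasons.append("executable inside the drivers directory")
    if PROFILE_ROOT_RE.match(path):
        reasons.append("executable placed directly in a user profile root")
    if hive.upper().startswith(("HKUS\\.DEFAULT", "HKUS\\S-1-5-18")):
        reasons.append("autorun under the Default/SYSTEM user hive")
    if key == "RunOnce":
        reasons.append("RunOnce entry (legitimately present only until the next logon)")
    if section in ("O2", "O20") and parent.endswith("\\system32"):
        reasons.append("BHO/Winlogon Notify DLL loaded from system32 rather than a product folder")
    return reasons


def triage(log_text):
    """Return a Finding for every O2/O4/O20 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        section = line.split(" - ", 1)[0]
        hive = key = name = path = ""
        if section == "O4":
            m = O4_RE.match(line)
            if not m:  # e.g. "O4 - Global Startup:" lines are not handled here
                continue
            hive, key, name = m.group("hive"), m.group("key"), m.group("name")
            pm = PATH_RE.search(m.group("cmd"))
            path = pm.group("path") if pm else m.group("cmd")
        elif section in ("O2", "O20"):
            # "O2 - BHO: <name> - {CLSID} - <path>" / "O20 - Winlogon Notify: <name> - <path>"
            head, _, path = line.rpartition(" - ")
            name = head.split(": ", 1)[1].split(" - ")[0]
        else:
            continue
        reasons = suspicious(section, hive, key, path)
        if reasons:
            findings.append(Finding(section, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.path}")
        for r in f.reasons:
            print("    -", r)
```

On the sample above it flags exactly the entries SDFix later deletes (system.exe, GFA7D.tmp.exe, the md4hsh and IEHelp DLLs) plus the hidden winmain.exe, and leaves the Intel, AVG, Java and SUPERAntiSpyware entries alone.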


#2 - 12-08-2007
Pancake (Senior Security Analyst; Join Date: Jun 2006; Location: Victoria, Australia; Posts: 2,534; PC Experience: Elite PC Guru)
Re: Please, can someone help me?

Download SDFix from here and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

=========================================
This will help to identify any malware on your system.
Please download Combofix from any of these locations:
Here
or
Here


Save ComboFix to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Caution...Never run ComboFix without being supervised by a security analyst.


__________________
My real name is Eddy
#3 - 12-09-2007
LoPan (Bronze Member; Join Date: Dec 2007; Posts: 8; PC Experience: Some Experience)
Re: Please, can someone help me?

Okay, here's the SDFix log...


SDFix: Version 1.117
Run by Clif on Sun 12/09/2007 at 01:26 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\ACROIE~1.XML - Deleted
C:\WINDOWS\SYSTEM32\IEHELP.XML - Deleted
C:\WINDOWS\system32\G2B12.tmp.exe - Deleted
C:\WINDOWS\system32\G3A33.tmp.exe - Deleted
C:\WINDOWS\system32\G7CAD.tmp.exe - Deleted
C:\WINDOWS\system32\GA59C.tmp.exe - Deleted
C:\WINDOWS\system32\GB611.tmp.exe - Deleted
C:\WINDOWS\system32\GB892.tmp.exe - Deleted
C:\WINDOWS\system32\GBAF3.tmp.exe - Deleted
C:\WINDOWS\system32\GBB31.tmp.exe - Deleted
C:\WINDOWS\system32\GBB60.tmp.exe - Deleted
C:\WINDOWS\system32\GBCC8.tmp.exe - Deleted
C:\WINDOWS\system32\GBD06.tmp.exe - Deleted
C:\WINDOWS\system32\GBDC2.tmp.exe - Deleted
C:\WINDOWS\system32\GBF68.tmp.exe - Deleted
C:\WINDOWS\system32\GC3EC.tmp.exe - Deleted
C:\WINDOWS\system32\GCE3C.tmp.exe - Deleted
C:\WINDOWS\system32\GD159.tmp.exe - Deleted
C:\WINDOWS\system32\GD36.tmp.exe - Deleted
C:\WINDOWS\system32\GD6B8.tmp.exe - Deleted
C:\WINDOWS\system32\GF19D.tmp.exe - Deleted
C:\WINDOWS\system32\GFA7D.tmp.exe - Deleted
C:\WINDOWS\system32\boa1.dat - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\CONFIG\SYSTEM~1\APPLIC~1\INSTALL.DAT - Deleted
C:\WINDOWS\system32\drivers\System.exe - Deleted
C:\WINDOWS\system32\rc.dat - Deleted


Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 01:32:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Fri 6 Jan 2006 56 A.SHR --- "C:\i386\523969902B.sys"
Fri 6 Jan 2006 2,516 A.SH. --- "C:\i386\KGyGaAvL.sys"
Thu 18 Oct 2007 24,064 ..SH. --- "C:\Documents and Settings\Clif\winmain.exe"
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 20 Nov 2007 56 ..SHR --- "C:\WINDOWS\system32\523969902B.sys"
Tue 20 Nov 2007 4,184 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 9 Dec 2007 369,593 A..H. --- "C:\WINDOWS\Temp\BIT12D.tmp"
Sun 9 Dec 2007 369,593 A..H. --- "C:\WINDOWS\Temp\BIT159.tmp"
Sun 9 Dec 2007 369,593 A..H. --- "C:\WINDOWS\Temp\BIT161.tmp"
Sun 9 Dec 2007 330,102 A..H. --- "C:\WINDOWS\Temp\BIT167.tmp"
Sun 9 Dec 2007 0 A..H. --- "C:\WINDOWS\Temp\BIT16F.tmp"
Fri 20 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 7 Dec 2007 231,686 A..H. --- "C:\Program Files\Trend Micro\Internet Security 12\Quarantine\223.tmp"
Fri 7 Dec 2007 231,682 A..H. --- "C:\Program Files\Trend Micro\Internet Security 12\Quarantine\C.tmp"
Fri 7 Dec 2007 8 A..H. --- "C:\Documents and Settings\Clif\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 7 Dec 2007 8 A..H. --- "C:\Documents and Settings\Clif\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 7 Dec 2007 8 A..H. --- "C:\Documents and Settings\Clif\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Fri 7 Dec 2007 8 A..H. --- "C:\Documents and Settings\Clif\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!

...here's the Combofix log...

ComboFix 07-12-09.1 - Clif 2007-12-09 1:44:12.1 - NTFSx86
Running from: C:\Documents and Settings\Clif\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\LDRA.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_MSUPDATE
-------\ntload

((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.
2007-12-09 01:48 . 2007-12-09 01:48 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-12-09 01:25 . 2007-12-09 01:25 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-07 21:17 . 2007-12-07 21:17 <DIR> d-------- C:\Program Files\CCleaner
2007-12-07 17:54 . 2007-12-07 17:54 <DIR> d-------- C:\Documents and Settings\Clif\Application Data\Grisoft
2007-12-07 17:53 . 2007-12-07 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-07 17:53 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-07 17:45 . 2007-12-07 21:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-07 17:45 . 2007-12-07 17:45 <DIR> d-------- C:\Documents and Settings\Clif\Application Data\SUPERAntiSpyware.com
2007-12-07 17:45 . 2007-12-07 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-07 11:14 . 2007-12-07 12:58 <DIR> d-------- C:\Documents and Settings\Clif\.housecall6.6
2007-12-07 03:04 . 2007-12-07 03:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 03:04 . 2007-12-07 03:04 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-07 01:41 . 2007-12-07 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 00:19 . 2007-12-07 00:19 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-07 00:19 . 2007-12-07 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-06 23:56 . 2007-12-07 17:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 08:56 . 2007-12-04 08:56 118,272 --a------ C:\1236234
2007-12-03 16:39 . 2007-12-03 16:39 528,896 --a------ C:\WINDOWS\system32\AcroIEHelper.dll
2007-11-30 20:14 . 2007-11-30 20:14 6,656 --a------ C:\WINDOWS\system32\md4hsh.dll
2007-11-30 20:14 . 2007-12-09 01:23 2,032 --a------ C:\WINDOWS\system32\nvnati.sys
2007-11-28 10:39 . 2007-11-28 10:39 8,881 --a------ C:\9957734
2007-11-28 10:39 . 2007-11-28 10:39 8,881 --a------ C:\6352046
2007-11-28 10:39 . 2007-11-28 10:39 8,881 --a------ C:\17166265
2007-11-28 10:39 . 2007-11-28 10:39 8,881 --a------ C:\13561812
2007-11-23 17:06 . 2007-11-23 17:06 12,800 --a------ C:\WINDOWS\system32\dialsv32.dll
2007-11-23 01:51 . 2007-11-23 01:51 18,944 --a------ C:\1657031
2007-11-21 07:10 . 2007-11-21 07:10 112,911 --a------ C:\5511875
2007-11-14 12:50 . 2007-11-14 12:50 127 --a------ C:\WINDOWS\system32\MRT.INI
2007-11-13 14:32 . 2007-11-13 14:32 17,408 --a------ C:\888953
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 19:21 --------- d-----w C:\Program Files\Trend Micro
2007-10-30 19:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-18 18:23 24,064 --sh--w C:\Documents and Settings\Clif\winmain.exe
2007-10-18 18:23 24,064 ----a-w C:\info.exe
2007-10-09 04:59 --------- d-----w C:\Program Files\Java
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8673347E-6D08-4B61-8794-E101DC448950}]
2007-10-13 10:50 528896 --a------ C:\WINDOWS\system32\IEHelp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3CFA533-7680-4943-A863-B8216390E847}]
2007-12-03 16:39 528896 --a------ C:\WINDOWS\system32\AcroIEHelper.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"main"="C:\WINDOWS\system32\drivers\system.exe" [2007-10-18 13:23]
"default"="C:\Documents and Settings\Clif\winmain.exe" [2007-10-18 13:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 18:39]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"sysinit"="C:\WINDOWS\system32\drivers\system.exe" [2007-10-18 13:23]
"winmz"="C:\Documents and Settings\Clif\winmain.exe" [2007-10-18 13:23]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSNAgent"="C:\WINDOWS\system32\GFA7D.tmp.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-01-15 12:04:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\md4hsh]
md4hsh.dll 2007-11-30 20:14 6656 C:\WINDOWS\system32\md4hsh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 02:12 483328 --a------ C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 18:58 856064 --a------ C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 12:06 106496 --a--c--- C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2006-04-28 17:08 692224 -----c--- C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 17:19 53248 -----c--- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2005-04-08 14:09 102400 --------- C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-02-23 15:45 278528 --a--c--- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-08 20:20 8192 --a--c--- C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\winupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\md4hsh.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\Clif\LOCALS~1\Temp\rdrigeqwUTER.dll
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 01:50:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
main = C:\WINDOWS\system32\drivers\system.exe
default = C:\Documents and Settings\Clif\winmain.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
sysinit = C:\WINDOWS\system32\drivers\system.exe
winmz = C:\Documents and Settings\Clif\winmain.exe
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-09 1:53:33 - machine was rebooted
.
--- E O F ---

...and here's my new Hijackthis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:26 AM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Clif\winmain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\update\update.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f827.mail.yahoo.com/ym/log...=0mco4ksq4v261
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHelp - {8673347E-6D08-4B61-8794-E101DC448950} - C:\WINDOWS\system32\IEHelp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\system32\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [main] C:\WINDOWS\system32\drivers\system.exe
O4 - HKCU\..\Run: [default] C:\Documents and Settings\Clif\winmain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [sysinit] C:\WINDOWS\system32\drivers\system.exe
O4 - HKCU\..\RunOnce: [winmz] C:\Documents and Settings\Clif\winmain.exe
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [main] C:\WINDOWS\system32\drivers\system.exe (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [default] C:\Documents and Settings\Clif\winmain.exe (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-2376690854-1529554363-2898095038-1006\..\RunOnce: [sysinit] C:\WINDOWS\system32\drivers\system.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MSNAgent] C:\WINDOWS\system32\GFA7D.tmp.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MSNAgent] C:\WINDOWS\system32\GFA7D.tmp.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: md4hsh - C:\WINDOWS\SYSTEM32\md4hsh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 12234 bytes


  #4  
Old 12-09-2007
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,534
PC Experience: Elite PC Guru
Default Re: Please, can someone help me?

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
http://www.pchelpforum.com/hijackthi...tml#post235803
Suspect::[4]
C:\9957734
C:\6352046
C:\17166265
C:\13561812
C:\1657031
C:\5511875
C:\888953
KillAll::
File::
C:\WINDOWS\system32\dialsv32.dll
C:\Documents and Settings\Clif\winmain.exe
C:\WINDOWS\system32\drivers\system.exe
C:\WINDOWS\system32\winupdate.exe
C:\DOCUME~1\Clif\LOCALS~1\Temp\rdrigeqwUTER.dll
C:\WINDOWS\system32\md4hsh.dll
C:\WINDOWS\system32\GFA7D.tmp.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"main"=-
"default"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"sysinit"=-
"winmz"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\md4hsh]
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.


__________________
My real name is Eddy

Last edited by Pancake; 12-09-2007 at 09:36 AM.
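An added example, not code from this thread or from ComboFix/HijackThis: a small Python checker that reads the File:: and Registry:: sections of a CFScript like the one above and lists the O4/O20 HijackThis entries it targets, so the fresh log requested afterwards can be checked against the script. The CFScript and HijackThis excerpts inside are constructed from entries posted in this thread.

```python
"""Cross-check a ComboFix CFScript against before/after HijackThis logs.

Added example only: CFScript and HijackThis are existing tools; this code
just parses the text formats shown in the thread.
"""
import re

# Constructed CFScript, trimmed to the sections used in the thread.
CFSCRIPT = r"""
File::
C:\Documents and Settings\Clif\winmain.exe
C:\WINDOWS\system32\drivers\system.exe
C:\WINDOWS\system32\md4hsh.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"main"=-
"default"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\md4hsh]
"""

# Constructed HijackThis excerpt from before the cleanup.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [main] C:\WINDOWS\system32\drivers\system.exe
O4 - HKCU\..\Run: [default] C:\Documents and Settings\Clif\winmain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: md4hsh - C:\WINDOWS\SYSTEM32\md4hsh.dll
"""

# Constructed "fresh" HijackThis excerpt from after the cleanup.
HJT_AFTER = r"""
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 lines: "O4 - <hive>\..\Run[Once]: [<value name>] <command>"
HJT_O4 = re.compile(
    r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20 lines: "O20 - Winlogon Notify: <subkey> - <dll path>"
HJT_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')


def parse_cfscript(text):
    """Return (file paths, deleted value names, deleted keys), all lower-cased."""
    files, values, keys = set(), set(), set()
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):            # section header such as File:: or Registry::
            section = line[:-2].lower()
            continue
        if section == "file":
            files.add(line.lower())
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                keys.add(line[2:-1].lower())                  # whole key deleted
            elif line.startswith('"') and line.endswith("=-"):
                values.add(line[1:line.rfind('"')].lower())   # single value deleted
            # a plain [key] line only scopes the value lines under it
    return files, values, keys


def find_hits(hjt_text, files, values, keys):
    """Return the HijackThis lines that reference anything the CFScript targets."""
    hits = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = HJT_O4.match(line)
        if m:
            cmd = m.group("cmd").lstrip('"').lower()
            if m.group("name").lower() in values or any(cmd.startswith(f) for f in files):
                hits.append(line)
            continue
        m = HJT_O20.match(line)
        if m:
            name, path = m.group("name").lower(), m.group("path").lower()
            if path in files or any(k.endswith("\\" + name) for k in keys):
                hits.append(line)
    return hits


def cleanup_report(cfscript, before, after):
    """Which targeted entries were in the old log, and which survive in the new one."""
    files, values, keys = parse_cfscript(cfscript)
    return {
        "targeted_before": find_hits(before, files, values, keys),
        "still_present": find_hits(after, files, values, keys),
    }


if __name__ == "__main__":
    report = cleanup_report(CFSCRIPT, HJT_BEFORE, HJT_AFTER)
    for label, lines in report.items():
        print(f"{label}: {len(lines)}")
        for entry in lines:
            print("   ", entry)
```

Anything listed under "still_present" means the fresh log still shows an entry the script was meant to remove and the cleanup needs another look.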
  #5  
Old 12-10-2007
Bronze Member
 
Join Date: Dec 2007
Posts: 8
PC Experience: Some Experience
Default Re: Please, can someone help me?

I hope I got this right, because after I dragged the CFScript.txt to the Combofix it tried to reboot my system, but instead of rebooting I got a blue screen that read "STOP: c000021a {Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status o The system has been shut down." It stayed like that for a while, then I turned the power off on my PC and it came back on and Combofix finished and produced a log; then I submitted the file for analysis and it said it was "successfully submitted to bleepingcomputer.com."

Here's the Combofix log...

ComboFix 07-12-09.1 - Clif 2007-12-09 23:09:16.2 - NTFSx86
Running from: C:\Documents and Settings\Clif\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Clif\Desktop\CFScript.txt
FILE
C:\DOCUME~1\Clif\LOCALS~1\Temp\rdrigeqwUTER.dll
C:\Documents and Settings\Clif\winmain.exe
C:\WINDOWS\system32\dialsv32.dll
C:\WINDOWS\system32\drivers\system.exe
C:\WINDOWS\system32\GFA7D.tmp.exe
C:\WINDOWS\system32\md4hsh.dll
C:\WINDOWS\system32\winupdate.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Clif\winmain.exe
C:\WINDOWS\system32\dialsv32.dll
C:\WINDOWS\system32\drivers\system.exe
C:\WINDOWS\system32\md4hsh.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.
2007-12-09 01:25 . 2007-12-09 01:25 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-07 21:17 . 2007-12-07 21:17 <DIR> d-------- C:\Program Files\CCleaner
2007-12-07 17:54 . 2007-12-07 17:54 <DIR> d-------- C:\Documents and Settings\Clif\Application Data\Grisoft
2007-12-07 17:53 . 2007-12-07 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-07 17:53 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-07 17:45 . 2007-12-07 21:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-07 17:45 . 2007-12-07 17:45 <DIR> d-------- C:\Documents and Settings\Clif\Application Data\SUPERAntiSpyware.com
2007-12-07 17:45 . 2007-12-07 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-07 11:14 . 2007-12-07 12:58 <DIR> d-------- C:\Documents and Settings\Clif\.housecall6.6
2007-12-07 03:04 . 2007-12-07 03:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-07 03:04 . 2007-12-07 03:04 1,409 --a------ C:\WINDOWS\QTFont.for
2007