Need help reading Hijackthis log

Unread postby girlgeekmary » May 20th, 2008, 6:25 pm

I've run 15 scans on this computer so I think it's kind of clean. Can someone assist me with the hijackthis log, please?

Oops, forgot the log.
hijackthislog.txt
Last edited by girlgeekmary on May 20th, 2008, 9:07 pm, edited 2 times in total.
girlgeekmary
Active Member
 
Posts: 10
Joined: February 21st, 2008, 6:58 pm

Re: Need help reading Hijackthis log

Unread postby MikeSwim07 » May 20th, 2008, 8:43 pm

This is a very good tutorial over at BC: http://www.bleepingcomputer.com/tutoria ... ial42.html

Also, when you are posting questions that involve malware removal or tools, please use the debating chamber, located here : viewforum.php?f=7
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Need help reading Hijackthis log

Unread postby Elrond » May 21st, 2008, 12:55 am

This topic has been moved to Room 06.
Freshmen, if you need help with your own computer or a log that you need to work with, please post it in Room 06 out of sight from the general public.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Need help reading Hijackthis log

Unread postby Dakeyras » May 21st, 2008, 6:35 am

Hi :)


Did you rename the HJT exe file yourself, or have you received help re a malware issue in the past? Anyway, can you tell me if there are any advantages to renaming or not?

What stands out in regard to the installed anti-spyware applications? Are they actually active or not? How can we address this?

Can you see anything malware related in the log, and/or anything that needs addressing that is not of a malware nature?

Hope you do not think I sound harsh, I assure you I am not being, just trying to help :).

OK, apart from the above you need to research the log. The method I use is to check each line individually and in Notepad remove all the good/safe entries, but I think the best way forward for yourself is to actually check each line from the header downwards and post a comment underneath about your findings/conclusions. For example:

Platform: Windows XP SP2 (WinNT 5.01.2600)
Denotes Operating System and current service pack installed.

C:\WINDOWS\System32\smss.exe
Part of the MS Op' Sys' and is the Session Manager Subsystem, which basically looks after sessions during operation. If this was not in the System32 folder or the exe file was named slightly differently, then that would be a possible indication of a malware infection.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
Relates to IE start page and start assistant entries; in this instance the URL is safe, but this is not always the case with some malware infections.
Myself I do not really like anything Yahoo related but that is just my preference :lol:.

So research your whole log and post back what you find please and we can go from there :).

Some good research guides to be found here to go with the good link MikeSwim07 posted:

viewtopic.php?f=25&t=5674

viewforum.php?f=30

Any questions feel free to ask etc.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Need help reading Hijackthis log

Unread postby chryssi2001 » May 21st, 2008, 10:08 am

Hello girlgeekmary,

I've run 15 scans on this computer so I think it's kind of clean

No your pc isn't clean.

As mike and Dakeyras posted, also as indicated in the link in my post,
search each line of your log, and post back the bad lines you find.
viewtopic.php?f=28&t=26330

What are the 15 scans/tools you ran apart from the HijackThis log?
Did you run them yourself, or did someone advise you?

Post back the names of the tools used already, together with all bad lines you can find in your HijackThis log, and I will help you clean it.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help reading Hijackthis log

Unread postby girlgeekmary » May 21st, 2008, 6:47 pm

Yes, I have worked through this a couple of times with TechSpot. I was trying to teach myself as much as possible. So, I did the preliminary scans required for TechSpot. They included spybot, avg, adaware, ccleaner, superantispyware, vundofix, smitfraudfix, virtumundobegone, malwarebytes, panda antiroot kit, combofix. Avg, spybot and adaware a second time in safe mode. And lastly Avg antispyware.

The entries I have questions about are:

O2 - BHO: (no name) - {04D44604-F4DF-47A3-BC7A-40896769C5AA} - C:\WINDOWS\system32\urqOiihg.dll (file missing)

O2 - BHO: (no name) - {FC1EF45A-3879-45BE-80C6-2788C78C7FEC} - C:\WINDOWS\system32\geBstspP.dll (file missing)

I couldn't find the two BHO's listed above.

O4 - HKLM\..\Run: [c40191c2] rundll32.exe "C:\WINDOWS\system32\xxmfvbyw.dll",b

The xxmfvbyw.dll pops up at startup with an Error Loading message.

O4 - Global Startup: Digital Line Detect.lnk = ?

Could this be related to the isp?

O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

O24 - Desktop Component 0: Privacy Protection - (no file)

Should I also delete the "not needed" items?

Thanks for your help.
girlgeekmary
Active Member
 
Posts: 10
Joined: February 21st, 2008, 6:58 pm

Re: Need help reading Hijackthis log

Unread postby chryssi2001 » May 22nd, 2008, 2:49 am

Hello girlgeekmary :),

Nice, all the lines you posted are bad except this:

O4 - Global Startup: Digital Line Detect.lnk = ?

It belongs to Dell computers. Google Digital Line Detect ;)

Some more lines also show infection.
----------------------------------------------
Should I also deleted the "not needed" items?

I can't understand what you mean by "not needed" items, but do not fix anything yourself and do not run other tools except the ones I tell you to.
----------------------------------------------
Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
----------------------------------------------
Now if you decide to clean your pc follow my instructions below:

Remove/Disable one of your Anti Virus programs.
You are operating your computer with multiple Anti Virus programs running in memory at once:

AVG7
Fix-It AV


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slowly, become unstable and even, in rare cases, crash.

Please remove/disable one of them.

You can disable Fix-It AV and run it manually when you want to.
----------------------------------------------
We have to uninstall Combofix as it's updated often, and we need the new updated version.

UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.
----------------------------------------------
Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
Disable SUPERAntiSpyware until the computer is clean
  • Right-click on the shortcut from the system tray
  • Choose View Control Center (preferences/options)
  • On the General and Startup tab, uncheck Start SUPERAntispyware when Windows starts.
  • Click Close to exit.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
Note: If you already have Recovery Console installed, skip that step.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Post all reports properly and not as attachments please.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
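
The line-by-line research Dakeyras describes above, together with the lines girlgeekmary and chryssi2001 then single out (the orphaned BHOs and desktop component, the rundll32 entry loading xxmfvbyw.dll, the WinCtrl32 Winlogon Notify package), as a small added Python triage helper. This is example code written for this thread, not code from MalwareRemoval.com, HijackThis or any of the posters; the allowlists, the "eight random letters" heuristic and the Temp-folder smss.exe line in the sample are constructed assumptions, and the other sample lines are copied from the log posted in this thread.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT's own
logic): classify each line by its section prefix and flag what the helpers
in this thread pointed at. Every allowlist and heuristic is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Directory each core Windows XP process is expected to run from (assumption).
CORE_PROCESS_DIRS = {
    "smss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
# Winlogon Notify packages that ship with Windows XP (assumption: partial list).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "sens.dll", "wlnotify.dll", "wgalogon.dll"}
SECTION_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
# Eight letters and nothing else is the shape of the randomly named DLLs in
# this thread (urqOiihg, geBstspP, xxmfvbyw); a heuristic, not a rule.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)

@dataclass
class Finding:
    section: str  # HJT prefix, or "process" for the Running processes list
    reason: str
    line: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""

def triage_process(path: str) -> Optional[Finding]:
    """Core processes must run from their usual directory (the smss.exe point above)."""
    name = _basename(path).lower()
    expected = CORE_PROCESS_DIRS.get(name)
    if expected and _dirname(path) != expected:
        return Finding("process", f"{name} runs from {_dirname(path)} instead of {expected}", path)
    return None

def triage_line(line: str) -> Optional[Finding]:
    """Apply the section-specific checks to one prefixed HJT line."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("O2", "O3", "O24"):  # BHOs, toolbars, desktop components
        if "(file missing)" in body or "(no file)" in body:
            return Finding(sec, "entry points at a file that no longer exists", line)
    elif sec == "O4":  # autostart entries
        reasons = []
        rd = RUNDLL_RE.search(body)
        if rd:
            dll = rd.group("dll")
            stem = _basename(dll).rsplit(".", 1)[0]
            if _dirname(dll) == r"c:\windows\system32" and RANDOM_STEM_RE.match(stem):
                reasons.append(f"rundll32 loads randomly named {_basename(dll)} from system32")
        name = re.search(r"\[([^\]]*)\]", body)
        if name and HEX_NAME_RE.match(name.group(1)):
            reasons.append(f"Run value name {name.group(1)!r} is a random hex string")
        if reasons:
            return Finding(sec, "; ".join(reasons), line)
    elif sec == "O20" and "winlogon notify" in body.lower():
        dll = _basename(body.split(" - ", 1)[-1]).lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            return Finding(sec, f"Winlogon Notify package {dll} is not a known Windows one", line)
    return None

def triage_log(text: str) -> List[Finding]:
    """Walk a whole HJT log: the Running processes list, then every prefixed line."""
    findings, in_processes = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # a blank line ends the process list
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        found = triage_process(line) if in_processes else triage_line(line)
        if found:
            findings.append(found)
    return findings

# Sample input: lines copied from the log posted in this thread, plus one
# constructed Temp-folder smss.exe to exercise the core-process check.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\user\LOCALS~1\Temp\smss.exe

O2 - BHO: (no name) - {04D44604-F4DF-47A3-BC7A-40896769C5AA} - C:\WINDOWS\system32\urqOiihg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [c40191c2] rundll32.exe "C:\WINDOWS\system32\xxmfvbyw.dll",b
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O24 - Desktop Component 0: Privacy Protection - (no file)
"""
```

Running `triage_log(SAMPLE_LOG)` returns five findings (the Temp smss.exe, the orphaned BHO, the rundll32 entry, the Winlogon Notify DLL and the empty desktop component) and passes over the Spybot BHO; an entry is flagged for review, not condemned, since every heuristic here is a starting point for the research the helpers ask for.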

Re: Need help reading Hijackthis log

Unread postby girlgeekmary » May 22nd, 2008, 12:28 pm

I didn't know fix-it AV is on the computer. Where do I find it to delete it?

Should I run hijackthis to fix the problems already found?

I apparently don't understand how to attach logs.

Where do I find Windows Recovery Console to install it?
girlgeekmary
Active Member
 
Posts: 10
Joined: February 21st, 2008, 6:58 pm

Re: Need help reading Hijackthis log

Unread postby chryssi2001 » May 22nd, 2008, 1:10 pm

Hello girlgeekmary.

I suppose you want to clean your pc.

I didn't know fix-it AV is on the computer. Where do I find it to delete it?

It's in your Program Files, but all I have is this: VCOM
Do you have such a program in your Program Files?
If you can't find it, just disable it when you run Combofix, also disable your Anti-Virus, and we'll remove it later.

Did you read all my post?

Should I run hijackthis to fix the problems already found?

No. Do not fix anything yourself!!

I apparently don't understand how to attach logs.

I want you to post logs, and not attach them please.

When Notepad opens after running Combofix or HijackThis, click the Post Reply button here in this thread and copy/paste the reports here.

Read here how to install Combofix and Recovery Console, but do it after you uninstall the old version.
You will find the link to install Recovery Console in that topic.

Post back:
Combofix report.
A new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help reading Hijackthis log

Unread postby girlgeekmary » May 22nd, 2008, 4:28 pm

I apologize for not reading your previous instructions completely.

ComboFix 08-05-21.3 - john garcia 2008-05-22 13:07:45.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1618 [GMT -7:00]
Running from: C:\Documents and Settings\john garcia\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Google\googletoolbar1.dll
C:\WINDOWS\system32\drivers\nsX73.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NSX73
-------\Service_nsX73


((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-22 13:10 . 2008-05-22 13:10 29,056 --a------ C:\WINDOWS\system32\drivers\sxD51.sys
2008-05-22 13:10 . 2008-05-22 13:10 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dl_
2008-05-20 10:36 . 2008-05-20 10:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-05-20 10:13 . 2008-05-20 10:34 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-18 10:43 . 2008-05-18 10:43 <DIR> d-------- C:\WINDOWS\system32\Dell
2008-05-17 19:59 . 2008-05-17 19:59 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 16:42 . 2008-05-17 16:42 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\Malwarebytes
2008-05-17 16:42 . 2008-05-17 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 16:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-17 16:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-17 16:29 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-17 16:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-17 16:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-17 16:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-17 16:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-17 16:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-17 14:09 . 2008-05-17 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 14:08 . 2008-05-22 12:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 14:08 . 2008-05-22 12:23 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\SUPERAntiSpyware.com
2008-05-16 21:17 . 2008-05-17 01:19 <DIR> d-------- C:\Documents and Settings\john garcia\.housecall6.6
2008-05-16 21:12 . 2008-05-18 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-15 11:40 . 2008-05-15 11:40 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\TmpRecentIcons
2008-05-11 03:58 . 2008-05-11 03:58 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\Lexmark Productivity Studio
2008-05-10 16:22 . 2008-05-10 16:22 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\FaxCtr
2008-05-10 16:02 . 2008-05-10 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
2008-05-10 16:00 . 2007-02-22 00:13 45,056 --a------ C:\WINDOWS\system32\LXF3PMON.DLL
2008-05-10 16:00 . 2007-02-22 00:12 32,768 --a------ C:\WINDOWS\system32\LXF3FXPU.DLL
2008-05-10 15:59 . 2008-05-10 16:00 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
2008-05-10 15:59 . 2008-05-10 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2008-05-10 15:59 . 2006-05-31 12:51 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2008-05-10 15:59 . 2006-05-31 12:51 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2008-05-10 15:59 . 2006-05-31 12:51 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2008-05-10 15:59 . 2006-05-31 12:51 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL
2008-05-10 15:59 . 2006-05-31 12:51 49,152 --a------ C:\WINDOWS\system32\IM31IMG.DIL
2008-05-10 15:59 . 2006-11-07 08:02 36,864 --a------ C:\WINDOWS\system32\lxf3oem.dll
2008-05-10 15:59 . 2007-02-22 00:15 12,288 --a------ C:\WINDOWS\system32\LXF3PMRC.DLL
2008-05-10 15:56 . 2007-02-19 13:00 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-05-10 15:48 . 2008-05-10 16:01 <DIR> d-------- C:\Program Files\Lexmark 3500-4500 Series
2008-05-10 15:48 . 2007-05-17 08:00 311,296 --a------ C:\WINDOWS\system32\lxdihcp.dll
2008-05-10 15:48 . 2007-05-17 07:59 294,912 --a------ C:\WINDOWS\system32\lxdiinst.dll
2008-05-10 15:48 . 2007-01-22 02:53 60 --ah----- C:\WINDOWS\system32\lxdirwrd.ini
2008-05-10 15:46 . 2008-05-10 15:46 <DIR> d-------- C:\logs
2008-05-10 15:46 . 2007-03-30 07:13 344,064 -ra------ C:\WINDOWS\system32\lxdicoin.dll
2008-05-10 15:46 . 2007-06-11 07:01 1,900 -ra------ C:\WINDOWS\system32\lxdi.loc
2008-05-06 16:18 . 2008-05-06 16:19 <DIR> d-------- C:\Program Files\505 Game Collection

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 20:07 --------- d-----w C:\Program Files\Google
2008-05-22 19:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 05:01 --------- d-----w C:\Documents and Settings\john garcia\Application Data\AVG7
2008-05-20 00:12 --------- d-----w C:\Program Files\Dl_cats
2008-05-19 03:30 --------- d-----w C:\Program Files\Trend Micro
2008-05-18 17:53 --------- d-----w C:\Documents and Settings\john garcia\Application Data\Yahoo!
2008-05-18 17:43 --------- d-----w C:\Program Files\Dell
2008-05-17 03:54 --------- d-----w C:\Program Files\Java
2008-05-10 22:58 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-06 23:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2006-09-24 16:52 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
----a-w           135,168 2008-02-27 00:24:42  C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent .exe
----a-w         1,404,928 2008-02-04 20:39:11  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w            81,920 2008-02-04 20:39:14  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           249,856 2008-02-04 20:39:11  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm      .exe
----a-w           249,856 2008-02-04 18:20:34  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w           106,496 2008-02-04 20:40:25  C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
----a-w            86,016 2008-02-04 20:39:11  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w           425,984 2008-02-04 20:39:40  C:\Program Files\Dell Photo AIO Printer 924\dlccmon .exe
----a-w           460,784 2008-02-27 00:24:19  C:\Program Files\DellSupport\DSAgnt .exe
----a-w            68,856 2008-02-27 00:40:29  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w         6,731,312 2008-02-28 00:18:14  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w         1,694,208 2008-02-27 00:24:26  C:\Program Files\Messenger\msmsgs .exe
----a-w           600,896 2008-02-04 20:40:56  C:\Program Files\Microsoft IntelliPoint\ipoint .exe
----a-w           576,320 2008-02-04 20:40:41  C:\Program Files\Microsoft IntelliType Pro\itype .exe
----a-w             8,192 2008-02-04 20:39:18  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w            98,304 2008-02-27 00:24:14  C:\Program Files\QuickTime\qttask          .exe
----a-w            26,112 2008-02-04 20:39:13  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w         2,097,488 2008-02-28 00:17:57  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           224,248 2008-02-27 00:24:32  C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w            15,360 2008-02-25 21:53:56  C:\WINDOWS\system32\ctfmon .exe
----a-w            77,824 2008-02-04 20:39:49  C:\WINDOWS\system32\hkcmd .exe
----a-w           114,688 2008-02-04 20:39:55  C:\WINDOWS\system32\igfxpers .exe
----a-w            94,208 2008-02-04 20:39:39  C:\WINDOWS\system32\igfxtray .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04D44604-F4DF-47A3-BC7A-40896769C5AA}]
C:\WINDOWS\system32\urqOiihg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1EF45A-3879-45BE-80C6-2788C78C7FEC}]
C:\WINDOWS\system32\geBstspP.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-16 21:12 68856]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [ ]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 09:54 434864]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 09:54 25264]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"Fix-It AV"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [ ]
"FaxCenterServer"="C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 09:54 311984]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [ ]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [ ]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 05:38 69632]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"c40191c2"="C:\WINDOWS\system32\xxmfvbyw.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 09:29 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-27 18:07 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-19 19:44:06 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2008-05-20 10:34 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hnt51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mrw16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxD51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\lxdicoms.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=

R0 sxD51;sxD51;C:\WINDOWS\system32\Drivers\sxD51.sys [2008-05-22 13:10]
R2 lxdi_device;lxdi_device;C:\WINDOWS\system32\lxdicoms.exe [2007-06-11 07:14]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 07:14]
S0 Hnt51;Hnt51;C:\WINDOWS\system32\Drivers\Hnt51.sys []
S0 Mrw16;Mrw16;C:\WINDOWS\system32\Drivers\Mrw16.sys []

*Newly Created Service* - SXD51
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 13:11:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WinCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdiserv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-22 13:17:50 - machine was rebooted [john garcia]
ComboFix-quarantined-files.txt 2008-05-22 20:17:19
ComboFix2.txt 2008-05-18 02:09:11

Pre-Run: 64,524,832,768 bytes free
Post-Run: 64,480,198,656 bytes free

213 --- E O F --- 2008-05-22 17:00:39

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:50 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\Crusty.exe\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {04D44604-F4DF-47A3-BC7A-40896769C5AA} - C:\WINDOWS\system32\urqOiihg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FC1EF45A-3879-45BE-80C6-2788C78C7FEC} - C:\WINDOWS\system32\geBstspP.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [c40191c2] rundll32.exe "C:\WINDOWS\system32\xxmfvbyw.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - (no file)
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 8002 bytes
I hope I did it right this time. Thanks.
girlgeekmary
Active Member
 
Posts: 10
Joined: February 21st, 2008, 6:58 pm

Re: Need help reading Hijackthis log

Unread postby chryssi2001 » May 23rd, 2008, 1:02 am

Hi, yes you did fine this time. :)

I need some time to check your reports and I'll be back with a fix.
It's morning here now, so I'll be gone for work any minute.

Meanwhile do some reading in the University. ;)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help reading Hijackthis log

Unread postby chryssi2001 » May 23rd, 2008, 7:41 am

Hello,

I see you posted for help at this forum too.
http://forums.maddoktor2.com/index.php?showtopic=11040

If we are going to continue here, please post and tell them, so they can close the thread.

If you will continue there let me know.

Users who need help are many more than us Helpers, so it's not fair to have 2 helpers working on cleaning your pc.

If you decide to continue here, let me know if you know what these drivers are about. 2 of them look Chinese, and I can't find information about them, as I can't read the language; I also can't find information about the 3rd.

C:\WINDOWS\system32\drivers\sxD51.sys
C:\WINDOWS\system32\Drivers\Hnt51.sys
C:\WINDOWS\system32\Drivers\Mrw16.sys
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need help reading Hijackthis log

Unread postby girlgeekmary » May 24th, 2008, 2:38 pm

Yes, continue here please. I closed the other one.

The only thing I could find out about driver sxD51.sys is that it is referred to as a driver for an analog device. I don't know what that is.

Thank you. I'll be waiting.
girlgeekmary
Active Member
 
Posts: 10
Joined: February 21st, 2008, 6:58 pm

Re: Need help reading Hijackthis log

Unread postby chryssi2001 » May 24th, 2008, 5:41 pm

Hello girlgeekmary,

FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - (no file)
O24 - Desktop Component 0: Privacy Protection - (no file)


Then close all windows except Hijackthis and click Fix Checked.
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://malwareremoval.com/forum/viewtopic.php?f=28&t=30879
    
    KILLALL::
    
    File::
    C:\WINDOWS\system32\drivers\sxD51.sys
    C:\WINDOWS\system32\Drivers\Hnt51.sys
    C:\WINDOWS\system32\Drivers\Mrw16.sys
    
    Collect::
    C:\WINDOWS\system32\WinCtrl32.dl_
    C:\WINDOWS\system32\WinCtrl32.dll
    C:\WINDOWS\system32\urqOiihg.dll
    C:\WINDOWS\system32\geBstspP.dll
    C:\WINDOWS\system32\xxmfvbyw.dll
    
    Folder::
    C:\PROGRA~1\VCOM
    C:\Program Files\Google\GoogleToolbarNotifier
    
    RenV::
    C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent .exe
    C:\Program Files\Analog Devices\Core\smax4pnp .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm      .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
    C:\Program Files\Dell\Media Experience\DMXLauncher .exe
    C:\Program Files\Dell Photo AIO Printer 924\dlccmon .exe
    C:\Program Files\DellSupport\DSAgnt .exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\Microsoft IntelliPoint\ipoint .exe
    C:\Program Files\Microsoft IntelliType Pro\itype .exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
    C:\Program Files\QuickTime\qttask          .exe
    C:\Program Files\Real\RealPlayer\RealPlay .exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\hkcmd .exe
    C:\WINDOWS\system32\igfxpers .exe
    C:\WINDOWS\system32\igfxtray .exe
    
    Driver::
    sxD51
    Hnt51
    Mrw16
    SDhelper
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04D44604-F4DF-47A3-BC7A-40896769C5AA}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1EF45A-3879-45BE-80C6-2788C78C7FEC}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"=-
    "Fix-It AV"=-
    "c40191c2"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hnt51.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mrw16.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxD51.sys]
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Image: screenshot]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Is the pc running better now?
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
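
As an added example (not HijackThis, ComboFix, or the helper's script), the Python below applies the same reading of the log that the fix above is based on, over sample lines constructed from the logs in this thread: orphaned "(file missing)"/"(no file)" entries, executables renamed with a space before the extension (what the RenV section undoes), a Run value with a hex-looking name loading a DLL out of system32 through rundll32, and Winlogon Notify DLLs. The severity heuristics and the regexes are the example's own assumptions, not rules HijackThis applies.

```python
"""Triage heuristics for HijackThis O2/O3/O4/O20/O23/O24 lines (added example)."""
import re
from dataclasses import dataclass

# HijackThis entry layout: "<Rn|On> - <kind>: <detail>"
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
# A quoted or bare Windows path ending in .exe/.dll/.sys. The optional whitespace
# before the extension is deliberate: it lets "qttask .exe" be captured as one path.
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\[^"\s][^"]*?\s*\.(?:exe|dll|sys))"?', re.IGNORECASE
)
RUN_NAME_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\]")   # [value name] of an O4 entry
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")                 # e.g. "c40191c2" (heuristic)


@dataclass
class Finding:
    severity: str   # "high" or "review"
    reason: str
    line: str


def _paths(text):
    return [m.group("path") for m in PATH_RE.finditer(text)]


def _filename(path):
    return path.rsplit("\\", 1)[-1]


def _in_system32(path):
    return path.rsplit("\\", 1)[0].lower().endswith("\\system32")


def triage_line(line):
    """Return the findings for one HijackThis line (empty list if nothing stands out)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, rest = m.group("code"), m.group("rest")
    findings = []
    # Leftover registration whose target was already deleted: safe to fix, still worth noting.
    if "(file missing)" in rest or "(no file)" in rest:
        findings.append(Finding("review", "orphaned entry: target file no longer exists", line))
    # Executable renamed with a space before its extension (the RenV list in the CFScript).
    for path in _paths(rest):
        name = _filename(path)
        if re.search(r"\s+\.\w+$", name):
            findings.append(Finding("high", f"space inserted before extension: {name!r}", line))
    # DLL started through rundll32 at logon; hex-named value + bare system32 DLL rates high.
    if code == "O4" and "rundll32" in rest.lower():
        run = RUN_NAME_RE.search(rest)
        value_name = run.group("name") if run else ""
        dlls = [p for p in _paths(rest) if p.lower().endswith(".dll")]
        if dlls and _in_system32(dlls[0]) and HEX_NAME_RE.match(value_name):
            findings.append(Finding(
                "high", f"rundll32 autorun '{value_name}' loads {_filename(dlls[0])} from system32", line))
        else:
            findings.append(Finding("review", "DLL started via rundll32 at logon", line))
    # Winlogon Notify packages load into winlogon.exe itself; every listed one deserves a look.
    if code == "O20":
        findings.append(Finding("review", "Winlogon Notify DLL runs inside winlogon at logon", line))
    return findings


def triage(log_text):
    out = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {04D44604-F4DF-47A3-BC7A-40896769C5AA} - C:\WINDOWS\system32\urqOiihg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [c40191c2] rundll32.exe "C:\WINDOWS\system32\xxmfvbyw.dll",b
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line.strip()}")
```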

Re: Need help reading Hijackthis log

Unread postby girlgeekmary » May 24th, 2008, 7:28 pm

The information was successfully sent to Bleeping Computer. Here are the logs. Yes, it is running better.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:37 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\Crusty.exe\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7937 bytes

ComboFix 08-05-21.3 - john garcia 2008-05-24 16:05:56.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1666 [GMT -7:00]
Running from: C:\Documents and Settings\john garcia\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\john garcia\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\Drivers\Hnt51.sys
C:\WINDOWS\system32\Drivers\Mrw16.sys
C:\WINDOWS\system32\drivers\sxD51.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Google\GoogleToolbarNotifier
C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\gtn.dll
C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\Readme.url
C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\drivers\sxD51.sys
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SDHELPER
-------\Legacy_SXD51
-------\Service_Hnt51
-------\Service_Mrw16
-------\Service_SDhelper
-------\Service_sxD51


((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 10:24 . 2008-05-23 10:24 <DIR> d-------- C:\Deckard
2008-05-20 10:36 . 2008-05-20 10:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-05-18 10:43 . 2008-05-18 10:43 <DIR> d-------- C:\WINDOWS\system32\Dell
2008-05-17 19:59 . 2008-05-17 19:59 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 16:42 . 2008-05-17 16:42 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\Malwarebytes
2008-05-17 16:42 . 2008-05-17 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 16:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-17 16:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-17 16:29 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-17 16:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-17 16:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-17 16:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-17 16:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-17 16:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-17 14:09 . 2008-05-17 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 14:08 . 2008-05-22 12:23 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\SUPERAntiSpyware.com
2008-05-16 21:17 . 2008-05-17 01:19 <DIR> d-------- C:\Documents and Settings\john garcia\.housecall6.6
2008-05-16 21:12 . 2008-05-24 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-15 11:40 . 2008-05-15 11:40 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\TmpRecentIcons
2008-05-11 03:58 . 2008-05-11 03:58 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\Lexmark Productivity Studio
2008-05-10 16:22 . 2008-05-10 16:22 <DIR> d-------- C:\Documents and Settings\john garcia\Application Data\FaxCtr
2008-05-10 16:02 . 2008-05-10 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
2008-05-10 16:00 . 2007-02-22 00:13 45,056 --a------ C:\WINDOWS\system32\LXF3PMON.DLL
2008-05-10 16:00 . 2007-02-22 00:12 32,768 --a------ C:\WINDOWS\system32\LXF3FXPU.DLL
2008-05-10 15:59 . 2008-05-10 16:00 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
2008-05-10 15:59 . 2008-05-10 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2008-05-10 15:59 . 2006-05-31 12:51 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2008-05-10 15:59 . 2006-05-31 12:51 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2008-05-10 15:59 . 2006-05-31 12:51 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2008-05-10 15:59 . 2006-05-31 12:51 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL
2008-05-10 15:59 . 2006-05-31 12:51 49,152 --a------ C:\WINDOWS\system32\IM31IMG.DIL
2008-05-10 15:59 . 2006-11-07 08:02 36,864 --a------ C:\WINDOWS\system32\lxf3oem.dll
2008-05-10 15:59 . 2007-02-22 00:15 12,288 --a------ C:\WINDOWS\system32\LXF3PMRC.DLL
2008-05-10 15:56 . 2007-02-19 13:00 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-05-10 15:48 . 2008-05-10 16:01 <DIR> d-------- C:\Program Files\Lexmark 3500-4500 Series
2008-05-10 15:48 . 2007-05-17 08:00 311,296 --a------ C:\WINDOWS\system32\lxdihcp.dll
2008-05-10 15:48 . 2007-05-17 07:59 294,912 --a------ C:\WINDOWS\system32\lxdiinst.dll
2008-05-10 15:48 . 2007-01-22 02:53 60 --ah----- C:\WINDOWS\system32\lxdirwrd.ini
2008-05-10 15:46 . 2008-05-10 15:46 <DIR> d-------- C:\logs
2008-05-10 15:46 . 2007-03-30 07:13 344,064 -ra------ C:\WINDOWS\system32\lxdicoin.dll
2008-05-10 15:46 . 2007-06-11 07:01 1,900 -ra------ C:\WINDOWS\system32\lxdi.loc
2008-05-06 16:18 . 2008-05-06 16:19 <DIR> d-------- C:\Program Files\505 Game Collection

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 23:06 --------- d-----w C:\Program Files\Google
2008-05-24 23:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-24 23:05 --------- d-----w C:\Program Files\QuickTime
2008-05-24 23:05 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-05-24 23:05 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-05-24 23:05 --------- d-----w C:\Program Files\DellSupport
2008-05-24 23:05 --------- d-----w C:\Program Files\Dell Photo AIO Printer 924
2008-05-22 19:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 05:01 --------- d-----w C:\Documents and Settings\john garcia\Application Data\AVG7
2008-05-20 00:12 --------- d-----w C:\Program Files\Dl_cats
2008-05-19 03:30 --------- d-----w C:\Program Files\Trend Micro
2008-05-18 17:53 --------- d-----w C:\Documents and Settings\john garcia\Application Data\Yahoo!
2008-05-18 17:43 --------- d-----w C:\Program Files\Dell
2008-05-17 03:54 --------- d-----w C:\Program Files\Java
2008-05-10 22:58 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-06 23:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-02 01:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-25 21:53 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-02-25 21:53 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2006-09-24 16:52 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-02-23 10:53 56 --sh--r C:\WINDOWS\system32\70EF0442AF.sys
2008-02-23 10:53 4,236 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-22_13.17.01.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 20:10:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 23:09:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-07-15 07:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_aspnet_isapi.dll
+ 2004-07-15 06:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_CORPerfMonExt.dll
+ 2004-07-15 06:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_fusion.dll
+ 2004-07-15 06:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_mscorjit.dll
+ 2004-07-15 20:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_mscorlib.dll
+ 2003-02-21 01:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_mscorsn.dll
+ 2004-07-15 06:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_mscorsvr.dll
+ 2004-07-15 06:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_mscorwks.dll
+ 2003-02-21 10:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_msvcr71.dll
+ 2004-07-15 06:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1240\_PerfCounter.dll
+ 2004-07-15 07:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_aspnet_isapi.dll
+ 2004-07-15 06:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_CORPerfMonExt.dll
+ 2004-07-15 06:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_fusion.dll
+ 2004-07-15 06:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_mscorjit.dll
+ 2004-07-15 20:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_mscorlib.dll
+ 2003-02-21 01:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_mscorsn.dll
+ 2004-07-15 06:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_mscorsvr.dll
+ 2004-07-15 06:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_mscorwks.dll
+ 2003-02-21 10:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_msvcr71.dll
+ 2004-07-15 06:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1888\_PerfCounter.dll
+ 2008-02-04 20:39:49 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2008-02-04 20:39:55 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
+ 2008-02-04 20:39:39 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-25 14:53 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [ ]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2008-02-26 17:24 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-02-26 17:24 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-02-04 13:39 1404928]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-02-04 13:39 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2008-02-04 13:39 8192]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 09:54 434864]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 09:54 25264]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2008-02-04 13:40 576320]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-02-04 13:39 81920]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-02-04 11:20 249856]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2008-02-04 13:40 600896]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-04 13:39 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-04 13:39 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-04 13:39 77824]
"FaxCenterServer"="C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 09:54 311984]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2008-02-04 13:39 86016]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2008-02-04 13:39 425984]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 05:38 69632]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2008-02-04 13:40 106496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 09:29 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-27 18:07 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-19 19:44:06 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\lxdicoms.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=

R2 lxdi_device;lxdi_device;C:\WINDOWS\system32\lxdicoms.exe [2007-06-11 07:14]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 07:14]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 16:10:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdiserv.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-05-24 16:17:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 23:16:25
ComboFix2.txt 2008-05-22 20:17:51
ComboFix3.txt 2008-05-18 02:09:11

Pre-Run: 64,397,651,968 bytes free
Post-Run: 64,383,569,920 bytes free

230 --- E O F --- 2008-05-23 17:32:03
girlgeekmary
Active Member
 
Posts: 10
Joined: February 21st, 2008, 6:58 pm
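The registry section of the log above carries the three settings a log reader checks first: `AntiVirusDisableNotify`=1, `DisableMonitoring`=1 under `Monitoring\SymantecFirewall`, and `EnableFirewall`=0 for the standard profile, plus an autostart (`QuickTime Task`) whose target ComboFix marks with `[ ]`, meaning the file was not found. Third-party firewall and antivirus suites legitimately set the first three when they take over from Windows Security Center, so they are points to confirm with the helper rather than proof of infection. The script below is an added example, not part of this thread and not a ComboFix or HijackThis tool: it parses the line formats ComboFix prints for these sections and lists the findings. `SAMPLE_LOG` is a constructed excerpt in the shape of the log above, and the function names and the "whitespace before the extension" heuristic are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (not the full log) using the line formats ComboFix prints for
# Run keys, Security Center dwords and the firewall policy. The key paths are the
# real registry locations; the entries are abbreviated from the log above.
SAMPLE_LOG = (
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
    '"QuickTime Task"="C:\\Program Files\\QuickTime\\qttask .exe" [ ]\n'
    '"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe" [2008-04-17 09:29 579584]\n'
    '\n'
    '[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
    '"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe" [2008-02-27 18:07 219136]\n'
    '\n'
    '[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]\n'
    '"AntiVirusDisableNotify"=dword:00000001\n'
    '\n'
    '[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]\n'
    '"DisableMonitoring"=dword:00000001\n'
    '\n'
    '[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]\n'
    '"EnableFirewall"= 0 (0x0)\n'
)

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
# "Name"="path" [yyyy-mm-dd hh:mm size]   or   "Name"="path" [ ]  when the file is absent
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9A-Fa-f]{8})$')
NUM_RE = re.compile(r'^"(?P<name>[^"]+)"= ?(?P<val>\d+) \(0x[0-9A-Fa-f]+\)$')


def parse_combofix_registry(text: str) -> Dict[str, Dict[str, object]]:
    """Return {registry key: {value name: parsed value}}; Run entries become dicts."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group('key'), {})
            continue
        if current is None:
            continue
        m = RUN_RE.match(line)
        if m:
            meta = m.group('meta').split()  # [] when ComboFix printed "[ ]"
            current[m.group('name')] = {
                'path': m.group('path'),
                'present': bool(meta),
                'size': int(meta[2]) if len(meta) == 3 else None,
            }
            continue
        m = DWORD_RE.match(line)
        if m:
            current[m.group('name')] = int(m.group('val'), 16)
            continue
        m = NUM_RE.match(line)
        if m:
            current[m.group('name')] = int(m.group('val'))
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Flag protection that is switched off and autostarts that point nowhere."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        leaf = key.rsplit('\\', 1)[-1]
        if 'security center' in k and '\\monitoring\\' in k:
            if values.get('DisableMonitoring') == 1:
                findings.append(f'Security Center monitoring disabled for {leaf}')
        elif k.endswith('security center'):
            for name, val in values.items():
                if name.endswith('DisableNotify') and val == 1:
                    findings.append(f'Security Center alert suppressed: {name}')
        elif 'firewallpolicy' in k:
            if values.get('EnableFirewall') == 0:
                findings.append(f'Windows Firewall disabled: {leaf}')
        elif k.endswith('\\run'):
            for name, entry in values.items():
                if not isinstance(entry, dict):
                    continue
                if not entry['present']:
                    findings.append(f'Autostart "{name}" points to a missing file: {entry["path"]}')
                # Heuristic of this example: a space before the extension is worth a second look.
                if re.search(r'\s\.[A-Za-z0-9]+$', entry['path']):
                    findings.append(f'Autostart "{name}" has whitespace before the extension')
    return findings


def audit_log(text: str) -> List[str]:
    return audit(parse_combofix_registry(text))


if __name__ == '__main__':
    for line in audit_log(SAMPLE_LOG):
        print(line)
```

Run it against a saved ComboFix log by reading the file into `audit_log`; the output is a checklist for the helper, who still decides whether a third-party suite (AVG 7 is present in this log) explains the Security Center and firewall values.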
