
Trojans just won't go....



I seem to have the recurring form of these bl**dy things. I run Malwarebytes, which finds them, select Remove, reboot, and then run another scan. And they're gone, but not for long. Always back again after a few hours. This time on the reboot I got a DLL error message that Windows couldn't find C:\WINDOWS\onewanom.dll, which was what I had mbam remove.

Scared to death now that I've removed something needed.....

Help from someone who knows a LOT more than me would be much appreciated.

Here are the logs:

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:01:02 PM, on 3/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Tmaconaxehizajif] rundll32.exe "C:\WINDOWS\iwejepuritucivi.dll",e

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: omszag.dll

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 9101 bytes

mbam:

Malwarebytes' Anti-Malware 1.35

Database version: 1917

Windows 5.1.2600 Service Pack 3

3/29/2009 10:50:49 PM

mbam-log-2009-03-29 (22-50-49).txt

Scan type: Quick Scan

Objects scanned: 79559

Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmaconaxehizajif (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\onewanom.dll (Trojan.Agent) -> Delete on reboot.


Thank you for taking the time to read/reply. And sorry about the other post - I really did think I had successfully removed the two items, and didn't want to bother y'all when so many folks are in need.

I have done as you asked and unchecked wordwrap.

Since reading your response I:

1. ran mbam, full scan - result was 2 infections

2. removed/rebooted

3. ran HijackThis

4. ran mbam/quick scan to see if the Trojans had been removed - 2 more showed up

5. removed/rebooted

6. ran HijackThis

Here are the logs - I hope the format is easier to read. Thanks again for the assistance.

Malwarebytes' Anti-Malware 1.35

Database version: 1917

Windows 5.1.2600 Service Pack 3

3/30/2009 7:42:46 PM

mbam-log-2009-03-30 (19-42-24).txt

Scan type: Full Scan (C:\|F:\|)

Objects scanned: 237207

Time elapsed: 56 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmaconaxehizajif (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\igupoyowuka.dll (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:46:39 PM, on 3/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe

C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: omszag.dll

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 9029 bytes

Malwarebytes' Anti-Malware 1.35

Database version: 1917

Windows 5.1.2600 Service Pack 3

3/30/2009 7:54:12 PM

mbam-log-2009-03-30 (19-53-28).txt

Scan type: Quick Scan

Objects scanned: 80107

Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmaconaxehizajif (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\ugeyetas.dll (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:57:21 PM, on 3/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: omszag.dll

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 8972 bytes

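An added triage helper for the two log formats posted in this thread (it is not code from HijackThis, Malwarebytes, ComboFix or the forum): it parses O4/O20 lines, flags the two persistence patterns visible in the logs above (a rundll32 Run entry loading a DLL from the Windows root, and a populated AppInit_DLLs value), diffs the flagged entries across successive scans, and lists Malwarebytes detections whose recorded action is still "No action taken". The sample logs are constructed excerpts that reuse the entry names from the posted logs, and the flagging rules are this example's own heuristics, not a verdict on any particular file.

```python
"""Triage helper for the HijackThis v2 and Malwarebytes 1.x logs posted above.
Added example for this thread; not code from HijackThis, Malwarebytes,
ComboFix or the forum. The sample logs are constructed excerpts modelled
on the posted ones, so the entry names come from this page."""
import re
from typing import Dict, List

# HijackThis sections used here: O4 = Run autostarts, O20 = AppInit_DLLs.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
# rundll32 "<dll>",<export>: capture the DLL path with or without quotes.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
# Malwarebytes result line: <item> (<family>) -> <action>.
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")


def parse_hjt(text: str) -> Dict[str, str]:
    """Map a stable key to the raw line for every O4 and O20 entry."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries[f"O4 {m['hive']}\\..\\{m['key']} [{m['name']}]"] = line
            continue
        m = O20_RE.match(line)
        if m:
            entries[f"O20 AppInit_DLLs={m['dlls'].strip()}"] = line
    return entries


def flag_entries(entries: Dict[str, str]) -> Dict[str, str]:
    """Behavioural rules (key -> reason). Matching on behaviour rather than
    on the DLL name matters here because the name changed on every scan."""
    findings: Dict[str, str] = {}
    for key, line in entries.items():
        if key.startswith("O20 "):
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so it outlives a clean-up that only deletes the Run value.
            findings[key] = "AppInit_DLLs persistence"
            continue
        m = RUNDLL_RE.search(line)
        if not m:
            continue
        dll = m["dll"].strip()
        if "\\" not in dll:
            findings[key] = "rundll32 with unqualified DLL (search-path dependent)"
        elif dll.rsplit("\\", 1)[0].lower().endswith(":\\windows"):
            # The pattern in this thread: a DLL dropped straight into the
            # Windows root rather than system32 or Program Files.
            findings[key] = "rundll32 loads DLL from Windows root"
    return findings


def diff_flagged(logs: List[str]) -> Dict[str, List[str]]:
    """Across successive HijackThis logs: flagged keys that survived every
    scan versus those that vanished between one scan and the next."""
    flagged = [set(flag_entries(parse_hjt(t))) for t in logs]
    survived = set.intersection(*flagged) if flagged else set()
    gone = {k for a, b in zip(flagged, flagged[1:]) for k in a - b}
    return {"persistent": sorted(survived), "removed": sorted(gone)}


def mbam_pending(text: str) -> List[str]:
    """Detections recorded as 'No action taken': the log was saved before
    removal ran, so those items were still present at that moment."""
    pending = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m and m["action"] == "No action taken":
            pending.append(m["item"])
    return pending


# Constructed excerpts (entry names taken from the logs in this thread).
HJT_SCAN_1 = r"""
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Tmaconaxehizajif] rundll32.exe "C:\WINDOWS\iwejepuritucivi.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: omszag.dll
"""
HJT_SCAN_2 = r"""
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: omszag.dll
"""
MBAM_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmaconaxehizajif (Trojan.Agent) -> No action taken.
Files Infected:
C:\WINDOWS\igupoyowuka.dll (Trojan.Agent) -> No action taken.
"""

if __name__ == "__main__":
    for key, why in flag_entries(parse_hjt(HJT_SCAN_1)).items():
        print(f"[scan 1] {why}: {key}")
    print(diff_flagged([HJT_SCAN_1, HJT_SCAN_2]))
    print("not yet removed:", mbam_pending(MBAM_LOG))
```

Run against the three full logs above, the diff shows the Run value gone after the first removal while the AppInit_DLLs entry is present in every scan, which is the kind of survivor a helper asks to see before recommending a stronger tool.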

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Thank you for your help - it is much appreciated.

I downloaded ComboFix to my desktop, and disabled PCTools Spyware Dr (required a reboot).

When I clicked on Combofix exe, the first window opened as expected and then I received the following message:

C:\Windows\System32\msmqytsoigt.dll has tried to attach to ComboFix. Please make note of the file for future reference.

I did just that and continued.

ComboFix went as far as the message "Preparing to Run" when I received the following error:

CF23542.exe

Unable to locate component. Application failed to start because msmqytsoigt.dll was not found. Reinstalling the application may fix this.

When I clicked OK, the same message appeared as the following errors:

NirCmd.cfexe

SWREG.cfexe

Attrib.cfexe

CF23542.exe

hidec.exe

Ping.exe

pv.cfexe

sort.exe

CombFix-Download.cfexe

FindSTR.cfexe

Clicking OK only resulted in the same messages appearing again, and the error message would not close. I tried patience (a last resort) but nothing seemed to be moving ahead. I was able to close the ComboFix window, but the error messages remained until I restarted.

So I don't have a ComboFix log yet, nor has Recovery Console installed. Very sorry. I *am* trying!


  • Staff

Hi,

Can you log in in Safe Mode under your own account instead of the Administrator account?

ComboFix.exe should also be located in the following directory: C:\Documents and Settings\Patrice\Desktop

If you're still getting the same error, then rescan with HijackThis and post a new HijackThis log in your next reply.


Thank you for staying with this....and me.

You're correct, of course - I was logging in incorrectly.

I was able to start ComboFix in Safe Mode but encountered much the same error. This time the message said file msmqytsoigt.dll would be disabled, but the errors that followed were the same as before. It took another restart to close the message box and close ComboFix.

Here is the new HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:04:36 PM, on 3/31/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Tmaconaxehizajif] rundll32.exe "C:\WINDOWS\emihazozahuyuruw.dll",e

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: omszag.dll

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 9100 bytes

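Editor's note (added example, not part of the thread and not HijackThis code): the entries the staff member goes on to target can be picked out of a HijackThis log mechanically. The script below applies the rules a practitioner would want to run first: a Run entry that uses rundll32.exe to load a DLL sitting directly in the Windows root rather than in system32, any non-empty AppInit_DLLs value (that DLL is loaded into every process that links user32.dll), and a service whose binary is missing. It also checks whether a well-known system binary name appears outside its home directory, which is the check that catches the `%windir%\system32\drivers\svchost.exe` firewall exception in the ComboFix log posted later in the thread. The sample lines are copied from the log above; the rule names, the WINDIR value and the home-directory table are the editor's own assumptions.

```python
# Added example: rule-based triage of HijackThis log lines. Not HijackThis
# code and not from the thread; sample lines are copied from the log above.
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O20/O23 entries posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tmaconaxehizajif] rundll32.exe "C:\WINDOWS\emihazozahuyuruw.dll",e
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O20 - AppInit_DLLs: omszag.dll
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
"""

WINDIR = r"c:\windows"  # assumption: default XP install directory

# Home directory of well-known XP system binaries (editor's table; extend it).
SYSTEM_BINARY_HOME = {
    "svchost.exe": WINDIR + r"\system32",
    "lsass.exe": WINDIR + r"\system32",
    "rundll32.exe": WINDIR + r"\system32",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


def normalize_path(path):
    """Lower-case, strip quotes, collapse the doubled backslashes that
    ComboFix's registry dump uses, and expand %windir%."""
    path = path.strip().strip('"').replace("\\\\", "\\").lower()
    return path.replace("%windir%", WINDIR)


def split_path(path):
    head, _, name = normalize_path(path).rpartition("\\")
    return head, name


def first_token(cmd):
    """The executable part of a Run command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def check_binary_location(path):
    """Reason string if a well-known system binary name sits outside its home
    directory; bare names with no directory are resolved via PATH and skipped."""
    head, name = split_path(path)
    home = SYSTEM_BINARY_HOME.get(name)
    if home and head and head != home:
        return f"{name} outside {home}: {head}"
    return None


def triage(log_text):
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := O4_RE.match(line):
            cmd = m.group("cmd")
            if r := RUNDLL_RE.search(cmd):
                head, name = split_path(r.group("dll"))
                if head == WINDIR:  # DLLs belong in system32, not the Windows root
                    findings.append(Finding("rundll32-windir-root",
                        f"[{m.group('name')}] loads {name} from the Windows root via rundll32", line))
            if reason := check_binary_location(first_token(cmd)):
                findings.append(Finding("masquerade", reason, line))
        elif m := O20_RE.match(line):
            if m.group("dlls"):
                findings.append(Finding("appinit-dlls",
                    f"AppInit_DLLs={m.group('dlls')!r} is injected into every user32-linked process", line))
        elif m := O23_RE.match(line):
            raw_path = m.group("path")
            if "(file missing)" in raw_path:
                findings.append(Finding("service-file-missing",
                    f"service {m.group('svc')!r} points at a binary that is not on disk", line))
            if reason := check_binary_location(raw_path.replace("(file missing)", "")):
                findings.append(Finding("masquerade", reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```

These are triage heuristics, not verdicts: a service whose binary is missing is usually a sloppy uninstall (here the old PC Tools AntiVirus engine), and the table of home directories has to allow for legitimate copies such as dllcache. What the rules do is rank where a human looks first; the random-looking names flagged here (emihazozahuyuruw.dll, omszag.dll) are what the staff member then confirms and removes.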

  • Staff

Hi,

> I was able to start ComboFix in Safe Mode but encountered much the same error. This time the message said file msmqytsoigt.dll would be disabled, but the errors that followed were the same as before. It took another restart to close the message box and close ComboFix.
The errors remind me of a patched system file. And I have the feeling that your imm32.dll got patched.

Let's have a look when it was modified... and where other copies are present. To find out, do next please...

go to Start > Run and type:

cmd.exe

and click OK. Copy and paste the string below after the prompt, then press Enter:

dir /s /a "c:\imm32*.*" > c:\find.txt && notepad c:\find.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread please.


done:

Volume in drive C has no label.

Volume Serial Number is 04E1-3A75

Directory of c:\WINDOWS\$NtServicePackUninstall$

02/28/2006 08:00 AM 110,080 imm32.dll

1 File(s) 110,080 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 110,080 imm32.dll

1 File(s) 110,080 bytes

Directory of c:\WINDOWS\system32

03/27/2009 04:27 PM 110,592 imm32.dll

1 File(s) 110,592 bytes

Total Files Listed:

3 File(s) 330,752 bytes

0 Dir(s) 130,892,386,304 bytes free

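Editor's note (added example, not from the thread): the `dir /s /a` output above can be read programmatically, which matters when the same check has to be repeated for other system DLLs. The script parses the listing into (directory, size, timestamp) records, treats the copy under ServicePackFiles\i386 as the reference (it is what SP3 installed; the $NtServicePackUninstall$ copy is the pre-SP3 original kept for rollback), and reports any other copy whose size differs. The listing is the one posted above, reused as constructed input; the reference-directory default is an assumption about a standard C:\WINDOWS install.

```python
# Added example: parse `dir /s /a` output and find the copy of a system DLL
# that disagrees with the service-pack reference. Not from the thread.
import re
from datetime import datetime

# Constructed input: the listing the user posted above, verbatim.
DIR_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 04E1-3A75

 Directory of c:\WINDOWS\$NtServicePackUninstall$

02/28/2006  08:00 AM           110,080 imm32.dll
               1 File(s)        110,080 bytes

 Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008  08:11 PM           110,080 imm32.dll
               1 File(s)        110,080 bytes

 Directory of c:\WINDOWS\system32

03/27/2009  04:27 PM           110,592 imm32.dll
               1 File(s)        110,592 bytes

     Total Files Listed:
               3 File(s)        330,752 bytes
               0 Dir(s)  130,892,386,304 bytes free
"""

# Assumption: standard install, so the SP3 reference copy lives here.
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"

DIR_RE = re.compile(r"^\s*Directory of (?P<dir>\S.*?)\s*$")
FILE_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)"
    r"\s+(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Return one dict per file: dir, name, path, size (bytes), mtime."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("dir")
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            when = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%m/%d/%Y %I:%M %p")
            entries.append({
                "dir": current,
                "name": m.group("name"),
                "path": current + "\\" + m.group("name"),
                "size": int(m.group("size").replace(",", "")),
                "mtime": when,
            })
    return entries


def find_suspect_copies(entries, reference_dir=REFERENCE_DIR):
    """Return (path, size_delta, mtime) for every copy whose size differs
    from the reference copy. Same size does not prove same content: the
    $NtServicePackUninstall$ copy here is an older build of identical size,
    and an in-place patch can leave the size untouched, so confirm with a
    byte comparison (fc /b) on the live system."""
    refs = [e for e in entries if e["dir"].lower() == reference_dir]
    if not refs:
        raise ValueError(f"no reference copy found under {reference_dir}")
    ref_size = refs[0]["size"]
    return [
        (e["path"], e["size"] - ref_size, e["mtime"])
        for e in entries
        if e["dir"].lower() != reference_dir and e["size"] != ref_size
    ]


if __name__ == "__main__":
    for path, delta, mtime in find_suspect_copies(parse_dir_listing(DIR_LISTING)):
        print(f"{path}: {delta:+d} bytes vs reference, modified {mtime:%Y-%m-%d %H:%M}")
```

On this listing the only outlier is c:\WINDOWS\system32\imm32.dll: 512 bytes larger than the reference and modified on 2009-03-27, four days before the HijackThis log above was saved. Size and date are a lead, not proof; on the live machine `fc /b c:\windows\system32\imm32.dll c:\windows\ServicePackFiles\i386\imm32.dll` shows the actual byte differences.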

I followed this route

C > Windows > (scary note about not modifying these files) > imm32.dll

then copied that file to a folder in my external drive (where I put anything I want to be able to find)

I then followed your link, browsed to the file, but the upload failed - it said "you are not allowed to upload this type of file "

Sorry - know it must be me...I appreciate you sticking with this....but how do I package the file for upload?


  • Staff

Hi,

No need to copy that file though...

Just browse to the C:\Windows\system32 folder,

right-click the imm32.dll file and zip it.

This will create a zip folder called imm32.

Upload that zip folder in that thread. I forgot to tell you to zip the file first. Then you'll be able to upload it.


  • Staff

Hi,

There's indeed code added to the imm32.dll file which points to the msmqytsoigt.dll file. That explains why you got that error.

The imm32.dll file was in your case patched by malware.

To restore it,

Open Notepad and copy and paste the text in the quote box below into it:

@ECHO OFF
REM Switch to the live system32 copy regardless of the current drive
cd /d c:\windows\system32
REM Clear the read-only and system attributes so the rename is allowed
attrib -r -s imm32.dll
REM Keep the patched file under a new name for later analysis instead of deleting it
ren imm32.dll imm32.vir
REM Restore the service-pack copy of the file
copy c:\WINDOWS\ServicePackFiles\i386\imm32.dll c:\windows\system32

Save this as replace.bat, choosing "All Files" as the file type, and place it on your desktop.

It should look like this: [screenshot: bat.gif]

Double-click on it. This will rename the bad imm32.dll to imm32.vir and replace it with a good imm32.dll from another folder.

Then try to run ComboFix again. That error should be gone then and you should be able to run ComboFix. No need to run it from Safe Mode; just make sure your antivirus is disabled during its run.

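Editor's note (added example, not from the thread and not what the staff member ran): the staff diagnosis is that code was added to imm32.dll pointing at msmqytsoigt.dll, and the listing earlier in the thread shows the live copy is exactly 512 bytes larger than the service-pack copy. The script below makes that kind of comparison explicit: given the bytes of a reference copy and a suspect copy it reports the size delta, whether the growth is a whole number of 0x200-byte units (the usual PE file alignment, consistent with an appended section, although the real alignment value lives in the optional header), the offset of the first differing byte, and the printable strings that exist only in the suspect. The two byte strings are constructed stand-ins with the same shape as the real case, not the real imm32.dll; the PE_FILE_ALIGNMENT constant and the fake header layout are assumptions.

```python
# Added example: compare a suspect system DLL against a known-good copy.
# Not from the thread; the sample bytes are constructed, not real imm32.dll.
import re

PE_FILE_ALIGNMENT = 0x200  # assumption: the common default; the real value is
                           # IMAGE_OPTIONAL_HEADER.FileAlignment in the header


def printable_strings(data, min_len=5):
    """Set of ASCII strings of at least min_len characters (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def compare_dll(reference, suspect):
    """Summarise how `suspect` differs from `reference`.

    An appended section leaves the original bytes mostly in place but edits
    the PE headers (section count, import directory), so expect a small
    early difference plus a tail whose length is a multiple of the file
    alignment, and new strings naming the injected DLL and its imports."""
    delta = len(suspect) - len(reference)
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(reference, suspect)) if a != b), None
    )
    new_strings = sorted(printable_strings(suspect) - printable_strings(reference))
    return {
        "size_delta": delta,
        "aligned_growth": delta > 0 and delta % PE_FILE_ALIGNMENT == 0,
        "first_diff_offset": first_diff,
        "new_strings": new_strings,
        "new_dll_names": [s for s in new_strings if s.lower().endswith(".dll")],
    }


def build_samples():
    """Constructed stand-ins with the shape of the real case: a fake PE-like
    blob, and a copy with its section count bumped and one 512-byte section
    appended that names msmqytsoigt.dll plus the loader imports a stub needs."""
    header = bytearray(b"MZ" + bytes(62) + b"PE\0\0" + (3).to_bytes(2, "little"))
    body = bytes(100) + b"USER32.dll\0ImmGetContext\0" + bytes(300)
    reference = bytes(header) + body

    patched_header = bytearray(header)
    patched_header[68:70] = (4).to_bytes(2, "little")  # NumberOfSections 3 -> 4
    section = b"msmqytsoigt.dll\0LoadLibraryA\0GetProcAddress\0"
    section += bytes(PE_FILE_ALIGNMENT - len(section))
    suspect = bytes(patched_header) + body + section
    return reference, suspect


if __name__ == "__main__":
    ref, sus = build_samples()
    # Real files: compare_dll(open(ref_path, "rb").read(), open(sus_path, "rb").read())
    for key, value in compare_dll(ref, sus).items():
        print(f"{key}: {value}")
```

The field to read first is new_dll_names: a DLL name nobody can account for, appearing only in the suspect together with LoadLibraryA and GetProcAddress, is the signature of an injected loader stub. It also explains the symptom in the thread: once msmqytsoigt.dll could not be found, every process that loaded the patched imm32.dll failed at startup, which is why each ComboFix helper died with the same "was not found" error. The replace.bat above keeps the patched copy as imm32.vir, so this comparison can still be run after the repair.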

Should I tell you now that in looking for the file you requested I just saw some stuff on my C drive that I've never seen before? Being a big baby, of course it scares the beejeezuz out of me. I don't know that it has anything to do with my particular infection or with the programs we've downloaded to fix it. And I know you're not psychic - just thought I should mention it. I opened one file (iSofterOutput0) and the browser crashed. Also see something called FileIn.CnS and FileOut.Cns, and a directory QooBox. :)


  • Staff

Hi,

Don't worry about the files. The Qoobox folder is related to ComboFix. The ComboFix log should also show which files need to be deleted, but first follow my instructions so you can run ComboFix.

Don't be too paranoid though, because many legitimate files may look suspicious. I'll tell you afterwards what to delete :)


Thanks for the reassurance on the odd files.

Thanks for staying up till the wee hours to help!

ComboFix ran this time *phew* but somewhere in the middle of all of the reboots, my default browser was changed...lost all my bookmarks and things, and found myself on IE with about a bazillion Yahoo add ons . Just took me a while to find my way back - nearly a dead panic when IE (which I don't usually use) wouldn't connect to the internet. Anyway - here's the log - and I'll be back tomorrow after work.

Thanks again.

ComboFix 09-03-31.01 - Patrice 2009-03-31 21:35:47.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1536 [GMT -4:00]

Running from: c:\documents and settings\Patrice\Desktop\ComboFix.exe

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\vimiuscw.ini

.

((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))

.

2009-03-31 19:28 . 2009-03-31 19:28 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache

2009-03-31 19:28 . 2009-03-31 19:28 <DIR> d-------- c:\documents and settings\Administrator

2009-03-28 23:02 . 2009-03-28 23:02 <DIR> d-------- c:\program files\Trend Micro

2009-03-26 18:23 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

2009-03-26 10:58 . 2009-03-26 10:58 <DIR> d--hs---- c:\documents and settings\Patrice\IECompatCache

2009-03-26 05:13 . 2009-03-26 05:34 <DIR> d-------- c:\windows\SxsCaPendDel

2009-03-26 05:13 . 2009-03-26 05:14 <DIR> d-------- C:\59d9fd794a448ee29c1d

2009-03-26 04:43 . 2009-03-26 04:43 <DIR> d--hs---- c:\documents and settings\Patrice\PrivacIE

2009-03-26 04:42 . 2009-03-26 04:42 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache

2009-03-26 04:41 . 2009-03-26 04:41 <DIR> d--hs---- c:\documents and settings\Patrice\IETldCache

2009-03-26 04:39 . 2009-03-26 04:39 <DIR> d-------- c:\windows\ie8updates

2009-03-26 04:35 . 2009-03-26 04:39 <DIR> d--h----- c:\windows\msdownld.tmp

2009-03-26 04:35 . 2009-03-26 04:38 <DIR> d--h-c--- c:\windows\ie8

2009-03-26 04:34 . 2009-02-28 00:55 105,984 -----c--- c:\windows\system32\dllcache\iecompat.dll

2009-03-22 20:15 . 2008-06-06 12:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys

2009-03-22 20:15 . 2008-06-06 12:15 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys

2009-03-22 20:15 . 2008-06-06 12:15 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys

2009-03-22 20:15 . 2008-06-06 12:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys

2009-03-22 20:12 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys

2009-03-22 20:12 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys

2009-03-22 20:12 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys

2009-03-22 20:12 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys

2009-03-14 20:19 . 2004-03-29 16:23 90,112 --a------ c:\windows\unvise32.exe

2009-03-14 20:18 . 2009-03-14 20:18 <DIR> d-------- c:\program files\The Rosetta Stone

2009-03-12 06:16 . 2009-03-12 06:16 <DIR> d-------- c:\program files\TurboTax

2009-03-10 07:52 . 2009-03-10 07:59 <DIR> d-------- c:\documents and settings\Patrice\Application Data\ImgBurn

2009-03-10 07:50 . 2009-03-10 07:51 <DIR> d-------- c:\program files\ImgBurn

2009-03-08 14:22 . 2009-03-08 14:22 49,152 --a------ c:\windows\system32\msrating.dll.mui

2009-03-08 14:22 . 2009-03-08 14:22 2,560 --a------ c:\windows\system32\mshta.exe.mui

2009-03-08 14:21 . 2009-03-08 14:21 4,096 --a------ c:\windows\system32\ie4uinit.exe.mui

2009-03-08 14:20 . 2009-03-08 14:20 81,920 --a------ c:\windows\system32\iedkcs32.dll.mui

2009-03-08 04:33 . 2009-03-08 04:33 18,944 -----c--- c:\windows\system32\dllcache\corpol.dll

2009-03-01 12:23 . 2009-03-01 12:23 <DIR> d-------- c:\documents and settings\Patrice\Application Data\Kodak

2009-03-01 12:21 . 2009-03-01 12:21 <DIR> d-------- c:\program files\Kodak

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-01 01:39 --------- d-----w c:\documents and settings\Patrice\Application Data\uTorrent

2009-04-01 01:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-04-01 01:31 --------- d-----w c:\program files\Spyware Doctor

2009-03-31 23:54 --------- d-----w c:\program files\uTorrent

2009-03-31 18:37 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-03-29 02:21 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-27 11:27 --------- d-----w c:\program files\MediaCoder

2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-26 08:44 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-03-26 08:38 --------- d-----w c:\program files\Yahoo!

2009-03-26 08:38 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!

2009-03-26 04:48 --------- d-----w c:\documents and settings\Patrice\Application Data\Smilebox

2009-03-23 00:12 --------- d-----w c:\program files\Common Files\PC Tools

2009-03-21 05:00 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop

2009-03-18 04:22 --------- d-----w c:\program files\eMule

2009-03-18 04:13 --------- d-----w c:\program files\Defraggler

2009-03-11 21:30 34 ----a-w c:\documents and settings\Patrice\jagex_runescape_preferences.dat

2009-03-11 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-02-24 10:00 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools

2009-02-24 07:01 12,608 ----a-w c:\windows\system32\drivers\TfKbMon.sys.old

2009-02-08 04:19 --------- d-----w c:\documents and settings\Patrice\Application Data\dvdcss

2009-02-07 17:50 --------- d-----w c:\documents and settings\Patrice\Application Data\foobar2000

2009-02-07 13:45 --------- d-----w c:\documents and settings\Patrice\Application Data\vlc

2009-02-03 00:27 --------- d-----w c:\program files\Avery

2009-01-30 10:40 49,152 ----a-w c:\documents and settings\Patrice\Application Data\upd.exe

2008-07-21 01:01 9,814,742 ----a-w c:\documents and settings\Patrice\RTS8.zip

2008-04-13 16:43 9,730,075 ----a-w c:\program files\vlc-0.8.6f-win32.exe

2008-03-22 04:37 427,556 ----a-w c:\program files\ljArchive-0.9.7.exe

2008-03-22 04:37 318,016 ----a-w c:\program files\ljArchive-0.9.7-doc.chm

2008-03-22 04:36 65,536 ----a-w c:\program files\EF.ljArchive.Common-0.9.7.dll

2008-03-11 00:59 2,733,520 ----a-w c:\program files\ccsetup205.exe

2008-03-09 22:37 4,013,384 ----a-w c:\program files\audioextractor.exe

2008-02-23 16:41 6,029,648 ----a-w c:\program files\Firefox Setup 2.0.0.12.exe

2007-09-20 22:34 936,960 ----a-w c:\program files\WinRAR.exe

2008-08-22 02:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 1122816]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-11-05 4347120]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-19 270128]

"Google Update"="c:\documents and settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-23 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"Tmaconaxehizajif"="c:\windows\emihazozahuyuruw.dll" [2008-04-13 156160]

"VTTimer"="VTTimer.exe" [2006-09-14 c:\windows\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2007-04-25 c:\windows\system32\VTTrayp.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=omszag.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli mshmsxp.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Documents and Settings\\Patrice\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Patrice\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25930:TCP"= 25930:TCP:eMule Plus

"25941:UDP"= 25941:UDP:eMule Plus

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-22 130424]

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-22 51520]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-22 38208]

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-02-21 17920]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-03-22 159600]

R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]

R3 DsAudioDevice_286;DsAudioDevice_286;c:\windows\system32\drivers\DsAudioDevice_286.sys [2008-12-24 16640]

S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-03-22 64392]

S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-13 348752]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-22 33088]

S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 06:29]

2009-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1604221776-682003330-1004.job

- c:\documents and settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-23 20:34]

2009-01-07 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 15:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://verizon.my.yahoo.com

uInternet Settings,ProxyOverride = *.local

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-31 21:39:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(704)

c:\windows\mshmsxp.dll

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\program files\Microsoft IntelliType Pro\dpupdchk.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe

c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2009-03-31 21:42:30 - machine was rebooted [Patrice]

ComboFix-quarantined-files.txt 2009-04-01 01:42:27

Pre-Run: 130,787,344,384 bytes free

Post-Run: 130,867,585,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

207 --- E O F --- 2009-03-26 22:44:04


  • Staff

Hi,

> ...my default browser was changed...lost all my bookmarks and things, and found myself on IE with about a bazillion Yahoo add ons

Well, as a matter of fact, these Yahoo add-ons were already present before, but I guess the main cause was the patched imm32.dll file, because it probably prevented the IE8 install from completing.

Anyway

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

File::

c:\windows\emihazozahuyuruw.dll

Collect::[8]

c:\windows\mshmsxp.dll

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Tmaconaxehizajif"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\drivers\\svchost.exe"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as shown in the screenshot: [screenshot: CFScript.gif]

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

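Editor's note (added example, not part of ComboFix or the thread): the Registry:: block above replaces the LSA "Notification Packages" value with a REG_MULTI_SZ containing only scecli. Notification packages are DLLs that lsass.exe loads at boot and calls on every password change, so a rogue entry gets persistence inside lsass plus a look at new passwords in the clear; that is why the earlier ComboFix log lists c:\windows\mshmsxp.dll under lsass.exe and why the script also collects that file. The helpers below encode and decode the hex(7) notation so the value in the script can be checked rather than trusted, and build the same fix line from the list ComboFix printed. Encoding follows the REGEDIT4 convention the log uses (one byte per character); Unicode .reg files (Windows Registry Editor Version 5.00) store hex(7) as UTF-16LE and would need encoding="utf-16-le". The known-good set is an assumption: scecli is the XP default, and any extra package on your own system has to be verified before it is kept.

```python
# Added example: REG_MULTI_SZ <-> hex(7) helpers for the LSA Notification
# Packages fix in the CFScript above. Not ComboFix code and not from the thread.

KNOWN_GOOD_NOTIFICATION_PACKAGES = {"scecli"}  # assumption: XP default only


def multi_sz_to_hex7(values, encoding="cp1252"):
    """Encode a list of strings as a .reg hex(7) value.
    REGEDIT4 files use one byte per character; each string is NUL-terminated
    and the whole list ends with one extra NUL (the empty string)."""
    data = b"".join(v.encode(encoding) + b"\0" for v in values) + b"\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def hex7_to_multi_sz(text, encoding="cp1252"):
    """Decode a hex(7) value back into its list of strings."""
    prefix = "hex(7):"
    if not text.startswith(prefix):
        raise ValueError("not a hex(7) value")
    data = bytes(int(h, 16) for h in text[len(prefix):].split(","))
    # The list terminator shows up as empty pieces after splitting; drop them.
    return [p.decode(encoding) for p in data.split(b"\0") if p]


def parse_combofix_multi_sz(line):
    """Parse a 'Reg Loading Points' line such as
    'Notification Packages REG_MULTI_SZ scecli mshmsxp.dll' into (name, values)."""
    name, _, rest = line.partition(" REG_MULTI_SZ ")
    if not rest:
        raise ValueError("no REG_MULTI_SZ marker in line")
    return name.strip(), rest.split()


def clean_notification_packages(packages):
    """Split the current list into (kept, removed) using the allow-list."""
    kept = [p for p in packages if p.lower() in KNOWN_GOOD_NOTIFICATION_PACKAGES]
    removed = [p for p in packages if p.lower() not in KNOWN_GOOD_NOTIFICATION_PACKAGES]
    return kept, removed


def registry_fix_line(packages):
    """Build the Registry:: line that sets the cleaned value, as in the CFScript."""
    kept, removed = clean_notification_packages(packages)
    return '"Notification Packages"=' + multi_sz_to_hex7(kept), removed


if __name__ == "__main__":
    name, packages = parse_combofix_multi_sz(
        "Notification Packages REG_MULTI_SZ scecli mshmsxp.dll"
    )
    line, removed = registry_fix_line(packages)
    print(line)              # "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    print("removed:", removed)
```

The round trip confirms that 73,63,65,63,6c,69,00,00 is exactly "scecli" followed by the list terminator, so the script strips mshmsxp.dll and nothing else. Because lsass.exe holds the package loaded until reboot, the registry edit and the file collection only take full effect after the restart ComboFix asks for.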

Thanks for coming back to help

(just as a side note, I'd gotten my browser back last night - elves, I think - but it went again with this restart...no biggie - just mentioning it)

Today's log:

ComboFix 09-04-01.01 - Patrice 2009-04-01 17:17:45.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1426 [GMT -4:00]

Running from: c:\documents and settings\Patrice\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Patrice\Desktop\CFScript.txt

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\emihazozahuyuruw.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\emihazozahuyuruw.dll

c:\windows\mshmsxp.dll

.

((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))

.

2009-03-31 19:28 . 2009-03-31 19:28 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache

2009-03-31 19:28 . 2009-03-31 19:28 <DIR> d-------- c:\documents and settings\Administrator

2009-03-28 23:02 . 2009-03-28 23:02 <DIR> d-------- c:\program files\Trend Micro

2009-03-26 18:23 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

2009-03-26 10:58 . 2009-03-26 10:58 <DIR> d--hs---- c:\documents and settings\Patrice\IECompatCache

2009-03-26 05:13 . 2009-03-26 05:34 <DIR> d-------- c:\windows\SxsCaPendDel

2009-03-26 05:13 . 2009-03-26 05:14 <DIR> d-------- C:\59d9fd794a448ee29c1d

2009-03-26 04:43 . 2009-03-26 04:43 <DIR> d--hs---- c:\documents and settings\Patrice\PrivacIE

2009-03-26 04:42 . 2009-03-26 04:42 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache

2009-03-26 04:41 . 2009-03-26 04:41 <DIR> d--hs---- c:\documents and settings\Patrice\IETldCache

2009-03-26 04:39 . 2009-03-26 04:39 <DIR> d-------- c:\windows\ie8updates

2009-03-26 04:35 . 2009-03-26 04:39 <DIR> d--h----- c:\windows\msdownld.tmp

2009-03-26 04:35 . 2009-03-26 04:38 <DIR> d--h-c--- c:\windows\ie8

2009-03-26 04:34 . 2009-02-28 00:55 105,984 -----c--- c:\windows\system32\dllcache\iecompat.dll

2009-03-22 20:15 . 2008-06-06 12:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys

2009-03-22 20:15 . 2008-06-06 12:15 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys

2009-03-22 20:15 . 2008-06-06 12:15 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys

2009-03-22 20:15 . 2008-06-06 12:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys

2009-03-22 20:12 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys

2009-03-22 20:12 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys

2009-03-22 20:12 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys

2009-03-22 20:12 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys

2009-03-14 20:19 . 2004-03-29 16:23 90,112 --a------ c:\windows\unvise32.exe

2009-03-14 20:18 . 2009-03-14 20:18 <DIR> d-------- c:\program files\The Rosetta Stone

2009-03-12 06:16 . 2009-03-12 06:16 <DIR> d-------- c:\program files\TurboTax

2009-03-10 07:52 . 2009-03-10 07:59 <DIR> d-------- c:\documents and settings\Patrice\Application Data\ImgBurn

2009-03-10 07:50 . 2009-03-10 07:51 <DIR> d-------- c:\program files\ImgBurn

2009-03-08 14:22 . 2009-03-08 14:22 49,152 --a------ c:\windows\system32\msrating.dll.mui

2009-03-08 14:22 . 2009-03-08 14:22 2,560 --a------ c:\windows\system32\mshta.exe.mui

2009-03-08 14:21 . 2009-03-08 14:21 4,096 --a------ c:\windows\system32\ie4uinit.exe.mui

2009-03-08 14:20 . 2009-03-08 14:20 81,920 --a------ c:\windows\system32\iedkcs32.dll.mui

2009-03-08 04:33 . 2009-03-08 04:33 18,944 -----c--- c:\windows\system32\dllcache\corpol.dll

2009-03-01 12:23 . 2009-03-01 12:23 <DIR> d-------- c:\documents and settings\Patrice\Application Data\Kodak

2009-03-01 12:21 . 2009-03-01 12:21 <DIR> d-------- c:\program files\Kodak

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-01 21:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-04-01 21:15 --------- d-----w c:\program files\Spyware Doctor

2009-04-01 21:14 --------- d-----w c:\documents and settings\Patrice\Application Data\uTorrent

2009-04-01 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-03-31 23:54 --------- d-----w c:\program files\uTorrent

2009-03-29 02:21 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-27 11:27 --------- d-----w c:\program files\MediaCoder

2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-26 08:44 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-03-26 08:38 --------- d-----w c:\program files\Yahoo!

2009-03-26 08:38 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!

2009-03-26 04:48 --------- d-----w c:\documents and settings\Patrice\Application Data\Smilebox

2009-03-23 00:12 --------- d-----w c:\program files\Common Files\PC Tools

2009-03-21 05:00 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop

2009-03-18 04:22 --------- d-----w c:\program files\eMule

2009-03-18 04:13 --------- d-----w c:\program files\Defraggler

2009-03-11 21:30 34 ----a-w c:\documents and settings\Patrice\jagex_runescape_preferences.dat

2009-03-11 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-02-24 10:00 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools

2009-02-24 07:01 12,608 ----a-w c:\windows\system32\drivers\TfKbMon.sys.old

2009-02-08 04:19 --------- d-----w c:\documents and settings\Patrice\Application Data\dvdcss

2009-02-07 17:50 --------- d-----w c:\documents and settings\Patrice\Application Data\foobar2000

2009-02-07 13:45 --------- d-----w c:\documents and settings\Patrice\Application Data\vlc

2009-02-03 00:27 --------- d-----w c:\program files\Avery

2009-01-30 10:40 49,152 ----a-w c:\documents and settings\Patrice\Application Data\upd.exe

2008-07-21 01:01 9,814,742 ----a-w c:\documents and settings\Patrice\RTS8.zip

2008-04-13 16:43 9,730,075 ----a-w c:\program files\vlc-0.8.6f-win32.exe

2008-03-22 04:37 427,556 ----a-w c:\program files\ljArchive-0.9.7.exe

2008-03-22 04:37 318,016 ----a-w c:\program files\ljArchive-0.9.7-doc.chm

2008-03-22 04:36 65,536 ----a-w c:\program files\EF.ljArchive.Common-0.9.7.dll

2008-03-11 00:59 2,733,520 ----a-w c:\program files\ccsetup205.exe

2008-03-09 22:37 4,013,384 ----a-w c:\program files\audioextractor.exe

2008-02-23 16:41 6,029,648 ----a-w c:\program files\Firefox Setup 2.0.0.12.exe

2007-09-20 22:34 936,960 ----a-w c:\program files\WinRAR.exe

2008-08-22 02:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 1122816]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-11-05 4347120]

"Google Update"="c:\documents and settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-23 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"VTTimer"="VTTimer.exe" [2006-09-14 c:\windows\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2007-04-25 c:\windows\system32\VTTrayp.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Documents and Settings\\Patrice\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Patrice\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25930:TCP"= 25930:TCP:eMule Plus

"25941:UDP"= 25941:UDP:eMule Plus

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-22 130424]

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-22 51520]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-22 38208]

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-02-21 17920]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-03-22 159600]

R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]

R3 DsAudioDevice_286;DsAudioDevice_286;c:\windows\system32\drivers\DsAudioDevice_286.sys [2008-12-24 16640]

S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-03-22 64392]

S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-13 348752]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-22 33088]

S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 06:29]

2009-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1604221776-682003330-1004.job

- c:\documents and settings\Patrice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-23 20:34]

2009-01-07 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 15:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://verizon.my.yahoo.com

uInternet Settings,ProxyOverride = *.local

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-01 17:22:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(704)

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\program files\Microsoft IntelliType Pro\dpupdchk.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe

c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2009-04-01 17:25:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-01 21:24:58

ComboFix2.txt 2009-04-01 01:42:31

Pre-Run: 130,831,486,976 bytes free

Post-Run: 130,840,358,912 bytes free

197 --- E O F --- 2009-03-26 22:44:04
